search

EventID 24: Session has been disconnected

This event, logged to the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational channel, is logged when an RDP connection is terminated.

circle-info

This event is logged on the destination endpoint.

hashtag
Analysis Value

Usernamechevron-rightEvidence of Network Activitychevron-rightSource Identificationchevron-right

hashtag
Operating System Availability

Major Version
Support
Major Version
Support

Windows 11

βœ…

Server 2019

βœ…

Windows 10

βœ…

Server 2016

βœ…

Windows 8

βœ…

Server 2012

βœ…

Windows 7

βœ…

Server 2008

βœ…

Windows Vista

βœ…

Server 2003

❌

Windows XP

❌

hashtag
Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

hashtag
Artifact Interpretation

Field
Interpretation
Reference

UserData/EventXML/User

This field logs only the username and domain that the RDP connection had.

Username

UserData/EventXML/Address

This field provides the source IP address of an RDP session.

Source Identification

UserData/EventXML/SessionID

This field provides the Session ID, which can be used to correlate between other events in the same log provider.

System/Correlation ActivityID

Provides the ActivityID for the RDP session.

hashtag
Analysis Tips

circle-info

hashtag
Correlation by ActivityID

This event logs an ActivityID, available in the XML path System/Correlation ActivityID. This may be used to correlate activity between other events logged that are related to this activity, such as:

EventID 1149: User Authentication Succeeded

circle-info

hashtag
RDP Activity Timeline

Together with EventID 21: Session logon succeeded, by correlating the SessionID field of both events, one can determine the start and end time of an RDP session.

hashtag
Example

This example was produced on Windows 10, Version 10.0.19044 Build 19044</

Last updated