EventID 24: Session has been disconnected
Last updated
Last updated
This event, logged to the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational channel, is logged when an RDP connection is terminated.
This event is logged on the destination endpoint.
| Major Version | Support | Major Version | Support |
|---|
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
This example was produced on Windows 10, Version 10.0.19044 Build 19044</
| Field | Interpretation | Reference |
|---|
Together with , by correlating the SessionID field of both events, one can determine the start and end time of an RDP session.
Windows 11 | ✅ | Server 2019 | ✅ |
Windows 10 | ✅ | Server 2016 | ✅ |
Windows 8 | ✅ | Server 2012 | ✅ |
Windows 7 | ✅ | Server 2008 | ✅ |
Windows Vista | ✅ | Server 2003 | ❌ |
Windows XP | ❌ |
| This field logs only the username and domain that the RDP connection had. |
| This field provides the source IP address of an RDP session. |
| This field provides the Session ID, which can be used to correlate between other events in the same log provider. |
| Provides the ActivityID for the RDP session. |