EventID 24: Session has been disconnected
This event, logged to the Microsoft-Windows-TerminalServices-LocalSessionManager/Operational channel, is logged when an RDP connection is terminated.
This event is logged on the destination endpoint.
Analysis Value
UsernameEvidence of Network ActivitySource IdentificationOperating System Availability
Windows 11
✅
Server 2019
✅
Windows 10
✅
Server 2016
✅
Windows 8
✅
Server 2012
✅
Windows 7
✅
Server 2008
✅
Windows Vista
✅
Server 2003
❌
Windows XP
❌
Artifact Location(s)
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
Artifact Interpretation
UserData/EventXML/User
This field logs only the username and domain that the RDP connection had.
UserData/EventXML/Address
This field provides the source IP address of an RDP session.
UserData/EventXML/SessionID
This field provides the Session ID, which can be used to correlate between other events in the same log provider.
System/Correlation ActivityID
Provides the ActivityID for the RDP session.
Analysis Tips
Correlation by ActivityID
This event logs an ActivityID, available in the XML path System/Correlation ActivityID. This may be used to correlate activity between other events logged that are related to this activity, such as:
RDP Activity Timeline
Together with EventID 21: Session logon succeeded, by correlating the SessionID field of both events, one can determine the start and end time of an RDP session.
Example
This example was produced on Windows 10, Version 10.0.19044 Build 19044</
Last updated