# EventID 1024: RDP ClientActiveX is trying to connect to the server

This event is written to the `TerminalServices-RDPClient/Operational` channel when an RDP connection to a remote endpoint is attempted.

{% hint style="info" %}
This event is logged on the **source** endpoint.
{% endhint %}

## Analysis Value

{% content-ref url="../../../artifacts-by-activity/execution/parent-and-child-information" %}
[parent-and-child-information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/account-activity/security-identifier" %}
[security-identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/network-activity/evidence-of-network-activity" %}
[evidence-of-network-activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity)
{% endcontent-ref %}

{% content-ref url="../../../artifacts-by-activity/network-activity/destination-identification" %}
[destination-identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/destination-identification)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`

## Artifact Interpretation

This artifact can provide the **destination** IP address (or hostname) of an *attempted* RDP session. It will also provide the SID of the user who initiated the *attempted* connection, as well as the ProcessID associated with this activity.

{% hint style="warning" %}
This event is logged regardless of the success or failure of the RDP session, and must be cross-referenced with other events such as [evtx-4624-successful-logon](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon "mention") on the destination host.
{% endhint %}

If available, a successful RDP authentication is indicated by the event ID `TerminalServices-RDPClient/Operational/1027: Connected to domain`. To correlate these two Event IDs, compare their `Correlation ActivityID` field values.

When the RDP session ends, whether because the connection failed, authentication failed, or the user closed the session manually, `TerminalServices-RDPClient/Operational/1105: The multi-transport connection has been disconnected` and `TerminalServices-RDPClient/Operational/1026: RDP ClientActiveX has been disconnected` should be logged; these can likewise be correlated with the 1024 event through their `Correlation ActivityID` field. Together, the 1024 event and the matching disconnect events bound the time span during which an RDP session was in progress.

## Example

In the following example, the user with SID `S-1-5-21-3471133136-2963561160-3931775028-1001` attempted to RDP to a system at IP address `192.168.116.74`. The connection was not successful, resulting in `TerminalServices-RDPClient/Operational/1026: RDP ClientActiveX has been disconnected` being logged with the same `Correlation ActivityID` value of `{780cf827-0ed1-4f4b-924c-3b14e7660000}`.

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore" Guid="{28aa95bb-d444-4719-a36f-40462168127e}" />
    <EventID>1024</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>101</Task>
    <Opcode>10</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2023-07-14T14:06:31.9398747Z" />
    <EventRecordID>1641</EventRecordID>
    <Correlation ActivityID="{780cf827-0ed1-4f4b-924c-3b14e7660000}" />
    <Execution ProcessID="11136" ThreadID="3624" />
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>HLPC01</Computer>
    <Security UserID="S-1-5-21-3471133136-2963561160-3931775028-1001" />
  </System>
  <EventData>
    <Data Name="Name">Server Name</Data>
    <Data Name="Value">192.168.116.74</Data>
    <Data Name="CustomLevel">Info</Data>
  </EventData>
</Event>
```

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore" Guid="{28aa95bb-d444-4719-a36f-40462168127e}" />
    <EventID>1026</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>101</Task>
    <Opcode>11</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2023-07-14T14:06:33.6543161Z" />
    <EventRecordID>1643</EventRecordID>
    <Correlation ActivityID="{780cf827-0ed1-4f4b-924c-3b14e7660000}" />
    <Execution ProcessID="11136" ThreadID="3624" />
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>HLPC01</Computer>
    <Security UserID="S-1-5-21-3471133136-2963561160-3931775028-1001" />
  </System>
  <EventData>
    <Data Name="Name">Disconnect Reason</Data>
    <Data Name="Value">1</Data>
    <Data Name="CustomLevel">Info</Data>
  </EventData>
</Event>
```

This example was produced on Windows 10, Version 10.0.19044 (Build 19044).
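The correlation described above (1024 start, optional 1027, then 1105/1026 end, all tied together by `Correlation ActivityID`) can be scripted for an exported log. The following Python script is an added example, not code from the original page: it parses Event XML records in the shape shown above, groups them by ActivityID, and produces a per-session timeline with destination, user SID, ProcessID, start and end time, and whether a 1027 was seen. The first session reuses the values from the two records above; the second session (a successful connection) is constructed, and the EventData field names used for its 1027 and 1105 records are placeholders, not verified field names.

```python
"""Build an RDP client session timeline from TerminalServices-RDPClient events.

Added example, not part of the original page. Groups event IDs 1024, 1027,
1026 and 1105 by Correlation ActivityID and reports, for each attempted
session, destination, user SID, ProcessID, start/end time and outcome.
"""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

CONNECT_ATTEMPT = 1024     # RDP ClientActiveX is trying to connect to the server
CONNECTED = 1027           # Connected to domain
DISCONNECTED = 1026        # RDP ClientActiveX has been disconnected
MULTI_TRANSPORT_DC = 1105  # The multi-transport connection has been disconnected

# Record template mirroring the Event Viewer XML view, reduced to the fields
# the correlation needs. Doubled braces escape the provider GUID for format().
EVENT_TEMPLATE = """\
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore" Guid="{{28aa95bb-d444-4719-a36f-40462168127e}}" />
    <EventID>{event_id}</EventID>
    <TimeCreated SystemTime="{time}" />
    <Correlation ActivityID="{activity_id}" />
    <Execution ProcessID="{pid}" ThreadID="3624" />
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>HLPC01</Computer>
    <Security UserID="{sid}" />
  </System>
  <EventData>
    <Data Name="Name">{name}</Data>
    <Data Name="Value">{value}</Data>
    <Data Name="CustomLevel">Info</Data>
  </EventData>
</Event>"""


def make_event(event_id, time, activity_id, pid, sid, name, value):
    return EVENT_TEMPLATE.format(event_id=event_id, time=time, activity_id=activity_id,
                                 pid=pid, sid=sid, name=name, value=value)


def parse_systemtime(value):
    """Event Viewer writes seven fractional digits; strptime's %f takes at most six."""
    base, frac = value.rstrip("Z").split(".")
    stamp = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return stamp.replace(microsecond=int(frac[:6].ljust(6, "0")), tzinfo=timezone.utc)


def parse_event(xml_text):
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return {
        "event_id": int(system.find("e:EventID", NS).text),
        "time": parse_systemtime(system.find("e:TimeCreated", NS).get("SystemTime")),
        "activity_id": system.find("e:Correlation", NS).get("ActivityID"),
        "process_id": int(system.find("e:Execution", NS).get("ProcessID")),
        "user_sid": system.find("e:Security", NS).get("UserID"),
        "data": data,
    }


def build_sessions(events):
    """Group events by ActivityID; the 1024 opens a session, 1105/1026 close it."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        s = sessions.setdefault(ev["activity_id"], {
            "activity_id": ev["activity_id"], "user_sid": ev["user_sid"],
            "process_id": ev["process_id"], "destination": None, "start": None,
            "end": None, "connected": False, "disconnect_reason": None})
        if ev["event_id"] == CONNECT_ATTEMPT:
            s["start"] = ev["time"]
            s["destination"] = ev["data"].get("Value")   # "Server Name" value
        elif ev["event_id"] == CONNECTED:
            s["connected"] = True
        elif ev["event_id"] in (DISCONNECTED, MULTI_TRANSPORT_DC):
            s["end"] = ev["time"] if s["end"] is None else max(s["end"], ev["time"])
            if ev["event_id"] == DISCONNECTED:
                s["disconnect_reason"] = ev["data"].get("Value")
    for s in sessions.values():
        both = s["start"] is not None and s["end"] is not None
        s["duration_s"] = (s["end"] - s["start"]).total_seconds() if both else None
        s["outcome"] = "connected (1027 seen)" if s["connected"] else "no 1027 seen"
    return sessions


SID = "S-1-5-21-3471133136-2963561160-3931775028-1001"      # from the page's example
PAGE_ACTIVITY_ID = "{780cf827-0ed1-4f4b-924c-3b14e7660000}"  # from the page's example
CONSTRUCTED_ACTIVITY_ID = "{00000000-1111-2222-3333-444444444444}"  # constructed
SAMPLE_RECORDS = [
    # Session 1: the page's two records (1024 followed by 1026, no 1027).
    make_event(1024, "2023-07-14T14:06:31.9398747Z", PAGE_ACTIVITY_ID, 11136, SID, "Server Name", "192.168.116.74"),
    make_event(1026, "2023-07-14T14:06:33.6543161Z", PAGE_ACTIVITY_ID, 11136, SID, "Disconnect Reason", "1"),
    # Session 2: constructed successful session; 1027/1105 field names are placeholders.
    make_event(1024, "2023-07-14T15:00:00.0000000Z", CONSTRUCTED_ACTIVITY_ID, 20480, SID, "Server Name", "192.168.116.80"),
    make_event(1027, "2023-07-14T15:00:02.5000000Z", CONSTRUCTED_ACTIVITY_ID, 20480, SID, "Domain Name", "EXAMPLE"),
    make_event(1105, "2023-07-14T15:20:00.0000000Z", CONSTRUCTED_ACTIVITY_ID, 20480, SID, "Name", ""),
    make_event(1026, "2023-07-14T15:20:00.2500000Z", CONSTRUCTED_ACTIVITY_ID, 20480, SID, "Disconnect Reason", "0"),
]


def session_timeline(records=SAMPLE_RECORDS):
    return build_sessions([parse_event(r) for r in records])


if __name__ == "__main__":
    for s in session_timeline().values():
        print(f"{s['start']} -> {s['end']} ({s['duration_s']}s) pid={s['process_id']} "
              f"sid={s['user_sid']} dest={s['destination']} {s['outcome']} "
              f"reason={s['disconnect_reason']}")
```

On a live host the same records can be exported with `wevtutil qe Microsoft-Windows-TerminalServices-RDPClient/Operational /f:xml` and fed to `parse_event` one `<Event>` at a time; the session with no 1027 and a short 1024-to-1026 gap is the pattern the page's example shows, and the destination, SID and ProcessID it yields are what to take to the destination host's 4624 events.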
