# EventID 1024: RDP ClientActiveX is trying to connect to the server

This event is written to the `TerminalServices-RDPClient/Operational` channel whenever the RDP client attempts a session to a remote endpoint.

{% hint style="info" %}
This event is logged on the **source** endpoint.
{% endhint %}

## Analysis Value

{% content-ref url="/pages/qnouj5GLuiwXN3ZPDBUb" %}
[Parent and Child Information](/windows-forensics/artifacts-by-activity/execution/parent-and-child-information.md)
{% endcontent-ref %}

{% content-ref url="/pages/LRJZQZsAd12i4mDfGwuK" %}
[Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md)
{% endcontent-ref %}

{% content-ref url="/pages/vyOW1UW4D6MtZx1ltSwW" %}
[Evidence of Network Activity](/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity.md)
{% endcontent-ref %}

{% content-ref url="/pages/pD9PmWKLXCWnvIZcuiXo" %}
[Destination Identification](/windows-forensics/artifacts-by-activity/network-activity/destination-identification.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx`

## Artifact Interpretation

This artifact can provide the **destination** IP address (or hostname) of an *attempted* RDP session. It will also provide the SID of the user who initiated the *attempted* connection, as well as the ProcessID associated with this activity.

{% hint style="warning" %}
This event is logged regardless of whether the RDP session succeeds or fails, and must be cross-referenced with other events, such as [EventID 4624: An account was successfully logged on](/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon.md) on the destination host.
{% endhint %}

If available, a successful RDP authentication is indicated by the event ID `TerminalServices-RDPClient/Operational/1027: Connected to domain`. To correlate these two Event IDs, compare their `Correlation ActivityID` field values.

When the RDP session ends, whether because the connection failed, authentication failed, or the user closed the session manually, `TerminalServices-RDPClient/Operational/1105: The multi-transport connection has been disconnected` and `TerminalServices-RDPClient/Operational/1026: RDP ClientActiveX has been disconnected` should be logged, and these can likewise be correlated with the 1024 event through their `Correlation ActivityID` field. Pairing the 1024 event with its matching 1026/1105 event therefore yields the time span during which an RDP session was in progress.
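The correlation described above, as an added example that is not part of the original page: it parses exported event XML, groups 1024/1027/1026/1105 events by `Correlation ActivityID`, and reports destination, SID, ProcessID and the span between the attempt and the disconnect. The first two sample events reuse the values from this page's example; the remaining three (ActivityID `{00000000-0000-0000-0000-00000000c0de}`, destination `10.0.0.5`, and the 1027/1105 payloads) are constructed, since the page does not show those events' data fields.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
SID = "S-1-5-21-3471133136-2963561160-3931775028-1001"  # SID from the page's example
def event_xml(event_id, system_time, activity_id, name, value, pid="11136", sid=SID):
    """Build event XML carrying only the elements the correlation reads (constructed input)."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/><Correlation ActivityID="{activity_id}"/>'
            f'<Execution ProcessID="{pid}" ThreadID="3624"/><Security UserID="{sid}"/></System>'
            f'<EventData><Data Name="Name">{name}</Data><Data Name="Value">{value}</Data></EventData></Event>')

# First two events: values from the page's example (failed connection). Last three: constructed session that
# authenticated (1027) and was closed by 1105; their payloads are placeholders, only time/ActivityID are used.
SAMPLE_EVENTS = [
    event_xml(1024, "2023-07-14T14:06:31.9398747Z", "{780cf827-0ed1-4f4b-924c-3b14e7660000}", "Server Name", "192.168.116.74"),
    event_xml(1026, "2023-07-14T14:06:33.6543161Z", "{780cf827-0ed1-4f4b-924c-3b14e7660000}", "Disconnect Reason", "1"),
    event_xml(1024, "2023-07-14T14:10:00.0000000Z", "{00000000-0000-0000-0000-00000000c0de}", "Server Name", "10.0.0.5"),
    event_xml(1027, "2023-07-14T14:10:02.5000000Z", "{00000000-0000-0000-0000-00000000c0de}", "Name", "n/a"),
    event_xml(1105, "2023-07-14T14:15:00.0000000Z", "{00000000-0000-0000-0000-00000000c0de}", "Name", "n/a"),
]

def parse_time(system_time):
    # SystemTime carries 7 fractional digits and a trailing Z; strptime's %f accepts at most 6.
    return datetime.strptime(system_time[:26] + "+0000", "%Y-%m-%dT%H:%M:%S.%f%z")

def parse_event(xml_text):
    """Pull the fields this artifact page calls out (time, ActivityID, PID, SID, payload Value)."""
    root = ET.fromstring(xml_text)
    field = lambda tag: root.find("e:System/e:" + tag, NS)
    data = {d.get("Name"): d.text for d in root.findall("e:EventData/e:Data", NS)}
    return {"event_id": int(field("EventID").text), "time": parse_time(field("TimeCreated").get("SystemTime")),
            "activity_id": field("Correlation").get("ActivityID"), "pid": int(field("Execution").get("ProcessID")),
            "sid": field("Security").get("UserID"), "value": data.get("Value")}

def correlate_sessions(events):
    """Group by ActivityID: 1024 opens the span, 1027 marks authentication, 1026/1105 close it."""
    sessions = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        s = sessions.setdefault(ev["activity_id"], {"authenticated": False, "end": None, "end_event": None})
        if ev["event_id"] == 1024:
            s.update(start=ev["time"], destination=ev["value"], sid=ev["sid"], pid=ev["pid"])
        elif ev["event_id"] == 1027:
            s["authenticated"] = True
        elif ev["event_id"] in (1026, 1105) and s["end"] is None:  # earliest disconnect ends the span
            s.update(end=ev["time"], end_event=ev["event_id"],
                     disconnect_reason=ev["value"] if ev["event_id"] == 1026 else None,
                     duration_s=(ev["time"] - s["start"]).total_seconds() if "start" in s else None)
    return sessions
```

A session whose 1024 event has rolled out of the log still appears, but with no start, destination or duration, which is itself worth noting in a timeline.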

## Example

In the following example, the user with SID `S-1-5-21-3471133136-2963561160-3931775028-1001` attempted to RDP to a system at IP address `192.168.116.74`. The connection was not successful, resulting in `TerminalServices-RDPClient/Operational/1026: RDP ClientActiveX has been disconnected` being logged with the same `Correlation ActivityID` value of `{780cf827-0ed1-4f4b-924c-3b14e7660000}`.

```
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore" Guid="{28aa95bb-d444-4719-a36f-40462168127e}" />
    <EventID>1024</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>101</Task>
    <Opcode>10</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2023-07-14T14:06:31.9398747Z" />
    <EventRecordID>1641</EventRecordID>
    <Correlation ActivityID="{780cf827-0ed1-4f4b-924c-3b14e7660000}" />
    <Execution ProcessID="11136" ThreadID="3624" />
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>HLPC01</Computer>
    <Security UserID="S-1-5-21-3471133136-2963561160-3931775028-1001" />
  </System>
  <EventData>
    <Data Name="Name">Server Name</Data>
    <Data Name="Value">192.168.116.74</Data>
    <Data Name="CustomLevel">Info</Data>
  </EventData>
</Event>
```

```
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-ClientActiveXCore" Guid="{28aa95bb-d444-4719-a36f-40462168127e}" />
    <EventID>1026</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>101</Task>
    <Opcode>11</Opcode>
    <Keywords>0x4000000000000000</Keywords>
    <TimeCreated SystemTime="2023-07-14T14:06:33.6543161Z" />
    <EventRecordID>1643</EventRecordID>
    <Correlation ActivityID="{780cf827-0ed1-4f4b-924c-3b14e7660000}" />
    <Execution ProcessID="11136" ThreadID="3624" />
    <Channel>Microsoft-Windows-TerminalServices-RDPClient/Operational</Channel>
    <Computer>HLPC01</Computer>
    <Security UserID="S-1-5-21-3471133136-2963561160-3931775028-1001" />
  </System>
  <EventData>
    <Data Name="Name">Disconnect Reason</Data>
    <Data Name="Value">1</Data>
    <Data Name="CustomLevel">Info</Data>
  </EventData>
</Event>
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044.
