EventID 1149: User Authentication Succeeded

This event, logged to the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational channel, is logged when an RDP connection is established.

Despite its name, this event does not indicate a successfully authenticated RDP session has taken place, only that the channel has been established for an RDP attempt to be made.

This event is logged on the destination endpoint.

Analysis Value

UsernameEvidence of Network ActivitySource Identification

Operating System Availability

Major Version
Support
Major Version
Support

Windows 11

Server 2019

Windows 10

Server 2016

Windows 8

Server 2012

Windows 7

Server 2008

Windows Vista

Server 2003

Windows XP

Artifact Location(s)

  • %SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

Artifact Interpretation

Field
Interpretation
Reference

UserData/EventXML/Param1

This field logs only the username and domain for the RDP session.

Username

UserData/EventXML/Param3

This field provides the source IP address of an RDP session.

Source Identification

System/Correlation ActivityID

Provides the ActivityID for the RDP session.

Analysis Tips

Correlation by ActivityID

This event logs an ActivityID, available in the XML path System/Correlation ActivityID. This may be used to correlate activity between other events logged that are related to this activity, such as:

EventID 21: Session logon succeeded

EventID 24: Session has been disconnected

This event is logged regardless of success or failure of the RDP session, and must be cross-referenced with other events such as:

EventID 21: Session logon succeeded

EventID 4624: An account was successfully logged on

Example

- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{c76baa63-ae81-421c-b425-340b4b24157f}" /> 
  <EventID>1149</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x1000000000000000</Keywords> 
  <TimeCreated SystemTime="2023-07-12T12:01:19.3418899Z" /> 
  <EventRecordID>241</EventRecordID> 
  <Correlation ActivityID="{f4206c2f-b0bf-4c54-aad2-c7d2769b0000}" /> 
  <Execution ProcessID="10680" ThreadID="14208" /> 
  <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel> 
  <Computer>HLPC01</Computer> 
  <Security UserID="S-1-5-20" /> 
  </System>
- <UserData>
- <EventXML xmlns="Event_NS">
  <Param1>john.doe</Param1> 
  <Param2 /> 
  <Param3>192.168.180.57</Param3> 
  </EventXML>
  </UserData>
  </Event>

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Last updated