# EventID 1149: User Authentication Succeeded

This event, logged to the `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational` channel, is logged when an RDP connection is established.

{% hint style="danger" %}
Despite its name, this event does not indicate a successfully authenticated RDP session has taken place, only that the channel has been established for an RDP attempt to be made.
{% endhint %}

{% hint style="info" %}
This event is logged on the **destination** endpoint.
{% endhint %}

## Analysis Value

{% content-ref url="/pages/xb2jtwMPGcVKWaKDBigr" %}
[Username](/windows-forensics/artifacts-by-activity/account-activity/username.md)
{% endcontent-ref %}

{% content-ref url="/pages/vyOW1UW4D6MtZx1ltSwW" %}
[Evidence of Network Activity](/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity.md)
{% endcontent-ref %}

{% content-ref url="/pages/T5a0mfe6TprUne1T4K7M" %}
[Source Identification](/windows-forensics/artifacts-by-activity/network-activity/source-identification.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`

## Artifact Interpretation

| Field                           | Interpretation                                                    | Reference                                                                                                   |
| ------------------------------- | ----------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| `UserData/EventXML/Param1`      | This field logs only the username and domain for the RDP session. | [Username](/windows-forensics/artifacts-by-activity/account-activity/username.md)                           |
| `UserData/EventXML/Param3`      | This field provides the **source** IP address of an RDP session.  | [Source Identification](/windows-forensics/artifacts-by-activity/network-activity/source-identification.md) |
| `System/Correlation ActivityID` | Provides the ActivityID for the RDP session.                      |                                                                                                             |

## Analysis Tips

{% hint style="info" %}

### Correlation by ActivityID

This event logs an ActivityID, available in the XML path `System/Correlation ActivityID`. This may be used to correlate activity between other events logged that are related to this activity, such as:

[EventID 21: Session logon succeeded](/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21.md)

[EventID 24: Session has been disconnected](/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24.md)
{% endhint %}

{% hint style="warning" %}
This event is logged regardless of success or failure of the RDP session, and must be cross-referenced with other events such as:

[EventID 21: Session logon succeeded](/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21.md)

[EventID 4624: An account was successfully logged on](/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon.md)
{% endhint %}

## Example

```
- <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
- <System>
  <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{c76baa63-ae81-421c-b425-340b4b24157f}" /> 
  <EventID>1149</EventID> 
  <Version>0</Version> 
  <Level>4</Level> 
  <Task>0</Task> 
  <Opcode>0</Opcode> 
  <Keywords>0x1000000000000000</Keywords> 
  <TimeCreated SystemTime="2023-07-12T12:01:19.3418899Z" /> 
  <EventRecordID>241</EventRecordID> 
  <Correlation ActivityID="{f4206c2f-b0bf-4c54-aad2-c7d2769b0000}" /> 
  <Execution ProcessID="10680" ThreadID="14208" /> 
  <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel> 
  <Computer>HLPC01</Computer> 
  <Security UserID="S-1-5-20" /> 
  </System>
- <UserData>
- <EventXML xmlns="Event_NS">
  <Param1>john.doe</Param1> 
  <Param2 /> 
  <Param3>192.168.180.57</Param3> 
  </EventXML>
  </UserData>
  </Event>
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.