EventID 1149: User Authentication Succeeded
This event, logged to the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational
channel, is logged when an RDP connection is established.
Despite its name, this event does not indicate a successfully authenticated RDP session has taken place, only that the channel has been established for an RDP attempt to be made.
This event is logged on the destination endpoint.
Analysis Value
Operating System Availability
Artifact Location(s)
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx
Artifact Interpretation
Analysis Tips
Correlation by ActivityID
This event logs an ActivityID, available in the XML path System/Correlation ActivityID
. This may be used to correlate activity between other events logged that are related to this activity, such as:
This event is logged regardless of success or failure of the RDP session, and must be cross-referenced with other events such as:
Example
This example was produced on Windows 10, Version 10.0.19044 Build 19044
Last updated