> For the complete documentation index, see [llms.txt](https://psmths.gitbook.io/windows-forensics/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149.md).

# EventID 1149: User Authentication Succeeded

This event is written to the `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational` channel when an inbound RDP connection is established with the Remote Desktop listener, before any interactive session exists.

{% hint style="danger" %}
Despite its name, this event does not indicate that an RDP session has been successfully authenticated and created, only that the connection has been established and an RDP logon attempt can now be made.
{% endhint %}

{% hint style="info" %}
This event is logged on the **destination** endpoint.
{% endhint %}

## Analysis Value

{% content-ref url="/pages/xb2jtwMPGcVKWaKDBigr" %}
[Username](/windows-forensics/artifacts-by-activity/account-activity/username.md)
{% endcontent-ref %}

{% content-ref url="/pages/vyOW1UW4D6MtZx1ltSwW" %}
[Evidence of Network Activity](/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity.md)
{% endcontent-ref %}

{% content-ref url="/pages/T5a0mfe6TprUne1T4K7M" %}
[Source Identification](/windows-forensics/artifacts-by-activity/network-activity/source-identification.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ❌       |
| Windows XP    | ❌       |               |         |

## Artifact Location(s)

* `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx`

## Artifact Interpretation

| Field                           | Interpretation                                                                                                          | Reference                                                                                                   |
| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------- |
| `UserData/EventXML/Param1`      | The username presented for the RDP connection, without its domain.                                                      | [Username](/windows-forensics/artifacts-by-activity/account-activity/username.md)                           |
| `UserData/EventXML/Param2`      | The domain of the account presented for the RDP connection. This is empty when the client supplied only a username.      | [Username](/windows-forensics/artifacts-by-activity/account-activity/username.md)                           |
| `UserData/EventXML/Param3`      | The **source** IP address of the RDP client that connected.                                                             | [Source Identification](/windows-forensics/artifacts-by-activity/network-activity/source-identification.md) |
| `System/Correlation ActivityID` | The ActivityID for the RDP connection, shared with related TerminalServices events for the same connection.             |                                                                                                             |

## Analysis Tips

{% hint style="info" %}

### Correlation by ActivityID

This event records an ActivityID at the XML path `System/Correlation ActivityID`. Other TerminalServices events generated for the same RDP connection carry the same ActivityID, so it can be used to tie this event to the later stages of the connection, such as:

[EventID 21: Session logon succeeded](/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21.md)

[EventID 24: Session has been disconnected](/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24.md)
{% endhint %}

{% hint style="warning" %}
This event is logged whether or not the RDP logon that follows succeeds, so on its own it is not evidence of a successful session. It must be cross-referenced with events that confirm a session was actually created, such as:

[EventID 21: Session logon succeeded](/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21.md)

[EventID 4624: An account was successfully logged on](/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon.md)
{% endhint %}
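The correlation and cross-referencing described in the two tips above, as an added example that is not part of the original page: it parses rendered event XML (in the same shape as the Example section below), groups records by `System/Correlation ActivityID`, and reports every EventID 1149 together with the matching EventID 21 session logon, or flags it when no logon was ever confirmed for that ActivityID. The sample records are constructed for this example (the second ActivityID and the EventID 21 record are invented), and `parse_event` and `triage` are names chosen here, not tooling from the page. Real input would be the per-record XML exported from the two `.evtx` files, for example with `Get-WinEvent` and `.ToXml()`.

```python
"""Correlate RDP EventID 1149 (RemoteConnectionManager) records with EventID 21
(LocalSessionManager) records by System/Correlation ActivityID.

A 1149 that never gains a matching 21 is an RDP connection for which no session
logon was confirmed. All sample records below are constructed for this example.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event", "u": "Event_NS"}


@dataclass
class RdpEvent:
    event_id: int
    activity_id: str  # GUID from System/Correlation ActivityID, "" when absent
    time: str
    user: str
    domain: str
    source_ip: str


def parse_event(xml_text: str) -> RdpEvent:
    """Parse one rendered TerminalServices event into an RdpEvent."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    event_id = int(system.findtext("e:EventID", namespaces=NS))
    corr = system.find("e:Correlation", NS)
    # Normalise case so GUIDs rendered by different tools still match.
    activity_id = (corr.get("ActivityID", "") if corr is not None else "").upper()
    time = system.find("e:TimeCreated", NS).get("SystemTime", "")
    data = root.find("e:UserData/u:EventXML", NS)
    if event_id == 1149:
        # 1149 message template: "User: %1 Domain: %2 Source Network Address: %3"
        user = data.findtext("u:Param1", default="", namespaces=NS)
        domain = data.findtext("u:Param2", default="", namespaces=NS)
        source_ip = data.findtext("u:Param3", default="", namespaces=NS)
    elif event_id in (21, 24):
        # LocalSessionManager records carry "DOMAIN\user" in a single User element
        full = data.findtext("u:User", default="", namespaces=NS)
        domain, _, user = full.rpartition("\\")
        source_ip = data.findtext("u:Address", default="", namespaces=NS)
    else:
        raise ValueError(f"unsupported EventID {event_id}")
    return RdpEvent(event_id, activity_id, time, user, domain, source_ip)


def triage(xml_records):
    """For every 1149, find a 21 with the same ActivityID; None means no logon seen."""
    events = [parse_event(x) for x in xml_records]
    by_activity = {}
    for ev in events:
        if ev.activity_id:  # an empty ActivityID must not pool unrelated records
            by_activity.setdefault(ev.activity_id, []).append(ev)
    report = []
    for ev in events:
        if ev.event_id != 1149:
            continue
        logons = [e for e in by_activity.get(ev.activity_id, []) if e.event_id == 21]
        report.append({
            "time": ev.time, "user": ev.user, "domain": ev.domain,
            "source_ip": ev.source_ip, "activity_id": ev.activity_id,
            "session_logon": logons[0].time if logons else None,
        })
    return report


# --- constructed sample records (not real log data) ---------------------------
def _rcm_1149(activity, time, user, domain, ip):
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager"/>'
            f'<EventID>1149</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Correlation ActivityID="{activity}"/></System>'
            f'<UserData><EventXML xmlns="Event_NS"><Param1>{user}</Param1>'
            f'<Param2>{domain}</Param2><Param3>{ip}</Param3></EventXML></UserData></Event>')


def _lsm_21(activity, time, user, session, ip):
    return (f'<Event xmlns="{NS["e"]}"><System>'
            f'<Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager"/>'
            f'<EventID>21</EventID><TimeCreated SystemTime="{time}"/>'
            f'<Correlation ActivityID="{activity}"/></System>'
            f'<UserData><EventXML xmlns="Event_NS"><User>{user}</User>'
            f'<SessionID>{session}</SessionID><Address>{ip}</Address></EventXML></UserData></Event>')


ACT_A = "{f4206c2f-b0bf-4c54-aad2-c7d2769b0000}"  # ActivityID from the page's example
ACT_B = "{0a1b2c3d-1111-2222-3333-444455556666}"  # invented second connection
SAMPLE_RECORDS = [
    _rcm_1149(ACT_A, "2023-07-12T12:01:19.3418899Z", "john.doe", "", "192.168.180.57"),
    _lsm_21(ACT_A, "2023-07-12T12:01:24.0000000Z", "HLPC01\\john.doe", "2", "192.168.180.57"),
    _rcm_1149(ACT_B, "2023-07-12T12:05:02.0000000Z", "administrator", "", "192.168.180.90"),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_RECORDS):
        account = (row["domain"] + "\\" if row["domain"] else "") + row["user"]
        status = f'session logon at {row["session_logon"]}' if row["session_logon"] else "NO session logon seen"
        print(f'{row["time"]} {account} from {row["source_ip"]}: {status}')
```

The second 1149 in the sample has no EventID 21 sharing its ActivityID, so it is reported as unconfirmed; in a real timeline that is the case to chase further in the Security log (EventID 4624 with logon type 10, or failures in 4625) before treating the 1149 as a successful logon.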

## Example

```xml
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-TerminalServices-RemoteConnectionManager" Guid="{c76baa63-ae81-421c-b425-340b4b24157f}" />
    <EventID>1149</EventID>
    <Version>0</Version>
    <Level>4</Level>
    <Task>0</Task>
    <Opcode>0</Opcode>
    <Keywords>0x1000000000000000</Keywords>
    <TimeCreated SystemTime="2023-07-12T12:01:19.3418899Z" />
    <EventRecordID>241</EventRecordID>
    <Correlation ActivityID="{f4206c2f-b0bf-4c54-aad2-c7d2769b0000}" />
    <Execution ProcessID="10680" ThreadID="14208" />
    <Channel>Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational</Channel>
    <Computer>HLPC01</Computer>
    <Security UserID="S-1-5-20" />
  </System>
  <UserData>
    <EventXML xmlns="Event_NS">
      <Param1>john.doe</Param1>
      <Param2 />
      <Param3>192.168.180.57</Param3>
    </EventXML>
  </UserData>
</Event>
```

This example was produced on Windows 10, version 10.0.19044 (build 19044). Note that `Param2` (the domain) is empty and the username appears on its own in `Param1`.
