EventID 1149: User Authentication Succeeded
This event is written to the Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational channel when an RDP connection is established.
Despite its name, this event does not indicate a successfully authenticated RDP session has taken place, only that the channel has been established for an RDP attempt to be made.
This event is logged on the destination endpoint.
Major Version | Support | Major Version | Support |
---|---|---|---|
Windows 11 | ✅ | Server 2019 | ✅ |
Windows 10 | ✅ | Server 2016 | ✅ |
Windows 8 | ✅ | Server 2012 | ✅ |
Windows 7 | ✅ | Server 2008 | ✅ |
Windows Vista | ✅ | Server 2003 | ❌ |
Windows XP | ❌ | | |

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

This event logs an ActivityID, available in the XML path System/Correlation ActivityID. It can be used to correlate this event with other events logged for the same activity, such as:

This event is logged regardless of success or failure of the RDP session, and must be cross-referenced with other events such as:

This example was produced on Windows 10, Version 10.0.19044 Build 19044

Field | Interpretation | Reference |
---|---|---|
UserData/EventXML/Param1 | This field logs only the username and domain for the RDP session. | |
UserData/EventXML/Param3 | This field provides the source IP address of an RDP session. | |
System/Correlation ActivityID | Provides the ActivityID for the RDP session. | |
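
One way to pull the fields documented above (Param1, Param3 and the ActivityID) out of exported event XML and group the connection attempts by source address, keeping each ActivityID for cross-referencing. This is an added example, not part of the original page; the sample records, the `<Events>` wrapper element and the function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed records (invented values, documentation-range IPs) shaped like the
# event's XML view. The 9999 record stands in for any non-1149 event.
TEMPLATE = ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
            '<System><EventID>{0}</EventID><Correlation ActivityID="{1}"/></System>'
            '<UserData><EventXML xmlns="Event_NS"><Param1>{2}</Param1>'
            '<Param3>{3}</Param3></EventXML></UserData></Event>')
SAMPLE = "<Events>" + "".join(TEMPLATE.format(*r) for r in [
    ("1149", "{11111111-1111-1111-1111-111111111111}", "CORP\\alice", "192.0.2.10"),
    ("1149", "{22222222-2222-2222-2222-222222222222}", "CORP\\bob", "192.0.2.10"),
    ("1149", "{33333333-3333-3333-3333-333333333333}", "", "198.51.100.7"),
    ("9999", "{44444444-4444-4444-4444-444444444444}", "x", "203.0.113.5"),
]) + "</Events>"

def find(elem, *path):
    """Walk children by local name (namespace ignored); None if a step is missing."""
    for name in path:
        elem = next((c for c in elem if c.tag.rsplit("}", 1)[-1] == name), None)
        if elem is None:
            return None
    return elem

def text(ev, *path):
    node = find(ev, *path)
    return (node.text or "").strip() if node is not None else ""

def parse_1149(xml_text):
    """One dict per Event 1149 record, using the field paths documented above."""
    rows = []
    for ev in ET.fromstring(xml_text):
        if text(ev, "System", "EventID") != "1149":
            continue
        corr = find(ev, "System", "Correlation")
        rows.append({"user": text(ev, "UserData", "EventXML", "Param1"),
                     "source_ip": text(ev, "UserData", "EventXML", "Param3"),
                     "activity_id": corr.get("ActivityID") if corr is not None else None})
    return rows

def attempts_by_source(rows):
    """Group by source IP. These are connection attempts, not confirmed logons."""
    out = defaultdict(lambda: {"attempts": 0, "users": set(), "activity_ids": []})
    for r in rows:
        s = out[r["source_ip"]]
        s["attempts"] += 1
        s["users"] |= {r["user"]} - {""}  # Param1 may be empty
        s["activity_ids"].append(r["activity_id"])
    return dict(out)
```

The counts describe established RDP channels only; each ActivityID in the result still has to be matched against other events before a session is treated as authenticated.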