Windows RDP Event IDs Cheatsheet

Simple Guidance For You In Windows RDP Event IDs Cheatsheet.

It is increasingly common for attackers to manipulate or clear the Security event log on compromised machines, and an RDP session does not always register as a plain type 10 logon, depending on how the connection was made. Fortunately, RDP activity leaves events in several different logs as the connection is negotiated, authenticated and torn down, because several processes are involved. The tables below list those event IDs, where each is written, what it indicates, and which Windows versions record it.

RDP Event IDs, descriptions and event specifications:

| Event ID | Description | Event location | Event specification | Win 10 / 8.1 / 7 / 2008 / 2012 / 2016 |
|---|---|---|---|---|
| 21 | Remote Desktop Services: Session logon succeeded | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Logon | All six |
| 22 | Remote Desktop Services: Shell start notification received | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Logon | All six |
| 23 | Remote Desktop Services: Session logoff succeeded | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Process termination | All six |
| 24 | Remote Desktop Services: Session has been disconnected | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Terminal Service – Local Session | All six |
| 25 | Remote Desktop Services: Session reconnection succeeded | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Terminal Service – Local Session | All six |
| 39 | Session <X> has been disconnected by session <Y> | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Session Disconnect or Reconnect | All six |
| 40 | Session <X> has been disconnected, reason code <Z> | Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | Session Disconnect or Reconnect | All six |
| 98 | A TCP connection has been successfully established | Applications and Services Logs \ Microsoft \ Windows \ RemoteDesktopServices-RDPCoreTS \ Operational | | 2 of 6 (see note) |
| 131 | The server accepted a new TCP connection from client <ipAddress> | Applications and Services Logs \ Microsoft \ Windows \ RemoteDesktopServices-RDPCoreTS \ Operational | | 3 of 6 (see note) |
| 140 | Connection failed; bad username or password | Applications and Services Logs \ Microsoft \ Windows \ RemoteDesktopServices-RDPCoreTS \ Operational | | 3 of 6 (see note) |
| 226 | RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005) | Microsoft-Windows-TerminalServices-RDPClient/Operational | RDP State Transition | 1 of 6 (see note) |
| 261 | Listener RDP-Tcp received a connection | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-RemoteConnectionManager \ Operational | Terminal Service – Remote Connection | 3 of 6 (see note) |
| 1024 | The client has initiated a multi-transport connection to the server () | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | Connection Sequence | 3 of 6 (see note) |
| 1025 | RDP ClientActiveX has connected to the server | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | Connection Sequence | 3 of 6 (see note) |
| 1026 | RDP ClientActiveX has been disconnected (Reason=<no.>) | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | Connection Sequence | 3 of 6 (see note) |
| 1027 | Connected to domain (SERVER-xx) with session <X> | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | Connection Sequence | 1 of 6 (see note) |
| 1028 | The server supports SSL = supported | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | Connection Sequence | 3 of 6 (see note) |
| 1029 | Base64(SHA256(UserName)) is = [Base64-encoded SHA256 hash of the user name] | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | Connection Sequence | 3 of 6 (see note) |
| 1102 | The client has initiated a multi-transport connection to the server <ipAddress> | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | Connection Sequence | All six |
| 1103 | The client has established a multi-transport connection to the server | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | Connection Sequence | 1 of 6 (see note) |
| 1105 | The multi-transport connection has been disconnected | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | Connection Sequence | All six |
| 1149 | User authentication succeeded | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-RemoteConnectionManager \ Operational | Network Connection | All six |
| 1158 | Remote Desktop Services accepted a connection from IP address <ipAddress> | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-RemoteConnectionManager \ Operational | Terminal Service – Remote Connection | 1 of 6 (see note) |
| 1401 | The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1) | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | RDP Client Pipeline workspace | 1 of 6 (see note) |
| 1403 | The client is using software memory for the frame buffer | Applications and Services Logs \ Microsoft \ Windows \ TerminalServices-ClientActiveXCore \ TerminalServices-RDPClient \ Operational | RDP Client Pipeline workspace | 1 of 6 (see note) |
| 4624 | An account was successfully logged on | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Authentication | All six |
| 4625 | An account failed to log on | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Authentication | All six |
| 4634 | An account was logged off | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Logoff | All six |
| 4647 | User-initiated logoff | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Logoff | All six |
| 4648 | A logon was attempted using explicit credentials | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Logon | All six |
| 4656 | A handle to an object was requested | %SystemRoot%\System32\Winevt\Logs\Security.evtx | File System | All six |
| 4658 | The handle to an object was closed | %SystemRoot%\System32\Winevt\Logs\Security.evtx | File System | All six |
| 4663 | An attempt was made to access an object | %SystemRoot%\System32\Winevt\Logs\Security.evtx | File System | All six |
| 4688 | A new process has been created | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Process Creation | All six |
| 4689 | A process has exited | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Process Termination | All six |
| 4778 | A session was reconnected from a Window Station | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Other Logon/Logoff | All six |
| 4779 | A session was disconnected from a Window Station | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Other Logon/Logoff | All six |
| 5058 | Key file operation | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Other System Events | All six |
| 5059 | Key migration operation | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Other System Events | All six |
| 5061 | Cryptographic operation | %SystemRoot%\System32\Winevt\Logs\Security.evtx | System Integrity | All six |
| 5156 | The Windows Filtering Platform has allowed a connection | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Filtering Platform Connection | All six |
| 5158 | The Windows Filtering Platform has permitted a bind to a local port | %SystemRoot%\System32\Winevt\Logs\Security.evtx | Filtering Platform Connection | All six |
| 9009 | The Desktop Window Manager has exited with code (<X>) | %SystemRoot%\System32\Winevt\Logs\System.evtx | Desktop Window Manager | All six |

Note: the per-version columns of the original table did not survive extraction for rows with fewer than six "Yes" marks; for those rows only the number of supported versions is recoverable, not which ones. In the .evtx file names, "%4" is the escaped form of the "/" in the channel name, so the LocalSessionManager file corresponds to the channel Microsoft-Windows-TerminalServices-LocalSessionManager/Operational under %SystemRoot%\System32\Winevt\Logs.


Event ID 40 reason codes:

(Image in the original article: Event ID 40 with reason code 12, i.e. "Session has been disconnected" with the reason "The user logged off, disconnecting the session".)


| Code | Description |
|---|---|
| 0 | No additional information is available |
| 1 | An application initiated the disconnection |
| 2 | An application logged off the client |
| 3 | The server has disconnected the client because the client has been idle for a period of time longer than the designated time-out period |
| 4 | The server has disconnected the client because the client has exceeded the period designated for connection |
| 5 | The client's connection was replaced by another connection |
| 6 | No memory is available |
| 7 | The server denied the connection |
| 8 | The server denied the connection for security reasons |
| 9 | The server denied the connection for security reasons |
| 10 | Fresh credentials are required |
| 11 | User activity has initiated the disconnect |
| 12 | The user logged off, disconnecting the session |
| 256 | Internal licensing error |
| 257 | No license server was available |
| 258 | No valid software license was available |
| 259 | The remote computer received a licensing message that was not valid |
| 260 | The hardware ID does not match the one designated on the software license |
| 261 | Client license error |
| 262 | Network problems occurred during the licensing protocol |
| 263 | The client ended the licensing protocol prematurely |
| 264 | A licensing message was encrypted incorrectly |
| 265 | The local computer's client access license could not be upgraded or renewed |
| 266 | The remote computer is not licensed to accept remote connections |
| 267 | An access denied error was received while creating a registry key for the license store |
| 768 | Invalid credentials were encountered |

For a successful RDP logon, use the Logon Type field of Event ID 4624 (table below) to identify the logon service/mode.

Event ID 4624 – Logon types

| Logon type | Logon title | Description |
|---|---|---|
| 2 | Interactive | A user logged on to this computer |
| 3 | Network | A user or computer logged on to this computer from the network |
| 4 | Batch | Batch logon type is used by batch servers, where processes may be executing on behalf of a user without their direct intervention |
| 5 | Service | A service was started by the Service Control Manager |
| 7 | Unlock | This workstation was unlocked |
| 8 | NetworkCleartext | A user logged on to this computer from the network. The user's password was passed to the authentication package in its unhashed form. The built-in authentication packages all hash credentials before sending them across the network. The credentials do not traverse the network in plaintext (also called cleartext) |
| 9 | NewCredentials | A caller cloned its current token and specified new credentials for outbound connections. The new logon session has the same local identity, but uses different credentials for other network connections |
| 10 | RemoteInteractive | A user logged on to this computer remotely using Terminal Services or Remote Desktop |
| 11 | CachedInteractive | A user logged on to this computer with network credentials that were stored locally on the computer. The domain controller was not contacted to verify the credentials |

For a failed RDP logon, use the Status/Sub-Status code of Event ID 4625 (table below) to determine the reason for the failure.

Event ID 4625 – Status codes for a failed logon

| Status / Sub-Status code | Description |
|---|---|
| 0xC000005E | There are currently no logon servers available to service the logon request |
| 0xC0000064 | User logon with misspelled or bad user account |
| 0xC000006A | User logon with misspelled or bad password |
| 0xC000006D | The cause is either a bad username or authentication information |
| 0xC000006E | Indicates a referenced user name and authentication information are valid, but some user account restriction has prevented successful authentication (such as time-of-day restrictions) |
| 0xC000006F | User logon outside authorized hours |
| 0xC0000070 | User logon from unauthorized workstation |
| 0xC0000071 | User logon with expired password |
| 0xC0000072 | User logon to account disabled by administrator |
| 0xC00000DC | Indicates the SAM server was in the wrong state to perform the desired operation |
| 0xC0000133 | Clocks between DC and other computer too far out of sync |
| 0xC000015B | The user has not been granted the requested logon type (also called the logon right) at this machine |
| 0xC000018C | The logon request failed because the trust relationship between the primary domain and the trusted domain failed |
| 0xC0000192 | An attempt was made to logon, but the Net Logon service was not started |
| 0xC0000193 | User logon with expired account |
| 0xC0000224 | User is required to change password at next logon |
| 0xC0000225 | Evidently a bug in Windows and not a risk |
| 0xC0000234 | User logon with account locked |
| 0xC00002EE | Failure Reason: An error occurred during logon |
| 0xC0000413 | Logon Failure: The machine you are logging on to is protected by an authentication firewall. The specified account is not allowed to authenticate to the machine |
| 0x0 | Status OK |
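As an added example (not part of the original article), the PowerShell below pulls the core events from the tables above off a host and decodes them with the article's code tables: 4624 filtered to logon type 10, every 4625 with its Sub-Status translated, and LocalSessionManager events 21/24/25/40 with event 40's reason code translated. It assumes an elevated shell with access to the Security and LocalSessionManager logs, and that the XML field names used (LogonType, SubStatus, IpAddress, User, SessionID, Session, Reason, Address) match the Microsoft event schemas; the lookup tables are a subset of the article's and can be extended row by row.

```powershell
# Added example, not the article's own tooling. Assumes an elevated shell and that the
# event XML field names below match the Microsoft schemas for these event IDs.
param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 7)
$since = (Get-Date).AddDays(-$Days)

# Subset of the article's Event ID 4625 Sub-Status and Event ID 40 reason-code tables.
$SubStatus = @{ '0xC0000064' = 'Bad user name';      '0xC000006A' = 'Bad password'
                '0xC0000072' = 'Account disabled';   '0xC0000234' = 'Account locked'
                '0xC000015B' = 'Logon type not granted'; '0xC0000193' = 'Account expired' }
$Reason = @{ 0 = 'No additional information'; 5 = 'Replaced by another connection'
             11 = 'User-initiated disconnect'; 12 = 'User logged off'; 768 = 'Invalid credentials' }
$rows = @()

# Security log: successful RDP logons (4624, type 10) and every failed logon (4625).
# The article notes RDP does not always show as type 10; widen the filter when hunting.
$sec = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4624, 4625; StartTime = $since }
foreach ($e in $sec) {
    $d = @{}
    foreach ($n in ([xml]$e.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    if ($e.Id -eq 4624 -and $d.LogonType -ne '10') { continue }
    $detail = 'RDP logon succeeded'
    if ($e.Id -eq 4625) {
        $code = '0x{0:X8}' -f [int64]$d.SubStatus            # normalise e.g. 0xc000006a
        $detail = "$code $($SubStatus[$code])"
    }
    $rows += [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id; Session = ''
        User = "$($d.TargetDomainName)\$($d.TargetUserName)"; Source = $d.IpAddress; Detail = $detail }
}

# LocalSessionManager log: logon (21), disconnect (24), reconnect (25), disconnect reason (40).
$lsm = Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'
    Id = 21, 24, 25, 40; StartTime = $since }
foreach ($e in $lsm) {
    $u = ([xml]$e.ToXml()).Event.UserData.EventXML        # 21/24/25 carry User/SessionID/Address
    $detail = ''                                           # 40 carries Session/Reason only
    if ($e.Id -eq 40) { $detail = "reason $($u.Reason): $($Reason[[int]$u.Reason])" }
    $rows += [pscustomobject]@{ Time = $e.TimeCreated; Id = $e.Id
        Session = $(if ($u.SessionID) { $u.SessionID } else { $u.Session })
        User = $u.User; Source = $u.Address; Detail = $detail }
}

# One chronological view across both logs: pair 4625 bursts with later 21/4624 entries.
$rows | Sort-Object Time | Format-Table -AutoSize
```

Correlating on Source and Session across the two logs is what lets an analyst tell a brute-force burst of 4625s that ends in a 4624 type 10 and an event 21 from ordinary user activity.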

