The article is applicable when analyzing RDP logs both in Windows Server 2008 R2, 2012/R2, 2016 and in desktop Windows editions (Windows 10, 8.1 and 7).

You can check the RDP connection logs using Windows Event Viewer (eventvwr.msc). Windows logs contain a lot of data, and it is quite difficult to find the event you need. When a user connects to the remote desktop of an RDS (RDP) host, a whole series of events appears in the Windows Event Viewer. There are several different logs where you can find information about Remote Desktop connections. We'll look at the logs and events for the main stages of an RDP connection that may be of interest to the administrator:

Network Connection is the establishment of a network connection to a server from a user's RDP client. It is the event with the EventID 1149 (Remote Desktop Services: User authentication succeeded). If this event is found, it doesn't mean that user authentication has been successful. This log is located in "Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Operational". Enable the log filter for this event (right-click the log -> Filter Current Log -> EventId 1149). Then you will get an event list with the history of all RDP connections to this server. As you can see, the logs provide a username, a domain (in this case Network Level Authentication is used; if NLA is disabled, the event text looks different) and the IP address of the computer from which the RDP connection has been initiated.

The event with the EventID – 21 (Remote Desktop Services: Shell start notification received) means that the Explorer shell has been successfully started (the desktop appears in the user's RDP session).

Session Disconnect/Reconnect – session disconnection / reconnection events have different IDs depending on what caused the user disconnection (disconnection due to inactivity, the Disconnect option has been selected by the user in the session, the RDP session was ended by another user or an administrator, etc.). You can find these events in the logs located in "Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational". Let's consider the most interesting RDP events:

EventID – 24 (Remote Desktop Services: Session has been disconnected) – a user has disconnected from the RDP session.
EventID – 25 (Remote Desktop Services: Session reconnection succeeded) – a user has reconnected to the existing RDP session on the server.
EventID – 39 (Session has been disconnected by session) – a user has disconnected from the RDP session by selecting the corresponding menu option (instead of just closing the RDP client window).
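
The Event Viewer filter for EventID 1149 and the LocalSessionManager events 21, 24, 25 and 39 can also be pulled into a single timeline from PowerShell. This is an added example, not code from the original article; the function name Get-RdpEvent and the 7-day window are illustrative, and the payload field names (Param1, Param2, Param3, User, Address, SessionID) are assumptions about how these events store their data and should be checked against one event's XML view on your server.

```powershell
# Added example: build one RDP timeline from the two Operational logs named in the article.
$rcm = 'Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational'
$lsm = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# Meaning of each event ID, as the article describes it.
$stage = @{
    1149 = 'Network connection (not proof of a successful logon)'
    21   = 'Shell start (desktop shown)'
    24   = 'Session disconnected'
    25   = 'Session reconnected'
    39   = 'Disconnected via menu option'
}

function Get-RdpEvent {   # hypothetical helper name
    param([string]$LogName, [int[]]$Id, [datetime]$After)
    # Get-WinEvent raises an error when nothing matches, so suppress that case.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = $Id; StartTime = $After } `
                 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $x = ([xml]$_.ToXml()).Event.UserData.EventXML
        if ($_.Id -eq 1149) {
            # Assumption: Param1 = user, Param2 = domain, Param3 = client address.
            $user = if ($x.Param2) { "$($x.Param2)\$($x.Param1)" } else { $x.Param1 }
            $addr = $x.Param3
        } else {
            # Assumption: these events carry User / Address / SessionID elements.
            # Fields absent from a given event (for example in 39) stay empty.
            $user = $x.User
            $addr = $x.Address
        }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Id        = $_.Id
            Stage     = $stage[$_.Id]
            User      = $user
            SessionID = $x.SessionID
            SourceIP  = $addr
        }
    }
}

$since = (Get-Date).AddDays(-7)   # illustrative look-back window
$timeline  = @(Get-RdpEvent -LogName $rcm -Id 1149 -After $since)
$timeline += @(Get-RdpEvent -LogName $lsm -Id 21, 24, 25, 39 -After $since)
$timeline | Sort-Object Time | Format-Table -AutoSize
```

A 1149 row with no later event 21 for the same user and source address is a connection that never reached a desktop, which is the distinction the article draws for that event.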