Microsoft-Windows-RemoteDesktopServices-RdpCoreTS

89 events across 3 channels

Event ID	Title	Channel
1	The RDP Graphics module failed to initialize.	Admin
2	Remote Desktop Protocol will use the RDP Graphics module to connect to the …	Admin
3	The RemoteFX module failed to initialize.	Admin
4	The RemoteFX module failed to initialize.	Admin
5	The client computer does not support RemoteFX.	Admin
6	The resolution requested by the remote client is not supported by RemoteFX.	Admin
7	The resolution requested by the remote client could not be set.	Admin
8	Module terminated.	Admin
33	Remote Desktop Protocol will use the RemoteFX guest mode module to connect to …	Operational
34	Remote Desktop Protocol will use the RemoteFX host mode module to connect to the …	Operational
35	Unable to initialize the RemoteFX host mode module.	Admin
36	Unable to initialize the RemoteFX host mode module.	Admin
37	The display resolution requested by the remote client is not supported by …	Operational
38	The display resolution requested by the remote client could not be enabled.	Operational
65	Connection %1 created.	Operational
66	The connection %1 was assigned to session %2.	Operational
67	The RemoteFX protocol connection %1 encountered an error (%2).	Operational
68	TMT: ConnectionName=.	Operational
69	Listener %1 is loaded.	Operational
70	The listener listens with display driver %1 available.	Operational
71	The connection %1 uses display driver %2.	Operational
72	Interface method called.	Operational
73	Inner encryption disabled?	Operational
97	The RDP protocol component %1 detected an error (%2) in the protocol stream and …	Operational
98	A TCP connection has been successfully established.	Operational
99	The TCP connection has failed with the error code %1.	Operational
100	The server has confirmed that the client's multi-transport capability.	Operational
101	The network characteristics detection function has been disabled because of %1.	Operational
102	The server has terminated main RDP connection with the client.	Operational
103	The disconnect reason is %1.	Operational
104	Client timezone is %1 hour from UTC.	Operational
105	The server's security layer setting allows it to use native RDP encryption, …	Admin
106	Disconnect initiated by server; forcing an AutoReconnect since listener is …	Operational
107	Received Disconnect Provider Indication from the client.	Operational
129	The server is using %1 to bind to port %2.	Operational
130	The server has initiated a multi-transport request to the client, for tunnel.	Operational
131	The server accepted a new %1 connection from client %2.	Operational
132	A channel %1 has been connected between the server and the client using …	Operational
133	The following network characteristics have been detected for tunnel %1; Link …	Operational
134	Link latency and bandwidth could not be detected for tunnel %2.	Operational
135	The multi-transport connection finished for tunnel: %1, its transport type set …	Operational
136	Unable to establish a multi-transport connection; the connection will use TCP.	Operational
137	The following network characteristics have been detected for tunnel %1; Link …	Operational
138	The DTLS initialization failed with the error code %1, TLS will be used instead.	Admin
139	The server security layer detected an error (%1) in the protocol stream and the …	Operational
140	A connection from the client computer with an IP address of %1 failed because …	Operational
141	PerfCounter session started with instance ID %1.	Operational
142	TCP socket READ operation failed, error %1.	Operational
143	TCP socket WRITE operation failed, error %1.	Operational
144	TCP socket was gracefully terminated	Operational
145	During this connection, server has not sent data or graphics update for %1 …	Operational
146	AutoReconnect failed with error %1.	Operational
147	LogonUserExEx failed with error %1.	Operational
148	Channel %1 has been closed between the server and the client on transport …	Operational
149	Logon certificate sent by client did not pass validation.	Operational
150	Long delay experienced while flushing data to the network.	Debug
151	In the past %1 ms, %2 heartbeats were sent to the client.	Debug
152	Timestamp: %1 ms, heartbeats sent: %2, data packet last sent: %3 ms, heartbeat …	Debug
153	Session negotiated TLS version %1.	Debug
154	%1.	Operational
155	RDP Diagnostic Heartbeat	Debug
161	The RemoteFX encoding engine encountered an error.	Operational
162	The client supports version %1 of the RDP graphics protocol, client mode: %2, …	Operational
163	The client supports RDP 7.	Operational
164	The client advertised protocol configurations which are not supported by the …	Operational
165	RDP RemoteFX graphics encoding is enabled.	Operational
166	The RemoteFX Adaptive Graphics internal configuration changed to optimize for …	Operational
167	The RemoteFX Adaptive Graphics internal configuration changed to optimize for …	Operational
168	The resolution requested by the client: Monitor %1: (%2, %3), origin: (%4, %5).	Operational
169	The client operating system type is (%1, %2).	Operational
170	AVC hardware encoder enabled: %1, encoder name is %2.	Operational
171	The client is uncapable to support screen capture protection feature.	Operational
172	The client is uncapable to support watermarking feature.	Operational
193	The RemoteFX Media Remoting is not supported by the client.	Operational
194	The RemoteFX Media Remoting is not supported by the current server …	Operational
195	The RemoteFX Media Remoting module encountered an error.	Operational
225	%1: Transitioned successfully from %3 to %5 in response to %7.	Debug
226	%1: An error was encountered when transitioning from %3 in response to %7 (error …	Operational
227		Operational
228	Disconnect trace:%1 %2, Error code:%3.	Operational
229		Operational
257	The connection is using advanced RemoteFX RemoteApp graphics.	Operational
258	The connection is not using advanced RemoteFX RemoteApp graphics	Operational
289	Got UDP reverse connect request to %1 port %2 connection id %3.	Operational
290	UDP reverse connect successful.	Operational
291	UDP reverse connect failed with error %1.	Operational
292	Multi transport listener NOT initialized.	Operational
293	Multi transport listener initialized.	Operational
294	Reverse UDP connect is disabled by SxS registry settings.	Operational

Event ID 1 — The RDP Graphics module failed to initialize.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

The RDP Graphics module failed to initialize. Verify that the server is correctly configured. A restart of the system may be needed. The relevant status error code was %1.

Fields

Name	Description
`HresultCode`	—

Event ID 2 — Remote Desktop Protocol will use the RDP Graphics module to connect to the client computer.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

Remote Desktop Protocol will use the RDP Graphics module to connect to the client computer. The RDP Graphics module is being used based on the server configuration, client configuration, and network connection.

Event ID 3 — The RemoteFX module failed to initialize.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

The RemoteFX module failed to initialize. Verify that the server is correctly configured. A restart of the system may be needed. The relevant status code was %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 4 — The RemoteFX module failed to initialize.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

The RemoteFX module failed to initialize. Verify that the server is correctly configured. A restart of the system may be needed. The relevant status code was %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 5 — The client computer does not support RemoteFX.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

The client computer does not support RemoteFX. The connection will be made with the RDP Graphics. The relevant status code was %1.

Fields

Name	Description
`StatusCode`	—

Event ID 6 — The resolution requested by the remote client is not supported by RemoteFX.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

The resolution requested by the remote client is not supported by RemoteFX. The connection will be made with RemoteFX using a supported resolution. Resolution requested by the client: Monitors %1: %2. Resolution applied: %3.

Fields

Name	Description
`NumMonitors`	—
`RequestedMode`	—
`AppliedMode`	—

Event ID 7 — The resolution requested by the remote client could not be set.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

The resolution requested by the remote client could not be set. The default resolution will be set for the RemoteFX session. The server may be experiencing high load or require a restart.

Event ID 8 — Module terminated.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

Module terminated.

Event ID 33 — Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer.

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 33
  version: 0
  level: 4
  task: 4
  opcode: 11
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:46.553439Z'
  event_record_id: 898
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 6776
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 34 — Remote Desktop Protocol will use the RemoteFX host mode module to connect to the client computer.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Remote Desktop Protocol will use the RemoteFX host mode module to connect to the client computer.

Event ID 35 — Unable to initialize the RemoteFX host mode module.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

Unable to initialize the RemoteFX host mode module. Restart the computer to resolve the issue. If the issue is not resolved, verify the computer configuration.. The error code is %1.

Fields

Name	Description
`HresultCode`	—

Event ID 36 — Unable to initialize the RemoteFX host mode module.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

Unable to initialize the RemoteFX host mode module. Restart the computer to resolve the issue. If the issue is not resolved, verify the computer configuration.. The error code is %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 37 — The display resolution requested by the remote client is not supported by RemoteFX host mode module.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The display resolution requested by the remote client is not supported by RemoteFX host mode module. The resolution requested by the client: Monitors %1: %2. Resolution applied: %3.

Fields

Name	Description
`NumMonitors`	—
`RequestedMode`	—
`AppliedMode`	—

Event ID 38 — The display resolution requested by the remote client could not be enabled.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The display resolution requested by the remote client could not be enabled. The default resolution will be enabled for the RemoteFX session. The server may be experiencing high load

Event ID 65 — Connection %1 created.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

Connection %1 created

Fields

Name	Description
`ConnectionName`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 65
  version: 0
  level: 4
  task: 4
  opcode: 13
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:28.546169Z'
  event_record_id: 846
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 1660
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ConnectionName: RDP-Tcp#5

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 66 — The connection %1 was assigned to session %2.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The connection %1 was assigned to session %2

Fields

Name	Description
`ConnectionName`	—
`SessionID`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 66
  version: 0
  level: 4
  task: 4
  opcode: 13
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:46.547380Z'
  event_record_id: 897
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 6776
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ConnectionName: RDP-Tcp#7
  SessionID: 1

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 67 — The RemoteFX protocol connection %1 encountered an error (%2).

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The RemoteFX protocol connection %1 encountered an error (%2)

Fields

Name	Description
`ConnectionName`	—
`ErrorCode`	—

Event ID 68 — TMT: ConnectionName=.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

TMT: ConnectionName=%1, PromptForCredentials=%2, PromptForCredentialsDone=%3, GfxChannelOpened=%4, FirstGraphicsReceived=%5 [ms]

Fields

Name	Description
`ConnectionName`	—
`PromptForCredentials`	—
`PromptForCredentialsDone`	—
`GfxChannelOpened`	—
`FirstGraphicsReceived`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 68
  version: 0
  level: 4
  task: 4
  opcode: 13
  keywords: 4611686018427387904
  time_created: '2020-11-13T11:09:15.885301Z'
  event_record_id: 12592
  correlation:
    '#attributes':
      ActivityID: AF159B2D-D587-4709-AB35-F167130B0000
  execution:
    process_id: 388
    thread_id: 8512
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ConnectionName: RDP-Tcp#0
  PromptForCredentials: 0
  PromptForCredentialsDone: 0
  GfxChannelOpened: 8266
  FirstGraphicsReceived: 10672

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 69 — Listener %1 is loaded.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Listener %1 is loaded

Fields

Name	Description
`ModuleName`	—

Event ID 70 — The listener listens with display driver %1 available.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The listener listens with display driver %1 available.

Fields

Name	Description
`DisplayDriverName`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 70
  version: 0
  level: 4
  task: 4
  opcode: 13
  keywords: 4611686018427387904
  time_created: '2019-08-28T03:36:49.826774Z'
  event_record_id: 979
  correlation:
    '#attributes':
      ActivityID: F4624E4C-DF38-4BB3-A4DB-3782C9880000
  execution:
    process_id: 480
    thread_id: 1196
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  DisplayDriverName: rdpudd.dll

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 71 — The connection %1 uses display driver %2.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The connection %1 uses display driver %2.

Fields

Name	Description
`ConnectionName`	—
`DisplayDriverName`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 71
  version: 0
  level: 4
  task: 4
  opcode: 13
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:45.622046Z'
  event_record_id: 886
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 7136
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ConnectionName: RDP-Tcp#7
  DisplayDriverName: RDPUDD

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 72 — Interface method called.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

Interface method called: %1

Fields

Name	Description
`Interface_method_called`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 72
  version: 0
  level: 4
  task: 4
  opcode: 13
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:28.548440Z'
  event_record_id: 847
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 6492
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  MethodName: PrepareForAccept

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 73 — Inner encryption disabled?

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Inner encryption disabled? %1

Fields

Name	Description
`Disabled`	—

Event ID 97 — The RDP protocol component %1 detected an error (%2) in the protocol stream and the client was disconnected.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The RDP protocol component %1 detected an error (%2) in the protocol stream and the client was disconnected.

Fields

Name	Description
`ComponentName`	—
`ErrorCode`	—

Event ID 98 — A TCP connection has been successfully established.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

A TCP connection has been successfully established.

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 98
  version: 0
  level: 4
  task: 4
  opcode: 15
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:45.624254Z'
  event_record_id: 891
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 1692
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 99 — The TCP connection has failed with the error code %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The TCP connection has failed with the error code %1.

Fields

Name	Description
`ResultCode`	—

Event ID 100 — The server has confirmed that the client's multi-transport capability.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The server has confirmed that the client's multi-transport capability.

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 100
  version: 0
  level: 4
  task: 4
  opcode: 15
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:45.624261Z'
  event_record_id: 892
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 1692
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 101 — The network characteristics detection function has been disabled because of %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 3
Samples: 1

Message

The network characteristics detection function has been disabled because of %1.

Fields

Name	Description
`ReasonString`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 101
  version: 0
  level: 3
  task: 4
  opcode: 16
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:45.621408Z'
  event_record_id: 880
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 7312
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ReasonString: 'Reason Code: 2(Server Configuration).'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 102 — The server has terminated main RDP connection with the client.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The server has terminated main RDP connection with the client.

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 102
  version: 0
  level: 4
  task: 4
  opcode: 17
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:34.852452Z'
  event_record_id: 854
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 1644
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 103 — The disconnect reason is %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The disconnect reason is %1

Fields

Name	Description
`ReasonCode`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 103
  version: 0
  level: 4
  task: 4
  opcode: 17
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:34.852505Z'
  event_record_id: 857
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 6492
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ReasonCode: 14

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 104 — Client timezone is %1 hour from UTC.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

Client timezone is %1 hour from UTC;

Fields

Name	Description
`TimezoneBiasHour`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 104
  version: 0
  level: 4
  task: 4
  opcode: 15
  keywords: 4611686018427387904
  time_created: '2020-07-09T19:47:00.719124Z'
  event_record_id: 1129
  correlation:
    '#attributes':
      ActivityID: F420CA7A-0E56-4135-8A7C-CE2182D30000
  execution:
    process_id: 476
    thread_id: 4152
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  TimezoneBiasHour: '[1]'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 105 — The server's security layer setting allows it to use native RDP encryption, which is no longer recommended.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

The server's security layer setting allows it to use native RDP encryption, which is no longer recommended. Consider changing the server security layer to require SSL. You can change this setting in Group Policy.

Event ID 106 — Disconnect initiated by server; forcing an AutoReconnect since listener is disabled.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Disconnect initiated by server; forcing an AutoReconnect since listener is disabled.

Event ID 107 — Received Disconnect Provider Indication from the client.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

Received Disconnect Provider Indication from the client.

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 107
  version: 0
  level: 4
  task: 4
  opcode: 17
  keywords: 4611686018427387904
  time_created: '2019-08-28T10:07:43.924049Z'
  event_record_id: 1066
  correlation:
    '#attributes':
      ActivityID: F4202795-713F-468C-BA0B-6C1C2F0C0000
  execution:
    process_id: 396
    thread_id: 1064
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 129 — The server is using %1 to bind to port %2.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The server is using %1 to bind to port %2.

Fields

Name	Description
`TransportProtocolName`	—
`Port`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 129
  version: 0
  level: 4
  task: 4
  opcode: 18
  keywords: 4611686018427387904
  time_created: '2019-08-28T03:36:49.907396Z'
  event_record_id: 980
  correlation:
    '#attributes':
      ActivityID: F4624E4C-DF38-4BB3-A4DB-3782C9880000
  execution:
    process_id: 480
    thread_id: 1196
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  TransportProtocolName: TCP
  Port: 3389

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 130 — The server has initiated a multi-transport request to the client, for tunnel.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The server has initiated a multi-transport request to the client, for tunnel: %1.

Fields

Name	Description
`The_server_has_initiated_a_multitransport_request_to_the_client_for_tunnel`	The server has initiated a multi-transport request to the client, for tunnel.

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 130
  version: 0
  level: 4
  task: 4
  opcode: 15
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:45.625322Z'
  event_record_id: 894
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 1692
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  TunnelID: 1

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 131 — The server accepted a new %1 connection from client %2.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The server accepted a new %1 connection from client %2.

Fields

Name	Description
`ConnType`	—
`ClientIP`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 131
  version: 0
  level: 4
  task: 4
  opcode: 15
  keywords: 4611686018427387904
  time_created: '2020-11-13T11:09:07.084053Z'
  event_record_id: 12551
  correlation:
    '#attributes':
      ActivityID: F4207C37-D7A8-4A5E-9A35-4E79CAA60000
  execution:
    process_id: 388
    thread_id: 1292
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ConnType: TCP
  ClientIP: 10.0.2.16:52202

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 132 — A channel %1 has been connected between the server and the client using transport tunnel: %2.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

A channel %1 has been connected between the server and the client using transport tunnel: %2.

Fields

Name	Description
`ChannelName`	—
`TunnelID`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 132
  version: 0
  level: 4
  task: 4
  opcode: 15
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:45.621433Z'
  event_record_id: 881
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 7312
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ChannelName: rdplic
  TunnelID: 0

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 133 — The following network characteristics have been detected for tunnel %1; Link latency : %2 milliseconds and Bandwidth: %3 kbps.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The following network characteristics have been detected for tunnel %1; Link latency : %2 milliseconds and Bandwidth: %3 kbps.

Fields

Name	Description
`TunnelID`	—
`RTT`	—
`Bandwidth`	—

Event ID 134 — Link latency and bandwidth could not be detected for tunnel %2.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Link latency and bandwidth could not be detected for tunnel %2.  The error code is %1. The following default network characteristics will be used;  Link latency: %3 milliseconds and Bandwidth:%4 kbps.

Fields

Name	Description
`ResultCode`	—
`TunnelID`	—
`RTT`	—
`Bandwidth`	—

Event ID 135 — The multi-transport connection finished for tunnel: %1, its transport type set to %2.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The multi-transport connection finished for tunnel: %1, its transport type set to %2.

Fields

Name	Description
`The_multitransport_connection_finished_for_tunnel`	The multi-transport connection finished for tunnel.

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 135
  version: 0
  level: 4
  task: 4
  opcode: 15
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:45.624288Z'
  event_record_id: 893
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 1692
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  TunnelID: 3
  TransportType: 'TCP: Reason Code: 2 (Forced by Server Configuration)'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 136 — Unable to establish a multi-transport connection; the connection will use TCP.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Unable to establish a multi-transport connection; the connection will use TCP. Consult the product documentation to enable UDP Connections.

Event ID 137 — The following network characteristics have been detected for tunnel %1; Link latency : %2 milliseconds and Bandwidth: %3 kbps.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The following network characteristics have been detected for tunnel %1; Link latency : %2 milliseconds and Bandwidth: %3 kbps. Connections with these network characteristics may impact user experience.

Fields

Name	Description
`TunnelID`	—
`RTT`	—
`Bandwidth`	—

Event ID 138 — The DTLS initialization failed with the error code %1, TLS will be used instead.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Admin

Message

The DTLS initialization failed with the error code %1, TLS will be used instead. Audio/Video experience may be impacted.

Fields

Name	Description
`ResultCode`	—

Event ID 139 — The server security layer detected an error (%1) in the protocol stream and the client (Client IP:%2) has been disconnected.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The server security layer detected an error (%1) in the protocol stream and the client (Client IP:%2) has been disconnected.

Fields

Name	Description
`ResultCode`	—
`IPString`	—

Event ID 140 — A connection from the client computer with an IP address of %1 failed because the user name or password is not correct.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

A connection from the client computer with an IP address of %1 failed because the user name or password is not correct.

Fields

Name	Description
`IPString`	—

Event ID 141 — PerfCounter session started with instance ID %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

PerfCounter session started with instance ID %1

Fields

Name	Description
`InstanceID`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 141
  version: 0
  level: 4
  task: 4
  opcode: 11
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:28.549456Z'
  event_record_id: 849
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 6492
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  InstanceID: 5

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 142 — TCP socket READ operation failed, error %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 3
Samples: 1

Message

TCP socket READ operation failed, error %1

Fields

Name	Description
`error`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 142
  version: 0
  level: 3
  task: 4
  opcode: 15
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:34.851987Z'
  event_record_id: 852
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 6776
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  error: 64

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 143 — TCP socket WRITE operation failed, error %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 3
Samples: 1

Message

TCP socket WRITE operation failed, error %1

Fields

Name	Description
`error`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 143
  version: 0
  level: 3
  task: 4
  opcode: 15
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:34.851924Z'
  event_record_id: 850
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 4988
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  error: 64

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 144 — TCP socket was gracefully terminated

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

TCP socket was gracefully terminated

Event ID 145 — During this connection, server has not sent data or graphics update for %1 seconds (Idle1: %2, Idle2: %3).

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

During this connection, server has not sent data or graphics update for %1 seconds (Idle1: %2, Idle2: %3).

Fields

Name	Description
`Idle2`	1 seconds (Idle1.

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 145
  version: 0
  level: 4
  task: 4
  opcode: 19
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:34.852455Z'
  event_record_id: 855
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 1644
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  IdleSeconds: 0
  IdleSeconds1: 0
  IdleSeconds2: 0

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 146 — AutoReconnect failed with error %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

AutoReconnect failed with error %1

Fields

Name	Description
`Error`	—

Event ID 147 — LogonUserExEx failed with error %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

LogonUserExEx failed with error %1

Fields

Name	Description
`Error`	—

Event ID 148 — Channel %1 has been closed between the server and the client on transport tunnel: %2.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

Channel %1 has been closed between the server and the client on transport tunnel: %2.

Fields

Name	Description
`ChannelName`	—
`TunnelID`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 148
  version: 0
  level: 4
  task: 4
  opcode: 17
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:34.852505Z'
  event_record_id: 856
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 1644
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ChannelName: rdpinpt
  TunnelID: 0

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 149 — Logon certificate sent by client did not pass validation.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Logon certificate sent by client did not pass validation. Error: %1

Fields

Name	Description
`ErrorCode`	—

Event ID 150 — Long delay experienced while flushing data to the network.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Debug

Message

Long delay experienced while flushing data to the network. Flush time: %1 ms, flush interval: %2 ms.

Fields

Name	Description
`FlushTimeMs`	—
`FlushIntervalMs`	—

Event ID 151 — In the past %1 ms, %2 heartbeats were sent to the client.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Debug

Message

In the past %1 ms, %2 heartbeats were sent to the client. Max time without sending packets in recent history: %3 ms (all packets); throughout connection: %4 ms (data), %5 ms (heartbeats), %6 ms (all packets). Time between disconnect and last packet sent: %7 ms

Fields

Name	Description
`ms_all_packets_throughout_connection`	—
`HistoryMs`	—
`NumHeartbeats`	—
`MaxRecentTimeNoPacketMs`	—
`MaxTotalTimeNoDataMs`	—
`MaxTotalTimeNoHeartbeatMs`	—
`MaxTotalTimeNoPacketMs`	—
`TimeNoLastPacketMs`	—

Event ID 152 — Timestamp: %1 ms, heartbeats sent: %2, data packet last sent: %3 ms, heartbeat last sent: %4 ms.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Debug

Message

Timestamp: %1 ms, heartbeats sent: %2, data packet last sent: %3 ms, heartbeat last sent: %4 ms.

Fields

Name	Description
`Timestamp`	—
`ms_heartbeats_sent`	ms, heartbeats sent.
`data_packet_last_sent`	—
`ms_heartbeat_last_sent`	ms, heartbeat last sent.
`TimestampMs`	—
`NumHeartbeats`	—
`LastDataPacketMs`	—
`LastHeartbeatMs`	—

Event ID 153 — Session negotiated TLS version %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Debug

Message

Session negotiated TLS version %1

Fields

Name	Description
`TLSVersion`	—

Event ID 154 — %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

%1. Error %2

Fields

Name	Description
`Message`	—
`Error`	—

Event ID 155 — RDP Diagnostic Heartbeat

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Debug

Message

RDP Diagnostic Heartbeat

Event ID 161 — The RemoteFX encoding engine encountered an error.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The RemoteFX encoding engine encountered an error (%1). Server: %2

Fields

Name	Description
`ErrorCode`	—
`ServerName`	—

Event ID 162 — The client supports version %1 of the RDP graphics protocol, client mode: %2, AVC available: %3, Initial profile: %4.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The client supports version %1 of the RDP graphics protocol, client mode: %2, AVC available: %3, Initial profile: %4. Server: %5

Fields

Name	Description
`AVC_available`	1 of the RDP graphics protocol, client mode.
`Initial_profile`	—
`Server`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 162
  version: 0
  level: 4
  task: 4
  opcode: 19
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:46.742779Z'
  event_record_id: 908
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 8020
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  Version: '0xa0301'
  ClientMode: 2
  AvcEnabled: 1
  ProfileIdNum: 2
  ServerName: MSEDGEWIN10

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 163 — The client supports RDP 7.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The client supports RDP 7.1 or lower protocol. Server: %1

Fields

Name	Description
`Server`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 163
  version: 0
  level: 4
  task: 4
  opcode: 19
  keywords: 4611686018427387904
  time_created: '2019-08-28T14:22:27.573268Z'
  event_record_id: 1356
  correlation:
    '#attributes':
      ActivityID: F4201740-D459-489E-A55C-BFE842340000
  execution:
    process_id: 396
    thread_id: 1336
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ServerName: MSEDGEWIN10

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 164 — The client advertised protocol configurations which are not supported by the server.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The client advertised protocol configurations which are not supported by the server. Server: %1

Fields

Name	Description
`ServerName`	—

Event ID 165 — RDP RemoteFX graphics encoding is enabled.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

RDP RemoteFX graphics encoding is enabled. Server: %1

Fields

Name	Description
`ServerName`	—

Event ID 166 — The RemoteFX Adaptive Graphics internal configuration changed to optimize for the minimum use of network bandwidth.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The RemoteFX Adaptive Graphics internal configuration changed to optimize for the minimum use of network bandwidth. Server: %1

Fields

Name	Description
`ServerName`	—

Event ID 167 — The RemoteFX Adaptive Graphics internal configuration changed to optimize for experience.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The RemoteFX Adaptive Graphics internal configuration changed to optimize for experience. Server: %1

Fields

Name	Description
`ServerName`	—

Event ID 168 — The resolution requested by the client: Monitor %1: (%2, %3), origin: (%4, %5).

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The resolution requested by the client: Monitor %1: (%2, %3), origin: (%4, %5). Server: %6

Fields

Name	Description
`MonitorNum`	—
`MonitorWidth`	—
`MonitorHeight`	—
`MonitorX`	—
`MonitorY`	—
`ServerName`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 168
  version: 0
  level: 4
  task: 4
  opcode: 11
  keywords: 4611686018427387904
  time_created: '2020-11-13T11:09:15.564770Z'
  event_record_id: 12591
  correlation:
    '#attributes':
      ActivityID: F4207C37-D7A8-4A5E-9A35-4E79CAA60000
  execution:
    process_id: 388
    thread_id: 7312
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  MonitorNum: 0
  MonitorWidth: 200
  MonitorHeight: 200
  MonitorX: 0
  MonitorY: 0
  ServerName: MSEDGEWIN10

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 169 — The client operating system type is (%1, %2).

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The client operating system type is (%1, %2).  Server: %3

Fields

Name	Description
`MajorType`	—
`MinorType`	—
`ServerName`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 169
  version: 0
  level: 4
  task: 4
  opcode: 19
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:46.567652Z'
  event_record_id: 902
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 7312
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  MajorType: 1
  MinorType: 3
  ServerName: MSEDGEWIN10

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 170 — AVC hardware encoder enabled: %1, encoder name is %2.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

AVC hardware encoder enabled: %1, encoder name is %2. Server: %3

Fields

Name	Description
`AVC_hardware_encoder_enabled`	—
`IsHardwareEncode`	—
`EncoderMFTName`	—
`ServerName`	—

Event ID 171 — The client is uncapable to support screen capture protection feature.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The client is uncapable to support screen capture protection feature. Server: %1

Fields

Name	Description
`ServerName`	—

Event ID 172 — The client is uncapable to support watermarking feature.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The client is uncapable to support watermarking feature. Server: %1

Fields

Name	Description
`ServerName`	—

Event ID 193 — The RemoteFX Media Remoting is not supported by the client.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The RemoteFX Media Remoting is not supported by the client.

Event ID 194 — The RemoteFX Media Remoting is not supported by the current server configuration.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The RemoteFX Media Remoting is not supported by the current server configuration.

Event ID 195 — The RemoteFX Media Remoting module encountered an error.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The RemoteFX Media Remoting module encountered an error. The error code is %1.

Fields

Name	Description
`ErrorCode`	—

Event ID 225 — %1: Transitioned successfully from %3 to %5 in response to %7.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Debug

Message

%1: Transitioned successfully from %3 to %5 in response to %7.

Fields

Name	Description
`StateTransition`	—
`PreviousState`	—
`PreviousStateName`	—
`NewState`	—
`NewStateName`	—
`Event`	—
`EventName`	—

Event ID 226 — %1: An error was encountered when transitioning from %3 in response to %7 (error code %8).

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 3
Samples: 1

Message

%1: An error was encountered when transitioning from %3 in response to %7 (error code %8).

Fields

Name	Description
`StateTransition`	—
`PreviousState`	—
`PreviousStateName`	—
`NewState`	—
`NewStateName`	—
`Event`	—
`EventName`	—
`ErrorCode`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 226
  version: 0
  level: 3
  task: 4
  opcode: 19
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:16:34.851971Z'
  event_record_id: 851
  correlation:
    '#attributes':
      ActivityID: F420DD64-C87E-4E2D-A02E-7D0935770000
  execution:
    process_id: 636
    thread_id: 4988
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  StateTransition: RDP_TCP
  PreviousState: 23
  PreviousStateName: StateUnknown
  NewState: 21
  NewStateName: StateDisconnected
  Event: 43
  EventName: Event_Disconnect
  ErrorCode: '0x80070040'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 227 —

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 2
Samples: 1

Message

%3

Fields

Name	Description
`Name`	—
`Value`	—
`CustomLevel`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 227
  version: 0
  level: 2
  task: 4
  opcode: 19
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:45.622336Z'
  event_record_id: 887
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 7136
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  Name: CUMRDPConnection
  Value: 2147500033
  CustomLevel: '''Failed GetConnectionProperty'' in CUMRDPConnection::QueryProperty
    at 2884 err=[0x80004001]'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 228 — Disconnect trace:%1 %2, Error code:%3.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 3
Samples: 1

Message

Disconnect trace:%1 %2, Error code:%3

Fields

Name	Description
`Disconnect_trace`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 228
  version: 0
  level: 3
  task: 4
  opcode: 19
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:26:41.767599Z'
  event_record_id: 938
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 7572
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  ComponentName: CUMRDPConnection
  Message: Disconnect trace:'calling spGfxPlugin->PreDisconnect()' in CUMRDPConnection::PreDisconnect
    at 4595 err=[0x5]
  ErrorCode: 5

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 229 —

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

%2

Fields

Name	Description
`Name`	—
`CustomLevel`	—

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 229
  version: 0
  level: 4
  task: 4
  opcode: 19
  keywords: 4611686018427387904
  time_created: '2019-08-28T03:36:49.647283Z'
  event_record_id: 975
  correlation:
    '#attributes':
      ActivityID: F4624E4C-DF38-4BB3-A4DB-3782C9880000
  execution:
    process_id: 480
    thread_id: 1196
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data:
  Name: CUMRDPProtocolManager
  CustomLevel: '''CUMRDPProtocolManager::CreateListener(RDP-Tcp) DEBUG/VM/ReverseTCP/ReverseUDP/INET''
    in CUMRDPProtocolManager::CreateListener at 4134 err=[0x0]'

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 257 — The connection is using advanced RemoteFX RemoteApp graphics.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

The connection is using advanced RemoteFX RemoteApp graphics.

Event ID 258 — The connection is not using advanced RemoteFX RemoteApp graphics

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: 4
Samples: 1

Message

The connection is not using advanced RemoteFX RemoteApp graphics

Example Event

system:
  provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
  guid: 1139C61B-B549-4251-8ED3-27250A1EDEC8
  event_source_name: ''
  event_id: 258
  version: 0
  level: 4
  task: 4
  opcode: 21
  keywords: 4611686018427387904
  time_created: '2019-08-27T17:17:47.617830Z'
  event_record_id: 915
  correlation:
    '#attributes':
      ActivityID: F420C5E0-91BA-4CF1-97FF-34CCD7200000
  execution:
    process_id: 636
    thread_id: 7572
  channel: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
  computer: MSEDGEWIN10
  security:
    user_id: S-1-5-20
event_data: {}

References

Example event sourced from https://github.com/NextronSystems/evtx-baseline

Event ID 289 — Got UDP reverse connect request to %1 port %2 connection id %3.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Got UDP reverse connect request to %1 port %2 connection id %3.

Fields

Name	Description
`URL`	—
`Port`	—
`ConnectionID`	—

Event ID 290 — UDP reverse connect successful.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

UDP reverse connect successful.

Event ID 291 — UDP reverse connect failed with error %1.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

UDP reverse connect failed with error %1.

Fields

Name	Description
`Error`	—

Event ID 292 — Multi transport listener NOT initialized.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Multi transport listener NOT initialized. UDP reverse connect NOT supported.

Event ID 293 — Multi transport listener initialized.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Multi transport listener initialized. UDP reverse connect supported.

Event ID 294 — Reverse UDP connect is disabled by SxS registry settings.

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational

Message

Reverse UDP connect is disabled by SxS registry settings.