Event ID 226 — StateTransition: An error was encountered when transitioning from PreviousStateName in response to EventName (error code ErrorCode).

Provider: Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Channel: Operational
Level: Warning
Task: RemoteFXmodule_4
Opcode: Runtime

Description

StateTransition: An error was encountered when transitioning from PreviousStateName in response to EventName (error code ErrorCode).

Message #

%1: An error was encountered when transitioning from %3 in response to %7 (error code %8).

Fields #

Name	Description
`StateTransition` UnicodeString	—
`PreviousState` UInt32	—
`PreviousStateName` UnicodeString	—
`NewState` UInt32	—
`NewStateName` UnicodeString	—
`Event` UInt32	—
`EventName` UnicodeString	—
`ErrorCode` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
    "guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
    "event_source_name": "",
    "event_id": 226,
    "version": 0,
    "level": 3,
    "task": 4,
    "opcode": 19,
    "keywords": 4611686018427387904,
    "time_created": "2019-08-27T17:16:34.851971Z",
    "event_record_id": 851,
    "correlation": {
      "#attributes": {
        "ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
      }
    },
    "execution": {
      "process_id": 636,
      "thread_id": 4988
    },
    "channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
    "computer": "MSEDGEWIN10",
    "security": {
      "user_id": "S-1-5-20"
    }
  },
  "event_data": {
    "StateTransition": "RDP_TCP",
    "PreviousState": 23,
    "PreviousStateName": "StateUnknown",
    "NewState": 21,
    "NewStateName": "StateDisconnected",
    "Event": 43,
    "EventName": "Event_Disconnect",
    "ErrorCode": "0x80070040"
  }
}

References #

Example event sourced from https://github.com/NextronSystems/evtx-baseline