Microsoft-Windows-TerminalServices-ClientActiveXCore
75 events across 3 channels
Event ID 225 — StateTransitionName: Transitioned successfully from PreviousStateName to NewStateName in response to EventName.
Description
StateTransitionName: Transitioned successfully from PreviousStateName to NewStateName in response to EventName.
Fields
| Name | Type | Description |
|---|---|---|
| StateTransitionName | UnicodeString | — |
| PreviousState | UInt32 | — |
| PreviousStateName | UnicodeString | — |
| NewState | UInt32 | — |
| NewStateName | UnicodeString | — |
| Event | UInt32 | — |
| EventName | UnicodeString | — |
Event ID 226 — StateTransitionName: An error was encountered when transitioning from PreviousStateName to NewStateName in response to EventName (error code Error Code).
Description
StateTransitionName: An error was encountered when transitioning from PreviousStateName to NewStateName in response to EventName (error code Error Code).
Fields
| Name | Type | Description |
|---|---|---|
| StateTransitionName | UnicodeString | — |
| PreviousState | UInt32 | — |
| PreviousStateName | UnicodeString | — |
| NewState | UInt32 | — |
| NewStateName | UnicodeString | — |
| Event | UInt32 | — |
| EventName | UnicodeString | — |
| Error Code | | — |
| ErrorCode | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
"guid": "28AA95BB-D444-4719-A36F-40462168127E",
"event_source_name": "",
"event_id": 226,
"version": 0,
"level": 3,
"task": 104,
"opcode": 19,
"keywords": 4611686018427387904,
"time_created": "2026-03-13T18:26:54.989202+00:00",
"event_record_id": 4,
"correlation": {
"ActivityID": "DB2461B3-3531-4655-AE9C-36EB94410000"
},
"execution": {
"process_id": 12488,
"thread_id": 13944
},
"channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {
"StateTransitionName": "RDPClient_SSL",
"PreviousState": 2,
"PreviousStateName": "TsSslStateHandshakeStart",
"NewState": 10,
"NewStateName": "TsSslStateDisconnecting",
"Event": 7,
"EventName": "TsSslEventStartHandshakeFailed",
"Error Code": 2147500037
},
"message": ""
}
Event ID 227 — StateTransitionName: MCS Channel Join Confirmation received: ChannelID = ChannelID, ChannelName = ChannelName.
Event ID 1000 —
Fields
| Name | Type | Description |
|---|---|---|
| Function | UnicodeString | — |
| Line | UnicodeString | — |
| DebugMessage | UnicodeString | — |
Event ID 1001 — RDP ClientActiveX is trying to connect to the server (Value).
Event ID 1002 — RDP ClientActiveX has connected to the server
Description
RDP ClientActiveX has connected to the server.
Event ID 1003 — RDP ClientActiveX has been disconnected (Reason= Value).
Event ID 1004 — Client has logged on to the server (SessionId = Value).
Event ID 1005 — Client failed to logon on to the server (Error = ErrorCode).
Event ID 1006 — Client machine has lost network connectivity (Reason= ErrorCode).
Event ID 1007 — DNS failed to resolve the server name (Error= ErrorCode).
Event ID 1008 — The credentials provided are authenticated by the server
Event ID 1009 — The credentials provided were failed to be authenticated by the server
Event ID 1010 — RDP ClientActiveX is connecting to a gateway server (Name=Value).
Event ID 1011 — RDP ClientActiveX succeeded in connecting to the gateway server
Description
RDP ClientActiveX succeeded in connecting to the gateway server.
Event ID 1012 — RDP ClientActiveX failed to connect to the gateway server(Error= ErrorCode).
Event ID 1013 — RDP ClientActiveX is trying to automatically reconnect to the server (Value).
Event ID 1014 — RDP ClientActiveX succeeded in automatically connecting to the server
Event ID 1015 — RDP ClientActiveX failed to automatically connect to the server (Reason= TraceMessage).
Event ID 1016 — Client has a license to connect to the server
Event ID 1017 — Client does not have a license to connect to the server (Error= ErrorCode).
Event ID 1018 — RDP ClientActiveX failed to connect to the server (Error = ErrorCode).
Event ID 1020 — RDP ClientActiveX has recorded the following error - ErrorCode.
Event ID 1021 — RDP ClientActiveX's gateway transport has recorded the following error - Value.
Event ID 1023 — RDP Client ActiveX has started using RemoteFX for graphics decoding (decoder type = Value).
Event ID 1024 — RDP ClientActiveX is trying to connect to the server (Value).
Description
RDP ClientActiveX is trying to connect to the server (Value).
Fields
| Name | Type | Description |
|---|---|---|
| Name | UnicodeString | — |
| Value | UnicodeString | — |
| CustomLevel | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
"guid": "28AA95BB-D444-4719-A36F-40462168127E",
"event_source_name": "",
"event_id": 1024,
"version": 0,
"level": 4,
"task": 101,
"opcode": 10,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:32:36.580526+00:00",
"event_record_id": 1,
"correlation": {
"ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
},
"execution": {
"process_id": 11236,
"thread_id": 11240
},
"channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Name": "Server Name",
"Value": "29A7892D-8743-4A3F-85E3-06FE9D7977B4",
"CustomLevel": "Info"
},
"message": ""
}
Detection Rules
Splunk
- Windows RDPClient Connection Sequence Events: This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. NOTE: the analytic was written for Multi-Line, as XML was not properly parsed out.
References
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-1024-rdp-activex.md
Event ID 1025 — RDP ClientActiveX has connected to the server
Description
RDP ClientActiveX has connected to the server.
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
"guid": "28AA95BB-D444-4719-A36F-40462168127E",
"event_source_name": "",
"event_id": 1025,
"version": 0,
"level": 4,
"task": 101,
"opcode": 10,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:32:37.058263+00:00",
"event_record_id": 4,
"correlation": {
"ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
},
"execution": {
"process_id": 11236,
"thread_id": 5172
},
"channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}
Event ID 1026 — RDP ClientActiveX has been disconnected (Reason= Value).
Event ID 1027 — Connected to domain (DomainName) with session SessionId.
Event ID 1028 — Server supports SSL = TraceMessage.
Description
Server supports SSL = TraceMessage.
Fields
| Name | Type | Description |
|---|---|---|
| TraceMessage | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
"guid": "28AA95BB-D444-4719-A36F-40462168127E",
"event_source_name": "",
"event_id": 1028,
"version": 0,
"level": 4,
"task": 101,
"opcode": 10,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:32:36.991587+00:00",
"event_record_id": 2,
"correlation": {
"ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
},
"execution": {
"process_id": 11236,
"thread_id": 5172
},
"channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"TraceMessage": "not supported"
},
"message": ""
}
Event ID 1029 — Base64(SHA256(UserName)) is = TraceMessage.
Description
Base64(SHA256(UserName)) is = TraceMessage.
Fields
| Name | Type | Description |
|---|---|---|
| TraceMessage | UnicodeString | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
"guid": "28AA95BB-D444-4719-A36F-40462168127E",
"event_source_name": "",
"event_id": 1029,
"version": 0,
"level": 4,
"task": 101,
"opcode": 10,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:32:36.992493+00:00",
"event_record_id": 3,
"correlation": {
"ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
},
"execution": {
"process_id": 11236,
"thread_id": 11240
},
"channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"TraceMessage": "-"
},
"message": ""
}
Event ID 1030 — RDP Client build BuildBranch BuildDate BuildTime BuildVersion ArchAndFlavour.
Event ID 1031 — Invalid format error occured when decoding packet of type TraceMessage.
Event ID 1032 — Component name:ErrorCode, :: ErrorDescription.
Event ID 1033 — Component name:Name, :: CustomLevel, Error code:Value.
Event ID 1034 — Component name:ErrorCode, :: ErrorDescription.
Event ID 1100 — The client detected the link latency is Value milliseconds.
Event ID 1101 — The client detected the bandwidth is Value kbps/second.
Event ID 1102 — The client has initiated a multi-transport connection to the server Value.
Event ID 1103 — The client has established a multi-transport connection to the server.
Description
The client has established a multi-transport connection to the server.
Event ID 1104 — The client failed to establish the multi-transport connection.
Event ID 1105 — The multi-transport connection has been disconnected.
Description
The multi-transport connection has been disconnected.
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
"guid": "28AA95BB-D444-4719-A36F-40462168127E",
"event_source_name": "",
"event_id": 1105,
"version": 0,
"level": 4,
"task": 101,
"opcode": 10,
"keywords": 4611686018427387904,
"time_created": "2026-03-13T18:26:54.989606+00:00",
"event_record_id": 5,
"correlation": {
"ActivityID": "DB2461B3-3531-4655-AE9C-36EB94410000"
},
"execution": {
"process_id": 12488,
"thread_id": 13944
},
"channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
}
},
"event_data": {},
"message": ""
}
Event ID 1106 — Close event, code = Code.
Event ID 1107 — Disconnect trace:ComponentName "Message", Error code:ErrorCode.
Event ID 1201 — The RdClient has been forced exit since cancelling existing workspace job took too long.
Description
The RdClient has been forced exit since cancelling existing workspace job took too long.
Event ID 1202 — The user has clicked sign out on the OOB Client ribbon.
Description
The user has clicked sign out on the OOB Client ribbon.
Event ID 1203 — The user has clicked Refresh on the OOB client ribbon.
Description
The user has clicked Refresh on the OOB client ribbon.
Event ID 1204 — The user tried to login into ADAL with a different user name than the one he/she subscribed to initially.
Description
The user tried to login into ADAL with a different user name than the one he/she subscribed to initially.
Event ID 1205 — Event: Workspace Event succeeded for Tenant = TenantId , TotalTimeWithoutAdal = TotalTimeWithoutAdal ms, AdalTime = AdalTime ms.
Description
Event: Workspace Event succeeded for Tenant = TenantId , TotalTimeWithoutAdal = TotalTimeWithoutAdal ms, AdalTime = AdalTime ms. NumberOfResources = ErrorCode.
Fields
| Name | Type | Description |
|---|---|---|
| Event | UnicodeString | — |
| TenantId | UnicodeString | — |
| TotalTimeWithoutAdal | UInt32 | — |
| AdalTime | UInt32 | — |
| ErrorCode | UInt32 | — |
Event ID 1206 — Event: Workspace Event failed for Tenant = TenantId.
Event ID 1207 — RDP Client build BuildBranch BuildDate BuildTime BuildVersion ArchAndFlavour.
Event ID 1208 — Feed discovery succeeded.
Event ID 1209 — Feed discovery failed.
Event ID 1210 — Feed cache corruption encountered.
Event ID 1211 — Consent status updated successfully.
Event ID 1212 — Consent status update failed.
Event ID 1213 — The user has clicked view invitations on the OOB client ribbon.
Description
The user has clicked view invitations on the OOB client ribbon.
Event ID 1214 — Base64(SHA256(UserName)) = UserNameHash, TimeZone Bias = TimeZoneBias, TimeZone Name = TimeZoneName.
Event ID 1215 — Refresh Time = refreshTime, Number of feeds = numberOfFeeds.
Event ID 1216 — ADAL error code = ErrorCode, description = ErrorDescription.
Event ID 1217 — ADAL token collected successfully
Description
ADAL token collected successfully.
Event ID 1218 — ADAL cancelled
Description
ADAL cancelled.
Event ID 1227 — RadcClientType entering stage RadcClientStage.
Event ID 1228 — RadcClientStage with http event type RadcHttpEvent.
Event ID 1229 — RadcClientStage with http event type RadcHttpEvent and http status code Code.
Event ID 1230 — RadcClientStage with http event type RadcHttpEvent failed with xresult Code.
Event ID 1401 — The server is using version Version of the RDP graphics protocol (client mode: ClientMode, AVC available: AvcEnabled).
Description
The server is using version Version of the RDP graphics protocol (client mode: ClientMode, AVC available: AvcEnabled).
Fields
| Name | Type | Description |
|---|---|---|
| Version | HexInt32 | — |
| ClientMode | UInt32 | — |
| AvcEnabled | UInt32 | — |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
"guid": "28AA95BB-D444-4719-A36F-40462168127E",
"event_source_name": "",
"event_id": 1401,
"version": 0,
"level": 4,
"task": 106,
"opcode": 36,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:32:37.635292+00:00",
"event_record_id": 6,
"correlation": {
"ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
},
"execution": {
"process_id": 11236,
"thread_id": 3796
},
"channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Version": "0x80004",
"ClientMode": 0,
"AvcEnabled": 0
},
"message": ""
}
Event ID 1402 — The client is using hardware memory for the frame buffer.
Description
The client is using hardware memory for the frame buffer.
Event ID 1403 — The client is using software memory for the frame buffer.
Description
The client is using software memory for the frame buffer.
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
"guid": "28AA95BB-D444-4719-A36F-40462168127E",
"event_source_name": "",
"event_id": 1403,
"version": 0,
"level": 4,
"task": 106,
"opcode": 38,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:32:37.464424+00:00",
"event_record_id": 5,
"correlation": {
"ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
},
"execution": {
"process_id": 11236,
"thread_id": 3796
},
"channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {},
"message": ""
}