Event ID 1024 — RDP ClientActiveX is trying to connect to the server (Value).
Description #
RDP ClientActiveX is trying to connect to the server (Value).
Message #
Fields #
| Field | Type | Description |
|---|---|---|
| Name | UnicodeString | Label for the accompanying Value; "Server Name" in the example event. |
| Value | UnicodeString | The server the client is trying to connect to; substituted into the message as "(Value)". |
| CustomLevel | UnicodeString | Level of the event as a string; "Info" in the example event. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
"guid": "28AA95BB-D444-4719-A36F-40462168127E",
"event_source_name": "",
"event_id": 1024,
"version": 0,
"level": 4,
"task": 101,
"opcode": 10,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:32:36.580526+00:00",
"event_record_id": 1,
"correlation": {
"ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
},
"execution": {
"process_id": 11236,
"thread_id": 11240
},
"channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
}
},
"event_data": {
"Name": "Server Name",
"Value": "29A7892D-8743-4A3F-85E3-06FE9D7977B4",
"CustomLevel": "Info"
},
"message": ""
}
Detection Rules #
Splunk #
- Windows RDPClient Connection Sequence Events: This analytic monitors Windows RDP client connection sequence events (EventCode 1024) from the Microsoft-Windows-TerminalServices-RDPClient/Operational log. These events track when RDP ClientActiveX initiates connection attempts to remote servers. The connection sequence is a critical phase of RDP where the client and server exchange settings and establish common parameters for the session. Monitoring these events can help identify unusual RDP connection patterns, potential lateral movement attempts, unauthorized remote access activity, and RDP connection chains that may indicate compromised systems. Note: the analytic was written for multi-line events because the XML was not properly parsed out.
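The detection ideas listed for the Splunk analytic (unusual connection patterns, unauthorized targets, connection chains) can be prototyped directly against the JSON shape shown in the example event. The following Python is an added example, not code from this page or from the Splunk analytic: it parses constructed Event ID 1024 records (built in the code and labelled as such; none are real telemetry), normalizes the Value field, and runs three checks: targets outside an allowlist, one user fanning out to several distinct targets in a short window, and A -> B -> C chains where the source of a hop was itself an RDP target shortly before. The allowlist, the 10-minute/3-target fan-out threshold, the 30-minute chain window and the second user's SID are assumptions chosen for the demo; the port-stripping rule assumes no IPv6 literals in Value.

```python
"""Detection checks over Event ID 1024 records. Sample data below is constructed, not real telemetry."""
from collections import defaultdict
from datetime import datetime, timedelta

CHANNEL = "Microsoft-Windows-TerminalServices-RDPClient/Operational"
ALLOWLIST = {"JUMP01", "LAB-WIN12"}  # assumed sanctioned targets (demo values)
USER_A = "S-1-5-21-3407486967-1585450050-1838039599-1000"  # SID from the page's example event
USER_B = "S-1-5-21-3407486967-1585450050-1838039599-1001"  # constructed second user

def mk(ts, computer, sid, target, event_id=1024):
    """Build a constructed record in the JSON shape of this page's example event."""
    return {
        "system": {"provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
                   "event_id": event_id, "time_created": ts, "channel": CHANNEL,
                   "computer": computer, "security": {"user_id": sid}},
        "event_data": {"Name": "Server Name", "Value": target, "CustomLevel": "Info"},
    }

# Constructed sample: a normal jump-host user, a user fanning out across a subnet,
# and a two-hop chain LAB-WIN11 -> LAB-WIN12 -> FILESRV01.
SAMPLE_RECORDS = [
    mk("2026-03-11T06:32:36+00:00", "LAB-WIN11", USER_A, "JUMP01"),
    mk("2026-03-11T06:40:00+00:00", "LAB-WIN11", USER_A, "jump01.corp.example:3389"),
    mk("2026-03-11T07:00:00+00:00", "LAB-WIN11", USER_B, "10.0.5.21"),
    mk("2026-03-11T07:01:10+00:00", "LAB-WIN11", USER_B, "10.0.5.22"),
    mk("2026-03-11T07:02:30+00:00", "LAB-WIN11", USER_B, "10.0.5.23"),
    mk("2026-03-11T07:03:00+00:00", "LAB-WIN11", USER_B, "LAB-WIN12"),
    mk("2026-03-11T07:05:00+00:00", "LAB-WIN12", USER_B, "FILESRV01"),
    mk("2026-03-11T07:06:00+00:00", "LAB-WIN12", USER_B, "FILESRV01", event_id=9999),  # not 1024: dropped
]

def short_name(target):
    """Strip a trailing ':port', uppercase, keep the first DNS label (IPv4 kept whole; IPv6 not handled)."""
    host = target.strip()
    if host.count(":") == 1 and host.rsplit(":", 1)[1].isdigit():
        host = host.rsplit(":", 1)[0]
    labels = host.upper().split(".")
    return host.upper() if all(l.isdigit() for l in labels) else labels[0]

def parse_event(record):
    """Keep Event ID 1024 from the RDPClient/Operational channel only; flatten the fields used below."""
    sysm, data = record.get("system", {}), record.get("event_data", {})
    if sysm.get("channel") != CHANNEL or sysm.get("event_id") != 1024:
        return None
    if data.get("Name") != "Server Name" or not data.get("Value"):
        return None
    return {"time": datetime.fromisoformat(sysm["time_created"]),
            "computer": sysm.get("computer", "").upper(),
            "user": sysm.get("security", {}).get("user_id", ""),
            "target": data["Value"], "short": short_name(data["Value"])}

def find_unapproved(events, allowlist=ALLOWLIST):
    """Connections whose normalized target is not on the allowlist."""
    allowed = {short_name(a) for a in allowlist}
    return [e for e in events if e["short"] not in allowed]

def find_fanout(events, window=timedelta(minutes=10), threshold=3):
    """One (computer, user) reaching >= threshold distinct targets inside a single window."""
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e["computer"], e["user"])].append(e)
    alerts = []
    for (computer, user), evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            targets = {e["short"] for e in evs[i:] if e["time"] - start["time"] <= window}
            if len(targets) >= threshold:
                alerts.append({"computer": computer, "user": user, "first_seen": start["time"],
                               "targets": sorted(targets)})
                break  # one alert per actor is enough
    return alerts

def find_chains(events, window=timedelta(minutes=30)):
    """A -> B then B -> C: the source host of a hop was itself an RDP target shortly before."""
    chains = []
    for hop in events:
        for prev in events:
            if (prev["short"] == hop["computer"] and prev["computer"] != hop["computer"]
                    and timedelta(0) <= hop["time"] - prev["time"] <= window):
                chains.append((prev["computer"], hop["computer"], hop["short"]))
    return chains

def analyze(records, allowlist=ALLOWLIST):
    """Parse raw records and run all three checks; returns plain data for asserting or alerting."""
    events = [e for e in (parse_event(r) for r in records) if e]
    return {"parsed": len(events),
            "unapproved": [(e["computer"], e["target"]) for e in find_unapproved(events, allowlist)],
            "fanout": find_fanout(events),
            "chains": find_chains(events)}

if __name__ == "__main__":
    for key, value in analyze(SAMPLE_RECORDS).items():
        print(key, value)
```

Because this channel is written on the machine running the RDP client, these records describe outbound RDP from that host, which is what makes them useful for spotting lateral movement from a compromised endpoint. On a live host the same records can be pulled with `Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-TerminalServices-RDPClient/Operational'; Id=1024}` and mapped into this shape; the checks only depend on `time_created`, `computer`, `user_id` and `Value`. The chain check is deliberately quadratic for clarity; over a real log volume, index events by target name first.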
References #
- Windows Forensic Artifacts https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-1024-rdp-activex.md