Microsoft-Windows-TerminalServices-LocalSessionManager

47 events across 3 channels

Event ID	Title	Channel
2		Debug
3		Debug
4		Debug
5		Debug
6		Debug
7		Debug
8		Debug
9		Debug
10		Analytic
11		Analytic
16	Local Multi-User session manager failed to start.	Operational
17	Remote Desktop Service start failed.	Operational
18	Remote Desktop Service is shutdown for unknown reason.	Operational
19	Registering with Service Control Manager to monitor Remote Desktop Service …	Operational
20	Attempt to send %1 message to Windows video subsystem failed.	Operational
21	Remote Desktop Services: Session logon succeeded:	Operational
22	Remote Desktop Services: Shell start notification received:	Operational
23	Remote Desktop Services: Session logoff succeeded:	Operational
24	Remote Desktop Services: Session has been disconnected: User: …	Operational
25	Remote Desktop Services: Session reconnection succeeded: User: …	Operational
32	Plugin RDSAppXPlugin has been successfully initialized	Operational
33	Plugin %1 failed to initialize, error code %2.	Operational
34	Remote Desktop Services is not accepting logons because setup is running.	Operational
35	The client process ID %1 could not complete the session change notification …	Operational
36	An error occurred when transitioning from %3 in response to %5.	Operational
37	Invalid state transition from %3 in response to %5.	Operational
38	Transitioned successfully from %3 to %5 in response to %7.	Debug
39	Session %1 has been disconnected by session %2.	Operational
40	Session 5 has been disconnected, reason code 12	Operational
41	Begin session arbitration:	Operational
42	End session arbitration:	Operational
43	Windows Subsystem has taken too long to process Connect event for session %1.	Operational
44	Windows Subsystem has taken too long to process Disconnect event for session %1.	Operational
45	Windows Subsystem has taken too long to process Terminate event for session %1.	Operational
48	Remote Connection Manager has taken too long to process logon message for …	Operational
49	Remote Connection Manager has taken too long to prepare for session arbitration …	Operational
50	Remote Connection Manager has taken too long to process begin-connect-message …	Operational
51	Remote Connection Manager has taken too long to process end-connect-message for …	Operational
52	Remote Connection Manager has taken too long to process begin-disconnect-message …	Operational
53	Remote Connection Manager has taken too long to process end-disconnect-message …	Operational
54	Local multi-user session manager received system shutdown message	Operational
55	Remote Desktop Service has taken too long to start up	Operational
56	Remote Desktop Service has taken too long to shutdown	Operational
57	Session %1 has started with Initial Command Process ID %2 and Windows Subsystem …	Debug
58	Session %1 has started with Initial Command Process ID %2 (%4) and Windows …	Debug
59	%s from %S( #0x%x/0x%x )	Operational
60	Glass session %1 has been reconnected to a remote protocol, this session can now …	Operational

Event ID 2 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

%1

Fields

Name	Description
`message`	—

Event ID 3 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

%1

Fields

Name	Description
`message`	—

Event ID 4 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

%1

Fields

Name	Description
`message`	—

Event ID 5 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

%1

Fields

Name	Description
`message`	—

Event ID 6 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

%1

Fields

Name	Description
`message`	—

Event ID 7 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

%1

Fields

Name	Description
`message`	—

Event ID 8 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

%1

Fields

Name	Description
`message`	—

Event ID 9 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

%1

Fields

Name	Description
`message`	—

Event ID 10 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Analytic

Event ID 11 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Analytic

Event ID 16 — Local Multi-User session manager failed to start.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Local Multi-User session manager failed to start. The relevant status code was %1.

Fields

Name	Description
`Param1`	—

Event ID 17 — Remote Desktop Service start failed.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Desktop Service start failed. The relevant status code was %1.

Fields

Name	Description
`Param1`	—

Event ID 18 — Remote Desktop Service is shutdown for unknown reason.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Desktop Service is shutdown for unknown reason. Will recover in one minute.

Event ID 19 — Registering with Service Control Manager to monitor Remote Desktop Service status failed with %1, retry in ten minutes.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Registering with Service Control Manager to monitor Remote Desktop Service status failed with %1, retry in ten minutes.

Fields

Name	Description
`Param1`	—

Event ID 20 — Attempt to send %1 message to Windows video subsystem failed.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Attempt to send %1 message to Windows video subsystem failed. The relevant status code was %2.

Fields

Name	Description
`messageName`	—
`errorCode`	—

Event ID 21 — Remote Desktop Services: Session logon succeeded:

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Remote Desktop Services: Session logon succeeded:

User: %1
Session ID: %2
Source Network Address: %3

Fields

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—
`EventXML.Address`	—

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 21
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2023-11-05T22:32:20.885688+00:00'
  event_record_id: 128
  correlation:
    ActivityID: 61A55000-55E5-1017-0000-000000000000
  execution:
    process_id: 484
    thread_id: 704
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    User: WINDEV2310EVAL\User
    SessionID: 1
    Address: LOCAL
message: ''

Community Notes

Remote desktop services shell start. Occurs when a user successfully establishes a session and the shell starts, confirming a successful interactive logon.

Sigma Rules

Ngrok Usage with Remote Desktop Service
Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

References

Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 22 — Remote Desktop Services: Shell start notification received:

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Remote Desktop Services: Shell start notification received:

User: %1
Session ID: %2
Source Network Address: %3

Fields

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—
`EventXML.Address`	—

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 22
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2023-11-05T22:32:22.759464+00:00'
  event_record_id: 129
  correlation:
    ActivityID: 61A55000-55E5-1017-0000-000000000000
  execution:
    process_id: 484
    thread_id: 704
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    User: WINDEV2310EVAL\User
    SessionID: 1
    Address: LOCAL
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 23 — Remote Desktop Services: Session logoff succeeded:

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Remote Desktop Services: Session logoff succeeded:

User: %1
Session ID: %2

Fields

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 23
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2023-11-05T22:31:34.004349+00:00'
  event_record_id: 124
  correlation:
    ActivityID: 61A55000-55E5-1017-0000-000000000000
  execution:
    process_id: 628
    thread_id: 940
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    User: WINDEV2310EVAL\User
    SessionID: 1
message: ''

References

Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 24 — Remote Desktop Services: Session has been disconnected: User: EC2AMAZ-3NFFVNI\samurai Session ID: 5 Source Network Address: 219.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Remote Desktop Services: Session has been disconnected:

User: %1
Session ID: %2
Source Network Address: %3

Fields

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—
`EventXML.Address`	—

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 24
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2024-11-22T22:49:17.027344+00:00'
  event_record_id: 2333
  correlation:
    ActivityID: F42007FF-53B7-440F-9169-DEE2D7900000
  execution:
    process_id: 896
    thread_id: 2060
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: EC2AMAZ-3NFFVNI
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    User: EC2AMAZ-3NFFVNI\samurai
    SessionID: 5
    Address: 219.100.37.234
message: 'Remote Desktop Services: Session has been disconnected:


  User: EC2AMAZ-3NFFVNI\samurai

  Session ID: 5

  Source Network Address: 219.100.37.234'

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 25 — Remote Desktop Services: Session reconnection succeeded: User: EC2AMAZ-3NFFVNI\samurai Session ID: 4 Source Network Address: 219.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Remote Desktop Services: Session reconnection succeeded:

User: %1
Session ID: %2
Source Network Address: %3

Fields

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—
`EventXML.Address`	—

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 25
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2024-11-22T22:48:31.312554+00:00'
  event_record_id: 2323
  correlation:
    ActivityID: F4209548-02F6-4100-AC4D-324EFFDE0000
  execution:
    process_id: 896
    thread_id: 4048
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: EC2AMAZ-3NFFVNI
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    User: EC2AMAZ-3NFFVNI\samurai
    SessionID: 4
    Address: 219.100.37.234
message: 'Remote Desktop Services: Session reconnection succeeded:


  User: EC2AMAZ-3NFFVNI\samurai

  Session ID: 4

  Source Network Address: 219.100.37.234'

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 32 — Plugin RDSAppXPlugin has been successfully initialized

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Plugin %1 has been successfully initialized

Fields

Name	Description
`EventXML.messageName`	—

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 32
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2023-11-06T06:25:28.895324+00:00'
  event_record_id: 98
  correlation: {}
  execution:
    process_id: 500
    thread_id: 844
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    messageName: RDSAppXPlugin
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 33 — Plugin %1 failed to initialize, error code %2.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Plugin %1 failed to initialize, error code %2

Fields

Name	Description
`messageName`	—
`errorCode`	—

Event ID 34 — Remote Desktop Services is not accepting logons because setup is running.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Remote Desktop Services is not accepting logons because setup is running.

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 34
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2023-11-06T06:25:36.031054+00:00'
  event_record_id: 106
  correlation: {}
  execution:
    process_id: 500
    thread_id: 828
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 35 — The client process ID %1 could not complete the session change notification event sent by the Remote Desktop service.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

The client process ID %1 could not complete the session change notification event sent by the Remote Desktop service. The Remote Desktop service will not send any more session change notifications.

Fields

Name	Description
`Param1`	—

Event ID 36 — An error occurred when transitioning from %3 in response to %5.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

An error occurred when transitioning from %3 in response to %5. (ErrorCode %6)

Fields

Name	Description
`SessionId`	—
`State`	—
`StateName`	—
`Event`	—
`EventName`	—
`ErrorCode`	—

Event ID 37 — Invalid state transition from %3 in response to %5.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Invalid state transition from %3 in response to %5. (ErrorCode %6)

Fields

Name	Description
`SessionId`	—
`State`	—
`StateName`	—
`Event`	—
`EventName`	—
`ErrorCode`	—

Event ID 38 — Transitioned successfully from %3 to %5 in response to %7.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

Transitioned successfully from %3 to %5 in response to %7.

Fields

Name	Description
`SessionId`	—
`PreviousState`	—
`PreviousStateName`	—
`NewState`	—
`NewStateName`	—
`Event`	—
`EventName`	—

Event ID 39 — Session %1 has been disconnected by session %2.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Session %1 has been disconnected by session %2

Fields

Name	Description
`TargetSession`	—
`Source`	—

Event ID 40 — Session 5 has been disconnected, reason code 12

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Session %1 has been disconnected, reason code %2

Fields

Name	Description
`EventXML.Session`	—
`EventXML.Reason`	—

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 40
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2024-11-22T22:49:16.916898+00:00'
  event_record_id: 2332
  correlation:
    ActivityID: F42007FF-53B7-440F-9169-DEE2D7900000
  execution:
    process_id: 896
    thread_id: 2060
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: EC2AMAZ-3NFFVNI
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    Session: 5
    Reason: 12
message: Session 5 has been disconnected, reason code 12

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 41 — Begin session arbitration:

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Begin session arbitration:

User: %1
Session ID: %2

Fields

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 41
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2023-11-05T22:32:20.265097+00:00'
  event_record_id: 126
  correlation:
    ActivityID: 61A55000-55E5-1017-0000-000000000000
  execution:
    process_id: 484
    thread_id: 1336
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    User: WINDEV2310EVAL\User
    SessionID: 1
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 42 — End session arbitration:

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

End session arbitration:

User: %1
Session ID: %2

Fields

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 42
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2023-11-05T22:32:20.280655+00:00'
  event_record_id: 127
  correlation:
    ActivityID: 61A55000-55E5-1017-0000-000000000000
  execution:
    process_id: 484
    thread_id: 1336
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
user_data:
  EventXML:
    User: WINDEV2310EVAL\User
    SessionID: 1
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 43 — Windows Subsystem has taken too long to process Connect event for session %1.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Windows Subsystem has taken too long to process Connect event for session %1

Fields

Name	Description
`Session`	—

Event ID 44 — Windows Subsystem has taken too long to process Disconnect event for session %1.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Windows Subsystem has taken too long to process Disconnect event for session %1

Fields

Name	Description
`Session`	—

Event ID 45 — Windows Subsystem has taken too long to process Terminate event for session %1.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Windows Subsystem has taken too long to process Terminate event for session %1

Fields

Name	Description
`Session`	—

Event ID 48 — Remote Connection Manager has taken too long to process logon message for session %1.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Connection Manager has taken too long to process logon message for session %1

Fields

Name	Description
`Session`	—

Event ID 49 — Remote Connection Manager has taken too long to prepare for session arbitration for session %1.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Connection Manager has taken too long to prepare for session arbitration for session %1

Fields

Name	Description
`Session`	—

Event ID 50 — Remote Connection Manager has taken too long to process begin-connect-message for session %1.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Connection Manager has taken too long to process begin-connect-message for session %1

Fields

Name	Description
`Session`	—

Event ID 51 — Remote Connection Manager has taken too long to process end-connect-message for session %1.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Connection Manager has taken too long to process end-connect-message for session %1

Fields

Name	Description
`Session`	—

Event ID 52 — Remote Connection Manager has taken too long to process begin-disconnect-message for session %1.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Connection Manager has taken too long to process begin-disconnect-message for session %1

Fields

Name	Description
`Session`	—

Event ID 53 — Remote Connection Manager has taken too long to process end-disconnect-message for session %1.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Connection Manager has taken too long to process end-disconnect-message for session %1

Fields

Name	Description
`Session`	—

Event ID 54 — Local multi-user session manager received system shutdown message

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: 4
Samples: 1

Message

Local multi-user session manager received system shutdown message

Example Event

system:
  provider: Microsoft-Windows-TerminalServices-LocalSessionManager
  guid: 5D896912-022D-40AA-A3A8-4FA5515C76D7
  event_source_name: ''
  event_id: 54
  version: 0
  level: 4
  task: 0
  opcode: 0
  keywords: 1152921504606846976
  time_created: '2023-11-06T06:23:40.047190+00:00'
  event_record_id: 97
  correlation: {}
  execution:
    process_id: 872
    thread_id: 1172
  channel: Microsoft-Windows-TerminalServices-LocalSessionManager/Operational
  computer: WinDev2310Eval
  security:
    user_id: S-1-5-18
event_data: {}
message: ''

References

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 55 — Remote Desktop Service has taken too long to start up

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Desktop Service has taken too long to start up

Event ID 56 — Remote Desktop Service has taken too long to shutdown

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Remote Desktop Service has taken too long to shutdown

Event ID 57 — Session %1 has started with Initial Command Process ID %2 and Windows Subsystem Process ID %3.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

Session %1 has started with Initial Command Process ID %2 and Windows Subsystem Process ID %3

Fields

Name	Description
`SessionID`	—
`InitCmdPid`	—
`Win32kPid`	—

Event ID 58 — Session %1 has started with Initial Command Process ID %2 (%4) and Windows Subsystem Process ID %3.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message

Session %1 has started with Initial Command Process ID %2 (%4) and Windows Subsystem Process ID %3

Fields

Name	Description
`SessionID`	—
`InitCmdPid`	—
`Win32kPid`	—
`InitCmdName`	—

Event ID 59 — %s from %S( #0x%x/0x%x )

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

%1 from %2( #0x%3/0x%4 )

Fields

Name	Description
`Function`	—
`CallerImageName`	—
`SessionId`	—
`ClientProcessId`	—

Event ID 60 — Glass session %1 has been reconnected to a remote protocol, this session can now only be reconnect locally or from same remote protocol.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational

Message

Glass session %1 has been reconnected to a remote protocol, this session can now only be reconnect locally or from same remote protocol

Fields

Name	Description
`SessionID`	—