Microsoft-Windows-TerminalServices-LocalSessionManager

47 events across 3 channels

Event ID	Title	Channel
2	message.	Debug
3	message.	Debug
4	message.	Debug
5	message.	Debug
6	message.	Debug
7	message.	Debug
8	message.	Debug
9	message.	Debug
10		Analytic
11		Analytic
16	Local Multi-User session manager failed to start.	Operational
17	Remote Desktop Service start failed.	Operational
18	Remote Desktop Service is shutdown for unknown reason.	Operational
19	Registering with Service Control Manager to monitor Remote Desktop Service …	Operational
20	Attempt to send messageName message to Windows video subsystem failed.	Operational
21	Remote Desktop Services: Session logon succeeded.	Operational
22	Remote Desktop Services: Shell start notification received.	Operational
23	Remote Desktop Services: Session logoff succeeded.	Operational
24	Remote Desktop Services: Session has been disconnected.	Operational
25	Remote Desktop Services: Session reconnection succeeded.	Operational
32	Plugin EventXML.messageName has been successfully initialized.	Operational
33	Plugin messageName failed to initialize, error code errorCode.	Operational
34	Remote Desktop Services is not accepting logons because setup is running.	Operational
35	The client process ID Param1 could not complete the session change notification …	Operational
36	An error occurred when transitioning from StateName in response to EventName.	Operational
37	Invalid state transition from StateName in response to EventName.	Operational
38	Transitioned successfully from PreviousStateName to NewStateName in response to …	Debug
39	Session EventXML.TargetSession has been disconnected by session EventXML.Source.	Operational
40	Session 5 has been disconnected, reason code 12	Operational
41	Begin session arbitration.	Operational
42	End session arbitration.	Operational
43	Windows Subsystem has taken too long to process Connect event for session …	Operational
44	Windows Subsystem has taken too long to process Disconnect event for session …	Operational
45	Windows Subsystem has taken too long to process Terminate event for session …	Operational
48	Remote Connection Manager has taken too long to process logon message for …	Operational
49	Remote Connection Manager has taken too long to prepare for session arbitration …	Operational
50	Remote Connection Manager has taken too long to process begin-connect-message …	Operational
51	Remote Connection Manager has taken too long to process end-connect-message for …	Operational
52	Remote Connection Manager has taken too long to process begin-disconnect-message …	Operational
53	Remote Connection Manager has taken too long to process end-disconnect-message …	Operational
54	Local multi-user session manager received system shutdown message	Operational
55	Remote Desktop Service has taken too long to start up	Operational
56	Remote Desktop Service has taken too long to shutdown	Operational
57	Session SessionID has started with Initial Command Process ID InitCmdPid and …	Debug
58	Session SessionID has started with Initial Command Process ID InitCmdPid …	Debug
59	Function from CallerImageName( #0xSessionId/0xClientProcessId ).	Operational
60	Glass session SessionID has been reconnected to a remote protocol, this session …	Operational

Event ID 2 — message.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message #

%1

Fields #

Name	Description
`message` AnsiString	—

Event ID 3 — message.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message #

%1

Fields #

Name	Description
`message` AnsiString	—

Event ID 4 — message.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message #

%1

Fields #

Name	Description
`message` AnsiString	—

Event ID 5 — message.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message #

%1

Fields #

Name	Description
`message` AnsiString	—

Event ID 6 — message.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message #

%1

Fields #

Name	Description
`message` AnsiString	—

Event ID 7 — message.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message #

%1

Fields #

Name	Description
`message` AnsiString	—

Event ID 8 — message.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message #

%1

Fields #

Name	Description
`message` AnsiString	—

Event ID 9 — message.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Message #

%1

Fields #

Name	Description
`message` AnsiString	—

Event ID 10 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Analytic
Task: LogonProcessing
Opcode: Start

Event ID 11 —

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Analytic
Task: LogonProcessing
Opcode: Stop

Event ID 16 — Local Multi-User session manager failed to start.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Local Multi-User session manager failed to start. The relevant status code was Param1.

Message #

Local Multi-User session manager failed to start. The relevant status code was %1.

Fields #

Name	Description
`Param1` HexInt32	—

Event ID 17 — Remote Desktop Service start failed.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Error
Collection Priority: Recommended (Yamato Security)

Description

Remote Desktop Service start failed. The relevant status code was EventXML.Param1.

Message #

Remote Desktop Service start failed. The relevant status code was %1.

Fields #

Name	Description
`EventXML.Param1` HexInt32	—
`Param1` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 17,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-13T18:28:58.767431+00:00",
    "event_record_id": 199,
    "correlation": {},
    "execution": {
      "process_id": 1216,
      "thread_id": 1252
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "Param1": "0x80010108"
    }
  },
  "message": ""
}

Event ID 18 — Remote Desktop Service is shutdown for unknown reason.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Remote Desktop Service is shutdown for unknown reason. Will recover in one minute.

Message #

Remote Desktop Service is shutdown for unknown reason. Will recover in one minute.

Event ID 19 — Registering with Service Control Manager to monitor Remote Desktop Service status failed with Param1, retry in ten minutes.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Registering with Service Control Manager to monitor Remote Desktop Service status failed with Param1, retry in ten minutes.

Message #

Registering with Service Control Manager to monitor Remote Desktop Service status failed with %1, retry in ten minutes.

Fields #

Name	Description
`Param1` HexInt32	—

Event ID 20 — Attempt to send messageName message to Windows video subsystem failed.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Attempt to send messageName message to Windows video subsystem failed. The relevant status code was errorCode.

Message #

Attempt to send %1 message to Windows video subsystem failed. The relevant status code was %2.

Fields #

Name	Description
`messageName` UnicodeString	—
`errorCode` HexInt32	—

Event ID 21 — Remote Desktop Services: Session logon succeeded.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security, others)

Description

Remote Desktop Services: Session logon succeeded.

Message #

Remote Desktop Services: Session logon succeeded:

User: %1
Session ID: %2
Source Network Address: %3

Fields #

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—
`EventXML.Address`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 21,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2023-11-05T22:32:20.885688+00:00",
    "event_record_id": 128,
    "correlation": {
      "ActivityID": "61A55000-55E5-1017-0000-000000000000"
    },
    "execution": {
      "process_id": 484,
      "thread_id": 704
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "User": "WINDEV2310EVAL\\User",
      "SessionID": 1,
      "Address": "LOCAL"
    }
  },
  "message": ""
}

Community Notes #

Remote desktop services shell start. Occurs when a user successfully establishes a session and the shell starts, confirming a successful interactive logon.

Detection Rules #

View all rules referencing this event →

Sigma # view in reference

Ngrok Usage with Remote Desktop Service source high: Detects cases in which ngrok, a reverse proxy tool, forwards events to the local RDP port, which could be a sign of malicious behaviour

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 22 — Remote Desktop Services: Shell start notification received.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security, others)

Description

Remote Desktop Services: Shell start notification received.

Message #

Remote Desktop Services: Shell start notification received:

User: %1
Session ID: %2
Source Network Address: %3

Fields #

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—
`EventXML.Address`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 22,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2023-11-05T22:32:22.759464+00:00",
    "event_record_id": 129,
    "correlation": {
      "ActivityID": "61A55000-55E5-1017-0000-000000000000"
    },
    "execution": {
      "process_id": 484,
      "thread_id": 704
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "User": "WINDEV2310EVAL\\User",
      "SessionID": 1,
      "Address": "LOCAL"
    }
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 23 — Remote Desktop Services: Session logoff succeeded.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security, others)

Description

Remote Desktop Services: Session logoff succeeded.

Message #

Remote Desktop Services: Session logoff succeeded:

User: %1
Session ID: %2

Fields #

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 23,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2023-11-05T22:31:34.004349+00:00",
    "event_record_id": 124,
    "correlation": {
      "ActivityID": "61A55000-55E5-1017-0000-000000000000"
    },
    "execution": {
      "process_id": 628,
      "thread_id": 940
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "User": "WINDEV2310EVAL\\User",
      "SessionID": 1
    }
  },
  "message": ""
}

References #

Microsoft Learn https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager
Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 24 — Remote Desktop Services: Session has been disconnected.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security, others)

Description

Remote Desktop Services: Session has been disconnected.

Message #

Remote Desktop Services: Session has been disconnected:

User: %1
Session ID: %2
Source Network Address: %3

Fields #

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—
`EventXML.Address`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 24,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2024-11-22T22:49:17.027344+00:00",
    "event_record_id": 2333,
    "correlation": {
      "ActivityID": "F42007FF-53B7-440F-9169-DEE2D7900000"
    },
    "execution": {
      "process_id": 896,
      "thread_id": 2060
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "EC2AMAZ-3NFFVNI",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "User": "EC2AMAZ-3NFFVNI\\samurai",
      "SessionID": 5,
      "Address": "198.51.100.2"
    }
  },
  "message": "Remote Desktop Services: Session has been disconnected:\n\nUser: EC2AMAZ-3NFFVNI\\samurai\nSession ID: 5\nSource Network Address: 198.51.100.2"
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 25 — Remote Desktop Services: Session reconnection succeeded.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security, others)

Description

Remote Desktop Services: Session reconnection succeeded.

Message #

Remote Desktop Services: Session reconnection succeeded:

User: %1
Session ID: %2
Source Network Address: %3

Fields #

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—
`EventXML.Address`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 25,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2024-11-22T22:48:31.312554+00:00",
    "event_record_id": 2323,
    "correlation": {
      "ActivityID": "F4209548-02F6-4100-AC4D-324EFFDE0000"
    },
    "execution": {
      "process_id": 896,
      "thread_id": 4048
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "EC2AMAZ-3NFFVNI",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "User": "EC2AMAZ-3NFFVNI\\samurai",
      "SessionID": 4,
      "Address": "198.51.100.2"
    }
  },
  "message": "Remote Desktop Services: Session reconnection succeeded:\n\nUser: EC2AMAZ-3NFFVNI\\samurai\nSession ID: 4\nSource Network Address: 198.51.100.2"
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 32 — Plugin EventXML.messageName has been successfully initialized.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)

Description

Plugin EventXML.messageName has been successfully initialized.

Message #

Plugin %1 has been successfully initialized

Fields #

Name	Description
`EventXML.messageName`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 32,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2023-11-06T06:25:28.895324+00:00",
    "event_record_id": 98,
    "correlation": {},
    "execution": {
      "process_id": 500,
      "thread_id": 844
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "messageName": "RDSAppXPlugin"
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 33 — Plugin messageName failed to initialize, error code errorCode.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Plugin messageName failed to initialize, error code errorCode.

Message #

Plugin %1 failed to initialize, error code %2

Fields #

Name	Description
`messageName` UnicodeString	—
`errorCode` HexInt32	—

Event ID 34 — Remote Desktop Services is not accepting logons because setup is running.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)

Description

Remote Desktop Services is not accepting logons because setup is running.

Message #

Remote Desktop Services is not accepting logons because setup is running.

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 34,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2023-11-06T06:25:36.031054+00:00",
    "event_record_id": 106,
    "correlation": {},
    "execution": {
      "process_id": 500,
      "thread_id": 828
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 35 — The client process ID Param1 could not complete the session change notification event sent by the Remote Desktop service.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

The client process ID Param1 could not complete the session change notification event sent by the Remote Desktop service. The Remote Desktop service will not send any more session change notifications.

Message #

The client process ID %1 could not complete the session change notification event sent by the Remote Desktop service. The Remote Desktop service will not send any more session change notifications.

Fields #

Name	Description
`Param1` HexInt32	—

Event ID 36 — An error occurred when transitioning from StateName in response to EventName.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Error
Collection Priority: Recommended (Yamato Security)

Description

An error occurred when transitioning from StateName in response to EventName. (ErrorCode ErrorCode).

Message #

An error occurred when transitioning from %3 in response to %5. (ErrorCode %6)

Fields #

Name	Description
`SessionId` UInt32	—
`State` UInt32	—
`StateName` UnicodeString	—
`Event` UInt32	—
`EventName` UnicodeString	—
`ErrorCode` HexInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 36,
    "version": 0,
    "level": 2,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-11T03:44:33.193581+00:00",
    "event_record_id": 292,
    "correlation": {
      "ActivityID": "F420E753-C56A-42F2-970E-8E110D740000"
    },
    "execution": {
      "process_id": 1296,
      "thread_id": 2560
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {
    "SessionId": 4294967295,
    "State": 0,
    "StateName": "Initialized",
    "Event": 1,
    "EventName": "EvCreated",
    "ErrorCode": "0xd00002fe"
  },
  "message": ""
}

Event ID 37 — Invalid state transition from StateName in response to EventName.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Invalid state transition from StateName in response to EventName. (ErrorCode ErrorCode).

Message #

Invalid state transition from %3 in response to %5. (ErrorCode %6)

Fields #

Name	Description
`SessionId` UInt32	—
`State` UInt32	—
`StateName` UnicodeString	—
`Event` UInt32	—
`EventName` UnicodeString	—
`ErrorCode` HexInt32	—

Event ID 38 — Transitioned successfully from PreviousStateName to NewStateName in response to EventName.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Description

Transitioned successfully from PreviousStateName to NewStateName in response to EventName.

Message #

Transitioned successfully from %3 to %5 in response to %7.

Fields #

Name	Description
`SessionId` UInt32	—
`PreviousState` UInt32	—
`PreviousStateName` UnicodeString	—
`NewState` UInt32	—
`NewStateName` UnicodeString	—
`Event` UInt32	—
`EventName` UnicodeString	—

Event ID 39 — Session EventXML.TargetSession has been disconnected by session EventXML.Source.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)

Description

Session EventXML.TargetSession has been disconnected by session EventXML.Source.

Message #

Session %1 has been disconnected by session %2

Fields #

Name	Description
`EventXML.TargetSession` UInt32	—
`EventXML.Source` UInt32	—
`TargetSession` UInt32	—
`Source` UInt32	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 39,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2026-03-09T00:30:16.216244+00:00",
    "event_record_id": 187,
    "correlation": {
      "ActivityID": "24F57002-F5E4-489C-B423-8C6CF136BD9B"
    },
    "execution": {
      "process_id": 1288,
      "thread_id": 3064
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "LAB-WIN11.ludus.domain",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "TargetSession": 1,
      "Source": 1
    }
  },
  "message": ""
}

Event ID 40 — Session 5 has been disconnected, reason code 12

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)

Description

Session has been disconnected, reason code.

Message #

Session %1 has been disconnected, reason code %2

Fields #

Name	Description
`EventXML.Session`	—
`EventXML.Reason`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 40,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2024-11-22T22:49:16.916898+00:00",
    "event_record_id": 2332,
    "correlation": {
      "ActivityID": "F42007FF-53B7-440F-9169-DEE2D7900000"
    },
    "execution": {
      "process_id": 896,
      "thread_id": 2060
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "EC2AMAZ-3NFFVNI",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "Session": 5,
      "Reason": 12
    }
  },
  "message": "Session 5 has been disconnected, reason code 12"
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 41 — Begin session arbitration.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)

Description

Begin session arbitration.

Message #

Begin session arbitration:

User: %1
Session ID: %2

Fields #

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 41,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2023-11-05T22:32:20.265097+00:00",
    "event_record_id": 126,
    "correlation": {
      "ActivityID": "61A55000-55E5-1017-0000-000000000000"
    },
    "execution": {
      "process_id": 484,
      "thread_id": 1336
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "User": "WINDEV2310EVAL\\User",
      "SessionID": 1
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 42 — End session arbitration.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)

Description

End session arbitration.

Message #

End session arbitration:

User: %1
Session ID: %2

Fields #

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 42,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2023-11-05T22:32:20.280655+00:00",
    "event_record_id": 127,
    "correlation": {
      "ActivityID": "61A55000-55E5-1017-0000-000000000000"
    },
    "execution": {
      "process_id": 484,
      "thread_id": 1336
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "User": "WINDEV2310EVAL\\User",
      "SessionID": 1
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 43 — Windows Subsystem has taken too long to process Connect event for session Session.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Windows Subsystem has taken too long to process Connect event for session Session.

Message #

Windows Subsystem has taken too long to process Connect event for session %1

Fields #

Name	Description
`Session` UInt32	—

Event ID 44 — Windows Subsystem has taken too long to process Disconnect event for session Session.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Windows Subsystem has taken too long to process Disconnect event for session Session.

Message #

Windows Subsystem has taken too long to process Disconnect event for session %1

Fields #

Name	Description
`Session` UInt32	—

Event ID 45 — Windows Subsystem has taken too long to process Terminate event for session Session.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Windows Subsystem has taken too long to process Terminate event for session Session.

Message #

Windows Subsystem has taken too long to process Terminate event for session %1

Fields #

Name	Description
`Session` UInt32	—

Event ID 48 — Remote Connection Manager has taken too long to process logon message for session Session.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Remote Connection Manager has taken too long to process logon message for session Session.

Message #

Remote Connection Manager has taken too long to process logon message for session %1

Fields #

Name	Description
`Session` UInt32	—

Event ID 49 — Remote Connection Manager has taken too long to prepare for session arbitration for session Session.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Remote Connection Manager has taken too long to prepare for session arbitration for session Session.

Message #

Remote Connection Manager has taken too long to prepare for session arbitration for session %1

Fields #

Name	Description
`Session` UInt32	—

Event ID 50 — Remote Connection Manager has taken too long to process begin-connect-message for session Session.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Remote Connection Manager has taken too long to process begin-connect-message for session Session.

Message #

Remote Connection Manager has taken too long to process begin-connect-message for session %1

Fields #

Name	Description
`Session` UInt32	—

Event ID 51 — Remote Connection Manager has taken too long to process end-connect-message for session Session.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Remote Connection Manager has taken too long to process end-connect-message for session Session.

Message #

Remote Connection Manager has taken too long to process end-connect-message for session %1

Fields #

Name	Description
`Session` UInt32	—

Event ID 52 — Remote Connection Manager has taken too long to process begin-disconnect-message for session Session.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Remote Connection Manager has taken too long to process begin-disconnect-message for session Session.

Message #

Remote Connection Manager has taken too long to process begin-disconnect-message for session %1

Fields #

Name	Description
`Session` UInt32	—

Event ID 53 — Remote Connection Manager has taken too long to process end-disconnect-message for session Session.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Remote Connection Manager has taken too long to process end-disconnect-message for session Session.

Message #

Remote Connection Manager has taken too long to process end-disconnect-message for session %1

Fields #

Name	Description
`Session` UInt32	—

Event ID 54 — Local multi-user session manager received system shutdown message

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)

Description

Local multi-user session manager received system shutdown message.

Message #

Local multi-user session manager received system shutdown message

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 54,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2023-11-06T06:23:40.047190+00:00",
    "event_record_id": 97,
    "correlation": {},
    "execution": {
      "process_id": 872,
      "thread_id": 1172
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "event_data": {},
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx

Event ID 55 — Remote Desktop Service has taken too long to start up

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Remote Desktop Service has taken too long to start up.

Message #

Remote Desktop Service has taken too long to start up

Event ID 56 — Remote Desktop Service has taken too long to shutdown

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Remote Desktop Service has taken too long to shutdown.

Message #

Remote Desktop Service has taken too long to shutdown

Event ID 57 — Session SessionID has started with Initial Command Process ID InitCmdPid and Windows Subsystem Process ID Win32kPid.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Description

Session SessionID has started with Initial Command Process ID InitCmdPid and Windows Subsystem Process ID Win32kPid.

Message #

Session %1 has started with Initial Command Process ID %2 and Windows Subsystem Process ID %3

Fields #

Name	Description
`SessionID` UInt32	—
`InitCmdPid` UInt32	—
`Win32kPid` UInt32	—

Event ID 58 — Session SessionID has started with Initial Command Process ID InitCmdPid (InitCmdName) and Windows Subsystem Process ID Win32kPid.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Debug

Description

Session SessionID has started with Initial Command Process ID InitCmdPid (InitCmdName) and Windows Subsystem Process ID Win32kPid.

Message #

Session %1 has started with Initial Command Process ID %2 (%4) and Windows Subsystem Process ID %3

Fields #

Name	Description
`SessionID` UInt32	—
`InitCmdPid` UInt32	—
`Win32kPid` UInt32	—
`InitCmdName` UnicodeString	—

Event ID 59 — Function from CallerImageName( #0xSessionId/0xClientProcessId ).

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Function from CallerImageName( #0xSessionId/0xClientProcessId ).

Message #

%1 from %2( #0x%3/0x%4 )

Fields #

Name	Description
`Function` AnsiString	—
`CallerImageName` UnicodeString	—
`SessionId` UInt32	—
`ClientProcessId` UInt32	—

Event ID 60 — Glass session SessionID has been reconnected to a remote protocol, this session can now only be reconnect locally or from same remote protocol.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Collection Priority: Recommended (Yamato Security)

Description

Glass session SessionID has been reconnected to a remote protocol, this session can now only be reconnect locally or from same remote protocol.

Message #

Glass session %1 has been reconnected to a remote protocol, this session can now only be reconnect locally or from same remote protocol

Fields #

Name	Description
`SessionID` UInt32	—

Microsoft-Windows-TerminalServices-LocalSessionManager

Event ID 2 — message.

Message #

Fields #

Event ID 3 — message.

Message #

Fields #

Event ID 4 — message.

Message #

Fields #

Event ID 5 — message.

Message #

Fields #

Event ID 6 — message.

Message #

Fields #

Event ID 7 — message.

Message #

Fields #

Event ID 8 — message.

Message #

Fields #

Event ID 9 — message.

Message #

Fields #

Event ID 10 —

Event ID 11 —

Event ID 16 — Local Multi-User session manager failed to start.

Description

Message #

Fields #

Event ID 17 — Remote Desktop Service start failed.

Description

Message #

Fields #

Example Event #

Event ID 18 — Remote Desktop Service is shutdown for unknown reason.

Description

Message #

Event ID 19 — Registering with Service Control Manager to monitor Remote Desktop Service status failed with Param1, retry in ten minutes.

Description

Message #

Fields #

Event ID 20 — Attempt to send messageName message to Windows video subsystem failed.

Description

Message #

Fields #

Event ID 21 — Remote Desktop Services: Session logon succeeded.

Description

Message #

Fields #

Example Event #

Community Notes #

Detection Rules #

Sigma # view in reference

Related Events #

References #

Event ID 22 — Remote Desktop Services: Shell start notification received.

Description

Message #

Fields #

Example Event #

References #

Event ID 23 — Remote Desktop Services: Session logoff succeeded.

Description

Message #

Fields #

Example Event #

Related Events #

References #

Event ID 24 — Remote Desktop Services: Session has been disconnected.

Description

Message #

Fields #

Example Event #

Related Events #

References #

Event ID 25 — Remote Desktop Services: Session reconnection succeeded.

Description

Message #