Event ID 41 — Begin session arbitration.

Provider: Microsoft-Windows-TerminalServices-LocalSessionManager
Channel: Operational
Level: Informational
Collection Priority: Recommended (Yamato Security)

Description

Begin session arbitration.

Message #

Begin session arbitration:

User: %1
Session ID: %2

Fields #

Name	Description
`EventXML.User`	—
`EventXML.SessionID`	—

Example Event #

{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
    "guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
    "event_source_name": "",
    "event_id": 41,
    "version": 0,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "keywords": 1152921504606846976,
    "time_created": "2023-11-05T22:32:20.265097+00:00",
    "event_record_id": 126,
    "correlation": {
      "ActivityID": "61A55000-55E5-1017-0000-000000000000"
    },
    "execution": {
      "process_id": 484,
      "thread_id": 1336
    },
    "channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
    "computer": "WinDev2310Eval",
    "security": {
      "user_id": "S-1-5-18"
    }
  },
  "user_data": {
    "EventXML": {
      "User": "WINDEV2310EVAL\\User",
      "SessionID": 1
    }
  },
  "message": ""
}

References #

Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx