RDP Direct Connection with NLA RDS Session Host Event Logs
Summary:
This article contains Windows events from the session host machine for the Remote Desktop Protocol connection sequence of a direct connection (not through an RDS Gateway) to a server machine. See parent articles [[articles:Remote Desktop Services RDS Logon Connectivity Overview]] and [[articles:RDP Direct Connection Process with NLA Enabled]] for additional information.
RDS session host event logs that contain relevant information:
Security
LOGON to license server
Time | Event ID | Event Level | Details |
21:21:12.0 | 4648 | Information | A logon was attempted using explicit credentials.;;Subject:; Security ID: S-1-5-20; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E4; Logon GUID: {00000000-0000-0000-0000-000000000000};;Account Whose Credentials Were Used:; Account Name: ARA-RDS-2$; Account Domain: RDS-MS.LAB; Logon GUID: {D2F9E678-98B6-9723-1C03-304C6B874409};;Target Server:; Target Server Name: rds-lic-1.rds-ms.lab; Additional Information: HOST/rds-lic-1.rds-ms.lab;;Process Information:; Process ID: 0x728; Process Name: C:\Windows\System32\svchost.exe… |
21:21:13.2 | 4648 | Information | A logon was attempted using explicit credentials.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7; Logon GUID: {00000000-0000-0000-0000-000000000000};;Account Whose Credentials Were Used:; Account Name: DWM-3; Account Domain: Window Manager; Logon GUID: {00000000-0000-0000-0000-000000000000};;Target Server:; Target Server Name: localhost; Additional Information: localhost;;Process Information:; Process ID: 0x12c; Process Name: C:\Windows\System32\winlogon.exe… |
USER AUTHENTICATION:
Time | Event ID | Event Level | Details |
21:21:14.3 | 4648 | Information | A logon was attempted using explicit credentials.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7; Logon GUID: {00000000-0000-0000-0000-000000000000};;Account Whose Credentials Were Used:; Account Name: up11; Account Domain: RDS-MS; Logon GUID: {2C4184E3-4AF9-4A56-B12C-EB5C997403D1};;Target Server:; Target Server Name: localhost; Additional Information: localhost;;Process Information:; Process ID: 0x12c; Process Name: C:\Windows\System32\winlogon.exe… |
21:21:14.3 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 10;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x9711BD; Logon GUID: {2C4184E3-4AF9-4A56-B12C-EB5C997403D1};;Process Information:; Process ID: 0x12c; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Workstation Name: ARA-RDS-2; Source Network Address: 10.0.0.13; Source Port: 0… |
DISCONNECT:
Time | Event ID | Event Level | Details |
21:22:13.8 | 4647 | Information | User initiated logoff:;;Subject:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x9711BD;;This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. |
21:22:15.0 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-90-3; Account Name: DWM-3; Account Domain: Window Manager; Logon ID: 0x96F4A2;;Logon Type: 2;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
21:22:15.0 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-90-3; Account Name: DWM-3; Account Domain: Window Manager; Logon ID: 0x96F491;;Logon Type: 2;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
21:22:15.2 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x96D9EC;;Logon Type: 3;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
RECONNECT:
Time | Event ID | Event Level | Details |
21:23:11.9 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-0-0; Account Name: -; Account Domain: -; Logon ID: 0x0;;Logon Type: 3;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS… |
21:23:12.2 | 5058 | Information | Key file operation.;;Subject:; Security ID: S-1-5-20; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E4;;Cryptographic Parameters:; Provider Name: Microsoft Software Key Storage Provider; Algorithm Name: UNKNOWN; Key Name: TSSecKeySet1; Key Type: Machine key.;;Key File Operation Information:; File Path: C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys\f686... |
21:23:12.2 | 5061 | Information | Cryptographic operation.;;Subject:; Security ID: S-1-5-20; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E4;;Cryptographic Parameters:; Provider Name: Microsoft Software Key Storage Provider; Algorithm Name: RSA; Key Name: TSSecKeySet1;... |
21:23:14.8 | 4648 | Information | A logon was attempted using explicit credentials.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7; Logon GUID: {00000000-0000-0000-0000-000000000000};;Account Whose Credentials Were Used:; Account Name: up11; Account Domain: RDS-MS; Logon GUID: {0A34EE6E-76A0-607E-07C3-681FAE4C7D4A};;Target Server:; Target Server Name: localhost; Additional Information: localhost;;Process Information:; Process ID: 0xe00; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Network Address: 10.0.0.13... |
21:23:14.8 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 10;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS… |
LOGOFF:
Time | Event ID | Event Level | Details |
21:24:20.9 | 4647 | Information | User initiated logoff:;;Subject:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x9A3270;;This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. |
21:24:21.9 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-90-4; Account Name: DWM-4; Account Domain: Window Manager; Logon ID: 0x9A1580;;Logon Type: 2;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
21:24:21.9 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-90-4; Account Name: DWM-4; Account Domain: Window Manager; Logon ID: 0x9A156D;;Logon Type: 2;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
21:24:21.9 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x99FA8F;;Logon Type: 3;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
Microsoft-Windows-TerminalServices-RemoteConnectionManager-Operational
Time | Event ID | Event Level | Details |
21:21:05.6 | 261 | Information | Listener RDP-Tcp received a connection |
21:21:11.8 | 1149 | Information | Remote Desktop Services: User authentication succeeded:;;User: up11;Domain: rds-ms;Source Network Address: 10.0.0.13 |
21:23:05.8 | 261 | Information | Listener RDP-Tcp received a connection |
21:23:11.9 | 1149 | Information | Remote Desktop Services: User authentication succeeded:;;User: up11;Domain: rds-ms;Source Network Address: 10.0.0.13 |
Microsoft-Windows-TerminalServices-LocalSessionManager-Operational
Time | Event ID | Event Level | Details |
21:21:14.4 | 41 | Information | Begin session arbitration:;;User: RDS-MS\up11;Session ID: 3 |
21:21:14.8 | 42 | Information | End session arbitration:;;User: RDS-MS\up11;Session ID: 3 |
21:21:22.1 | 21 | Information | Remote Desktop Services: Session logon succeeded:;;User: RDS-MS\up11;Session ID: 3;Source Network Address: 10.0.0.13 |
21:21:22.7 | 22 | Information | Remote Desktop Services: Shell start notification received:;;User: RDS-MS\up11;Session ID: 3;Source Network Address: 10.0.0.13 |
21:22:13.8 | 23 | Information | Remote Desktop Services: Session logoff succeeded:;;User: RDS-MS\up11;Session ID: 3 |
21:22:15.0 | 40 | Information | Session 3 has been disconnected, reason code 12 |
21:22:15.1 | 24 | Information | Remote Desktop Services: Session has been disconnected:;;User: RDS-MS\up11;Session ID: 3;Source Network Address: 10.0.0.13 |
21:23:14.9 | 41 | Information | Begin session arbitration:;;User: RDS-MS\up11;Session ID: 4 |
21:23:15.2 | 42 | Information | End session arbitration:;;User: RDS-MS\up11;Session ID: 4 |
21:23:16.2 | 21 | Information | Remote Desktop Services: Session logon succeeded:;;User: RDS-MS\up11;Session ID: 4;Source Network Address: 10.0.0.13 |
21:23:18.3 | 22 | Information | Remote Desktop Services: Shell start notification received:;;User: RDS-MS\up11;Session ID: 4;Source Network Address: 10.0.0.13 |
21:24:21.0 | 23 | Information | Remote Desktop Services: Session logoff succeeded:;;User: RDS-MS\up11;Session ID: 4 |
21:24:21.9 | 40 | Information | Session 4 has been disconnected, reason code 12 |
21:24:21.9 | 24 | Information | Remote Desktop Services: Session has been disconnected:;;User: RDS-MS\up11;Session ID: 4;Source Network Address: 10.0.0.13 |
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS-Operational
Time | Event ID | Event Level | Details |
21:21:05.6 | 131 | Information | The server accepted a new TCP connection from client 10.0.0.13:49964. |
21:21:05.6 | 65 | Information | Connection RDP-Tcp#14 created |
21:21:05.6 | 141 | Information | PerfCounter session started with instance ID 14 |
21:21:11.8 | 101 | Warning | The network characteristics detection function has been disabled because of Reason Code: 2(Server Configuration).. |
21:21:11.8 | 132 | Information | A channel rdplic has been connected between the server and the client using transport tunnel: 0. |
21:21:11.8 | 132 | Information | A channel rdpcmd has been connected between the server and the client using transport tunnel: 0. |
21:21:11.8 | 98 | Information | A TCP connection has been successfully established. |
21:21:11.8 | 100 | Information | The server has confirmed that the client's multi-transport capability. |
21:21:11.8 | 130 | Information | The server has initiated a multi-transport request to the client, for tunnel: 1. |
21:21:11.8 | 130 | Information | The server has initiated a multi-transport request to the client, for tunnel: 3. |
21:21:11.9 | 131 | Information | The server accepted a new UDP connection from client [10.0.0.13]:56532. |
21:21:11.9 | 131 | Information | The server accepted a new UDP connection from client [10.0.0.13]:56533. |
21:21:12.1 | 66 | Information | The connection RDP-Tcp#14 was assigned to session 3 |
21:21:12.1 | 132 | Information | A channel rdpgrfx has been connected between the server and the client using transport tunnel: 0. |
21:21:12.1 | 33 | Information | Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer. |
21:21:12.1 | 132 | Information | A channel rdpinpt has been connected between the server and the client using transport tunnel: 0. |
21:21:12.1 | 135 | Information | The multi-transport connection finished for tunnel: 1, its transport type set to UDP. |
21:21:12.1 | 135 | Information | The multi-transport connection finished for tunnel: 3, its transport type set to TCP: Reason Code: 5 (Unknown). |
21:21:12.1 | 169 | Information | The client operating system type is (1, 3). |
21:21:12.1 | 135 | Information | The multi-transport connection finished for tunnel: 1, its transport type set to UDP. |
21:21:12.1 | 132 | Information | A channel Microsoft::Windows::RDS::Telemetry has been connected between the server and the client using transport tunnel: 1. |
21:21:12.2 | 135 | Information | The multi-transport connection finished for tunnel: 3, its transport type set to UDP. |
21:21:12.2 | 132 | Information | A channel Microsoft::Windows::RDS::Graphics has been connected between the server and the client using transport tunnel: 1. |
21:21:12.5 | 162 | Information | The client supports version 0x80105 of the RDP graphics protocol, client mode: 0, H264 enabled: 0 |
21:21:12.5 | 166 | Information | The RemoteFX Adaptive Graphics internal configuration changed to optimize for the minimum use of network bandwidth. |
21:21:12.5 | 132 | Information | A channel Microsoft::Windows::RDS::Video::Control::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:21:12.5 | 132 | Information | A channel Microsoft::Windows::RDS::Video::Data::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:21:12.5 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:21:12.9 | 168 | Information | The resolution requested by the client: Monitor 0: (1414, 1003), origin: (0, 0). |
21:21:13.4 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:13.7 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:13.8 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:13.8 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:14.1 | 132 | Information | A channel rdpdr has been connected between the server and the client using transport tunnel: 1. |
21:21:14.1 | 132 | Information | A channel AUDIO_PLAYBACK_DVC has been connected between the server and the client using transport tunnel: 1. |
21:21:14.1 | 132 | Information | A channel AUDIO_PLAYBACK_LOSSY_DVC has been connected between the server and the client using transport tunnel: 3. |
21:21:20.4 | 68 | Information | TMT: ConnectionName=RDP-Tcp#14, PromptForCredentials=453, PromptForCredentialsDone=6313, GfxChannelOpened=7297, FirstGraphicsReceived=15282 [ms] |
21:21:22.3 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:21:22.3 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:22.3 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:22.3 | 132 | Information | A channel Microsoft::Windows::RDS::Input has been connected between the server and the client using transport tunnel: 1. |
21:21:22.4 | 132 | Information | A channel Microsoft::Windows::RDS::DisplayControl has been connected between the server and the client using transport tunnel: 1. |
21:21:22.5 | 132 | Information | A channel PNPDR has been connected between the server and the client using transport tunnel: 1. |
21:21:22.6 | 132 | Information | A channel URBDRC has been connected between the server and the client using transport tunnel: 1. |
21:21:22.7 | 132 | Information | A channel cliprdr has been connected between the server and the client using transport tunnel: 1. |
21:21:25.5 | 132 | Information | A channel XPSRD has been connected between the server and the client using transport tunnel: 1. |
21:22:12.7 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:22:13.8 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:22:15.1 | 103 | Information | The disconnect reason is 12 |
21:22:15.2 | 102 | Information | The server has terminated main RDP connection with the client. |
21:23:05.8 | 131 | Information | The server accepted a new TCP connection from client 10.0.0.13:49972. |
21:23:05.8 | 65 | Information | Connection RDP-Tcp#15 created |
21:23:05.8 | 141 | Information | PerfCounter session started with instance ID 15 |
21:23:11.9 | 101 | Warning | The network characteristics detection function has been disabled because of Reason Code: 2(Server Configuration).. |
21:23:11.9 | 132 | Information | A channel rdplic has been connected between the server and the client using transport tunnel: 0. |
21:23:11.9 | 132 | Information | A channel rdpcmd has been connected between the server and the client using transport tunnel: 0. |
21:23:12.0 | 98 | Information | A TCP connection has been successfully established. |
21:23:12.0 | 100 | Information | The server has confirmed that the client's multi-transport capability. |
21:23:12.0 | 130 | Information | The server has initiated a multi-transport request to the client, for tunnel: 1. |
21:23:12.0 | 130 | Information | The server has initiated a multi-transport request to the client, for tunnel: 3. |
21:23:12.1 | 131 | Information | The server accepted a new UDP connection from client [10.0.0.13]:51187. |
21:23:12.1 | 131 | Information | The server accepted a new UDP connection from client [10.0.0.13]:51188. |
21:23:12.1 | 66 | Information | The connection RDP-Tcp#15 was assigned to session 4 |
21:23:12.1 | 33 | Information | Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer. |
21:23:12.1 | 132 | Information | A channel rdpgrfx has been connected between the server and the client using transport tunnel: 0. |
21:23:12.2 | 132 | Information | A channel rdpinpt has been connected between the server and the client using transport tunnel: 0. |
21:23:12.2 | 135 | Information | The multi-transport connection finished for tunnel: 1, its transport type set to TCP: Reason Code: 5 (Unknown). |
21:23:12.2 | 135 | Information | The multi-transport connection finished for tunnel: 3, its transport type set to TCP: Reason Code: 5 (Unknown). |
21:23:12.2 | 169 | Information | The client operating system type is (1, 3). |
21:23:12.2 | 135 | Information | The multi-transport connection finished for tunnel: 1, its transport type set to UDP. |
21:23:12.2 | 132 | Information | A channel Microsoft::Windows::RDS::Telemetry has been connected between the server and the client using transport tunnel: 1. |
21:23:12.3 | 132 | Information | A channel Microsoft::Windows::RDS::Graphics has been connected between the server and the client using transport tunnel: 1. |
21:23:12.7 | 162 | Information | The client supports version 0x80105 of the RDP graphics protocol, client mode: 0, H264 enabled: 0 |
21:23:12.7 | 166 | Information | The RemoteFX Adaptive Graphics internal configuration changed to optimize for the minimum use of network bandwidth. |
21:23:12.9 | 135 | Information | The multi-transport connection finished for tunnel: 3, its transport type set to UDP. |
21:23:12.9 | 168 | Information | The resolution requested by the client: Monitor 0: (1414, 1003), origin: (0, 0). |
21:23:12.9 | 132 | Information | A channel Microsoft::Windows::RDS::Video::Control::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:23:12.9 | 132 | Information | A channel Microsoft::Windows::RDS::Video::Data::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:23:12.9 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:23:13.3 | 68 | Information | TMT: ConnectionName=RDP-Tcp#15, PromptForCredentials=219, PromptForCredentialsDone=5922, GfxChannelOpened=7032, FirstGraphicsReceived=7532 [ms] |
21:23:13.7 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:13.8 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:13.9 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:14.1 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:14.7 | 132 | Information | A channel rdpdr has been connected between the server and the client using transport tunnel: 1. |
21:23:14.7 | 132 | Information | A channel AUDIO_PLAYBACK_DVC has been connected between the server and the client using transport tunnel: 1. |
21:23:14.7 | 132 | Information | A channel AUDIO_PLAYBACK_LOSSY_DVC has been connected between the server and the client using transport tunnel: 3. |
21:23:16.3 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:23:16.3 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:16.9 | 132 | Information | A channel PNPDR has been connected between the server and the client using transport tunnel: 1. |
21:23:16.9 | 132 | Information | A channel Microsoft::Windows::RDS::Input has been connected between the server and the client using transport tunnel: 1. |
21:23:17.0 | 132 | Information | A channel Microsoft::Windows::RDS::DisplayControl has been connected between the server and the client using transport tunnel: 1. |
21:23:17.0 | 132 | Information | A channel URBDRC has been connected between the server and the client using transport tunnel: 1. |
21:23:17.1 | 132 | Information | A channel cliprdr has been connected between the server and the client using transport tunnel: 1. |
21:23:17.7 | 132 | Information | A channel XPSRD has been connected between the server and the client using transport tunnel: 1. |
21:24:20.4 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:24:20.9 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:24:21.9 | 103 | Information | The disconnect reason is 12 |
21:24:21.9 | 102 | Information | The server has terminated main RDP connection with the client. |
RDS session host event log merge:
LOGON:
Time | Event ID | Event Level | Details |
21:21:05.6 | 131 | Information | The server accepted a new TCP connection from client 10.0.0.13:49964. |
21:21:05.6 | 65 | Information | Connection RDP-Tcp#14 created |
21:21:05.6 | 141 | Information | PerfCounter session started with instance ID 14 |
21:21:05.6 | 261 | Information | Listener RDP-Tcp received a connection |
21:21:11.7 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-0-0; Account Name: -; Account Domain: -; Logon ID: 0x0;;Logon Type: 3;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x96D9EC; Logon GUID: {1935543E-47DA-E818-0015-C4AB5D2AF1E2};;Process Information:; Process ID: 0x0; Process Name: -;;Network Information:; Workstation Name: ; Source Network Address: -; Source Port: -;;Detailed Authentication Information:; Logon Process: Kerberos… |
21:21:11.8 | 101 | Warning | The network characteristics detection function has been disabled because of Reason Code: 2(Server Configuration).. |
21:21:11.8 | 132 | Information | A channel rdplic has been connected between the server and the client using transport tunnel: 0. |
21:21:11.8 | 132 | Information | A channel rdpcmd has been connected between the server and the client using transport tunnel: 0. |
21:21:11.8 | 1149 | Information | Remote Desktop Services: User authentication succeeded:;;User: up11;Domain: rds-ms;Source Network Address: 10.0.0.13 |
21:21:11.8 | 98 | Information | A TCP connection has been successfully established. |
21:21:11.8 | 100 | Information | The server has confirmed that the client's multi-transport capability. |
21:21:11.8 | 130 | Information | The server has initiated a multi-transport request to the client, for tunnel: 1. |
21:21:11.8 | 130 | Information | The server has initiated a multi-transport request to the client, for tunnel: 3. |
21:21:11.9 | 131 | Information | The server accepted a new UDP connection from client [10.0.0.13]:56532. |
21:21:11.9 | 131 | Information | The server accepted a new UDP connection from client [10.0.0.13]:56533. |
21:21:12.0 | 4648 | Information | A logon was attempted using explicit credentials.;;Subject:; Security ID: S-1-5-20; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E4; Logon GUID: {00000000-0000-0000-0000-000000000000};;Account Whose Credentials Were Used:; Account Name: ARA-RDS-2$; Account Domain: RDS-MS.LAB; Logon GUID: {D2F9E678-98B6-9723-1C03-304C6B874409};;Target Server:; Target Server Name: rds-lic-1.rds-ms.lab; Additional Information: HOST/rds-lic-1.rds-ms.lab;;Process Information:; Process ID: 0x728; Process Name: C:\Windows\System32\svchost.exe… |
21:21:12.1 | 66 | Information | The connection RDP-Tcp#14 was assigned to session 3 |
21:21:12.1 | 132 | Information | A channel rdpgrfx has been connected between the server and the client using transport tunnel: 0. |
21:21:12.1 | 33 | Information | Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer. |
21:21:12.1 | 132 | Information | A channel rdpinpt has been connected between the server and the client using transport tunnel: 0. |
21:21:12.1 | 135 | Information | The multi-transport connection finished for tunnel: 1, its transport type set to UDP. |
21:21:12.1 | 135 | Information | The multi-transport connection finished for tunnel: 3, its transport type set to TCP: Reason Code: 5 (Unknown). |
21:21:12.1 | 169 | Information | The client operating system type is (1, 3). |
21:21:12.1 | 135 | Information | The multi-transport connection finished for tunnel: 1, its transport type set to UDP. |
21:21:12.1 | 132 | Information | A channel Microsoft::Windows::RDS::Telemetry has been connected between the server and the client using transport tunnel: 1. |
21:21:12.2 | 135 | Information | The multi-transport connection finished for tunnel: 3, its transport type set to UDP. |
21:21:12.2 | 132 | Information | A channel Microsoft::Windows::RDS::Graphics has been connected between the server and the client using transport tunnel: 1. |
21:21:12.5 | 162 | Information | The client supports version 0x80105 of the RDP graphics protocol, client mode: 0, H264 enabled: 0 |
21:21:12.5 | 166 | Information | The RemoteFX Adaptive Graphics internal configuration changed to optimize for the minimum use of network bandwidth. |
21:21:12.5 | 132 | Information | A channel Microsoft::Windows::RDS::Video::Control::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:21:12.5 | 132 | Information | A channel Microsoft::Windows::RDS::Video::Data::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:21:12.5 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:21:12.9 | 168 | Information | The resolution requested by the client: Monitor 0: (1414, 1003), origin: (0, 0). |
21:21:13.2 | 4648 | Information | A logon was attempted using explicit credentials.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7; Logon GUID: {00000000-0000-0000-0000-000000000000};;Account Whose Credentials Were Used:; Account Name: DWM-3; Account Domain: Window Manager; Logon GUID: {00000000-0000-0000-0000-000000000000};;Target Server:; Target Server Name: localhost; Additional Information: localhost;;Process Information:; Process ID: 0x12c; Process Name: C:\Windows\System32\winlogon.exe… |
21:21:13.2 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 2;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-90-3; Account Name: DWM-3; Account Domain: Window Manager; Logon ID: 0x96F491; Logon GUID: {00000000-0000-0000-0000-000000000000};;Process Information:; Process ID: 0x12c; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Workstation Name: ; Source Network Address: -; Source Port: -;;Detailed Authentication Information:; Logon Process: Advapi… |
21:21:13.2 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 2;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-90-3; Account Name: DWM-3; Account Domain: Window Manager; Logon ID: 0x96F4A2; Logon GUID: {00000000-0000-0000-0000-000000000000};;Process Information:; Process ID: 0x12c; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Workstation Name: ; Source Network Address: -; Source Port: -;;Detailed Authentication Information:; Logon Process: Advapi… |
21:21:13.4 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:13.7 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:13.8 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:13.8 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:14.1 | 132 | Information | A channel rdpdr has been connected between the server and the client using transport tunnel: 1. |
21:21:14.1 | 132 | Information | A channel AUDIO_PLAYBACK_DVC has been connected between the server and the client using transport tunnel: 1. |
21:21:14.1 | 132 | Information | A channel AUDIO_PLAYBACK_LOSSY_DVC has been connected between the server and the client using transport tunnel: 3. |
21:21:14.3 | 4648 | Information | A logon was attempted using explicit credentials.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7; Logon GUID: {00000000-0000-0000-0000-000000000000};;Account Whose Credentials Were Used:; Account Name: up11; Account Domain: RDS-MS; Logon GUID: {2C4184E3-4AF9-4A56-B12C-EB5C997403D1};;Target Server:; Target Server Name: localhost; Additional Information: localhost;;Process Information:; Process ID: 0x12c; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Network Address: 10.0.0.13… |
21:21:14.3 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 10;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x9711BD; Logon GUID: {2C4184E3-4AF9-4A56-B12C-EB5C997403D1};;Process Information:; Process ID: 0x12c; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Workstation Name: ARA-RDS-2; Source Network Address: 10.0.0.13… |
21:21:14.4 | 41 | Information | Begin session arbitration:;;User: RDS-MS\up11;Session ID: 3 |
21:21:14.8 | 42 | Information | End session arbitration:;;User: RDS-MS\up11;Session ID: 3 |
21:21:20.4 | 68 | Information | TMT: ConnectionName=RDP-Tcp#14, PromptForCredentials=453, PromptForCredentialsDone=6313, GfxChannelOpened=7297, FirstGraphicsReceived=15282 [ms] |
21:21:22.1 | 21 | Information | Remote Desktop Services: Session logon succeeded:;;User: RDS-MS\up11;Session ID: 3;Source Network Address: 10.0.0.13 |
21:21:22.3 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:21:22.3 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:22.3 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:21:22.3 | 132 | Information | A channel Microsoft::Windows::RDS::Input has been connected between the server and the client using transport tunnel: 1. |
21:21:22.4 | 132 | Information | A channel Microsoft::Windows::RDS::DisplayControl has been connected between the server and the client using transport tunnel: 1. |
21:21:22.5 | 132 | Information | A channel PNPDR has been connected between the server and the client using transport tunnel: 1. |
21:21:22.6 | 132 | Information | A channel URBDRC has been connected between the server and the client using transport tunnel: 1. |
21:21:22.7 | 132 | Information | A channel cliprdr has been connected between the server and the client using transport tunnel: 1. |
21:21:22.7 | 22 | Information | Remote Desktop Services: Shell start notification received:;;User: RDS-MS\up11;Session ID: 3;Source Network Address: 10.0.0.13 |
21:21:23.7 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 5;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-18; Account Name: SYSTEM; Account Domain: NT AUTHORITY; Logon ID: 0x3E7; Logon GUID: {00000000-0000-0000-0000-000000000000};;Process Information:; Process ID: 0x21c; Process Name: C:\Windows\System32\services.exe;;Network Information:; Workstation Name: ; Source Network Address: -; Source Port: -;;Detailed Authentication Information:; Logon Process: Advapi… |
21:21:25.5 |
132 |
Information |
A channel XPSRD has been connected between the server and the client using transport tunnel: 1. |
21:21:26.0 |
4624 |
Information |
An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 5;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-18; Account Name: SYSTEM; Account Domain: NT AUTHORITY; Logon ID: 0x3E7; Logon GUID: {00000000-0000-0000-0000-000000000000};;Process Information:; Process ID: 0x21c; Process Name: C:\Windows\System32\services.exe;;Network Information:; Workstation Name: ; Source Network Address: -; Source Port: -;;Detailed Authentication Information:; Logon Process: Advapi… |
DISCONNECT:
Time | Event ID | Event Level | Details |
21:22:12.7 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:22:13.8 | 4647 | Information | User initiated logoff:;;Subject:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x9711BD;;This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. |
21:22:13.8 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:22:13.8 | 23 | Information | Remote Desktop Services: Session logoff succeeded:;;User: RDS-MS\up11;Session ID: 3 |
21:22:15.0 | 40 | Information | Session 3 has been disconnected, reason code 12 |
21:22:15.0 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-90-3; Account Name: DWM-3; Account Domain: Window Manager; Logon ID: 0x96F4A2;;Logon Type: 2;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
21:22:15.0 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-90-3; Account Name: DWM-3; Account Domain: Window Manager; Logon ID: 0x96F491;;Logon Type: 2;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
21:22:15.1 | 103 | Information | The disconnect reason is 12 |
21:22:15.1 | 24 | Information | Remote Desktop Services: Session has been disconnected:;;User: RDS-MS\up11;Session ID: 3;Source Network Address: 10.0.0.13 |
21:22:15.2 | 102 | Information | The server has terminated main RDP connection with the client. |
21:22:15.2 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x96D9EC;;Logon Type: 3;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
RECONNECT:
Time | Event ID | Event Level | Details |
21:23:05.8 | 131 | Information | The server accepted a new TCP connection from client 10.0.0.13:49972. |
21:23:05.8 | 65 | Information | Connection RDP-Tcp#15 created |
21:23:05.8 | 141 | Information | PerfCounter session started with instance ID 15 |
21:23:05.8 | 261 | Information | Listener RDP-Tcp received a connection |
21:23:11.9 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-0-0; Account Name: -; Account Domain: -; Logon ID: 0x0;;Logon Type: 3;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x99FA8F; Logon GUID: {DC877E93-83F4-8C30-BE3E-B68FD953A2EF};;Process Information:; Process ID: 0x0; Process Name: -;;Network Information:; Workstation Name: ; Source Network Address: -; Source Port: -;;Detailed Authentication Information:; Logon Process: Kerberos;… |
21:23:11.9 | 101 | Warning | The network characteristics detection function has been disabled because of Reason Code: 2(Server Configuration).. |
21:23:11.9 | 132 | Information | A channel rdplic has been connected between the server and the client using transport tunnel: 0. |
21:23:11.9 | 132 | Information | A channel rdpcmd has been connected between the server and the client using transport tunnel: 0. |
21:23:11.9 | 1149 | Information | Remote Desktop Services: User authentication succeeded:;;User: up11;Domain: rds-ms;Source Network Address: 10.0.0.13 |
21:23:12.0 | 98 | Information | A TCP connection has been successfully established. |
21:23:12.0 | 100 | Information | The server has confirmed that the client's multi-transport capability. |
21:23:12.0 | 130 | Information | The server has initiated a multi-transport request to the client, for tunnel: 1. |
21:23:12.0 | 130 | Information | The server has initiated a multi-transport request to the client, for tunnel: 3. |
21:23:12.1 | 131 | Information | The server accepted a new UDP connection from client [10.0.0.13]:51187. |
21:23:12.1 | 131 | Information | The server accepted a new UDP connection from client [10.0.0.13]:51188. |
21:23:12.1 | 66 | Information | The connection RDP-Tcp#15 was assigned to session 4 |
21:23:12.1 | 33 | Information | Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer. |
21:23:12.1 | 132 | Information | A channel rdpgrfx has been connected between the server and the client using transport tunnel: 0. |
21:23:12.2 | 132 | Information | A channel rdpinpt has been connected between the server and the client using transport tunnel: 0. |
21:23:12.2 | 135 | Information | The multi-transport connection finished for tunnel: 1, its transport type set to TCP: Reason Code: 5 (Unknown). |
21:23:12.2 | 135 | Information | The multi-transport connection finished for tunnel: 3, its transport type set to TCP: Reason Code: 5 (Unknown). |
21:23:12.2 | 169 | Information | The client operating system type is (1, 3). |
21:23:12.2 | 135 | Information | The multi-transport connection finished for tunnel: 1, its transport type set to UDP. |
21:23:12.2 | 132 | Information | A channel Microsoft::Windows::RDS::Telemetry has been connected between the server and the client using transport tunnel: 1. |
21:23:12.3 | 132 | Information | A channel Microsoft::Windows::RDS::Graphics has been connected between the server and the client using transport tunnel: 1. |
21:23:12.7 | 162 | Information | The client supports version 0x80105 of the RDP graphics protocol, client mode: 0, H264 enabled: 0 |
21:23:12.7 | 166 | Information | The RemoteFX Adaptive Graphics internal configuration changed to optimize for the minimum use of network bandwidth. |
21:23:12.9 | 135 | Information | The multi-transport connection finished for tunnel: 3, its transport type set to UDP. |
21:23:12.9 | 168 | Information | The resolution requested by the client: Monitor 0: (1414, 1003), origin: (0, 0). |
21:23:12.9 | 132 | Information | A channel Microsoft::Windows::RDS::Video::Control::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:23:12.9 | 132 | Information | A channel Microsoft::Windows::RDS::Video::Data::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:23:12.9 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:23:13.3 | 68 | Information | TMT: ConnectionName=RDP-Tcp#15, PromptForCredentials=219, PromptForCredentialsDone=5922, GfxChannelOpened=7032, FirstGraphicsReceived=7532 [ms] |
21:23:13.6 | 4648 | Information | A logon was attempted using explicit credentials.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7; Logon GUID: {00000000-0000-0000-0000-000000000000};;Account Whose Credentials Were Used:; Account Name: DWM-4; Account Domain: Window Manager; Logon GUID: {00000000-0000-0000-0000-000000000000};;Target Server:; Target Server Name: localhost; Additional Information: localhost;;Process Information:; Process ID: 0xe00; Process Name: C:\Windows\System32\winlogon.exe… |
21:23:13.6 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 2;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-90-4; Account Name: DWM-4; Account Domain: Window Manager; Logon ID: 0x9A156D; Logon GUID: {00000000-0000-0000-0000-000000000000};;Process Information:; Process ID: 0xe00; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Workstation Name: ; Source Network Address: -; Source Port: -;;Detailed Authentication Information:; Logon Process: Advapi… |
21:23:13.6 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 2;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-90-4; Account Name: DWM-4; Account Domain: Window Manager; Logon ID: 0x9A1580; Logon GUID: {00000000-0000-0000-0000-000000000000};;Process Information:; Process ID: 0xe00; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Workstation Name: ; Source Network Address: -; Source Port: -;;Detailed Authentication Information:; Logon Process: Advapi… |
21:23:13.7 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:13.8 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:13.9 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:14.1 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:14.7 | 132 | Information | A channel rdpdr has been connected between the server and the client using transport tunnel: 1. |
21:23:14.7 | 132 | Information | A channel AUDIO_PLAYBACK_DVC has been connected between the server and the client using transport tunnel: 1. |
21:23:14.7 | 132 | Information | A channel AUDIO_PLAYBACK_LOSSY_DVC has been connected between the server and the client using transport tunnel: 3. |
21:23:14.8 | 4648 | Information | A logon was attempted using explicit credentials.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7; Logon GUID: {00000000-0000-0000-0000-000000000000};;Account Whose Credentials Were Used:; Account Name: up11; Account Domain: RDS-MS; Logon GUID: {0A34EE6E-76A0-607E-07C3-681FAE4C7D4A};;Target Server:; Target Server Name: localhost; Additional Information: localhost;;Process Information:; Process ID: 0xe00; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Network Address: 10.0.0.13… |
21:23:14.8 | 4624 | Information | An account was successfully logged on.;;Subject:; Security ID: S-1-5-18; Account Name: ARA-RDS-2$; Account Domain: RDS-MS; Logon ID: 0x3E7;;Logon Type: 10;;Impersonation Level: Impersonation;;New Logon:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x9A3270; Logon GUID: {0A34EE6E-76A0-607E-07C3-681FAE4C7D4A};;Process Information:; Process ID: 0xe00; Process Name: C:\Windows\System32\winlogon.exe;;Network Information:; Workstation Name: ARA-RDS-2; Source Network Address: 10.0.0.13… |
21:23:14.9 | 41 | Information | Begin session arbitration:;;User: RDS-MS\up11;Session ID: 4 |
21:23:15.2 | 42 | Information | End session arbitration:;;User: RDS-MS\up11;Session ID: 4 |
21:23:16.2 | 21 | Information | Remote Desktop Services: Session logon succeeded:;;User: RDS-MS\up11;Session ID: 4;Source Network Address: 10.0.0.13 |
21:23:16.3 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:23:16.3 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:23:16.9 | 132 | Information | A channel PNPDR has been connected between the server and the client using transport tunnel: 1. |
21:23:16.9 | 132 | Information | A channel Microsoft::Windows::RDS::Input has been connected between the server and the client using transport tunnel: 1. |
21:23:17.0 | 132 | Information | A channel Microsoft::Windows::RDS::DisplayControl has been connected between the server and the client using transport tunnel: 1. |
21:23:17.0 | 132 | Information | A channel URBDRC has been connected between the server and the client using transport tunnel: 1. |
21:23:17.1 | 132 | Information | A channel cliprdr has been connected between the server and the client using transport tunnel: 1. |
21:23:17.7 | 132 | Information | A channel XPSRD has been connected between the server and the client using transport tunnel: 1. |
21:23:18.3 | 22 | Information | Remote Desktop Services: Shell start notification received:;;User: RDS-MS\up11;Session ID: 4;Source Network Address: 10.0.0.13 |
LOGOFF:
Time | Event ID | Event Level | Details |
21:24:20.4 | 132 | Information | A channel Microsoft::Windows::RDS::Geometry::v08.01 has been connected between the server and the client using transport tunnel: 1. |
21:24:20.9 | 4647 | Information | User initiated logoff:;;Subject:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x9A3270;;This event is generated when a logoff is initiated. No further user-initiated activity can occur. This event can be interpreted as a logoff event. |
21:24:20.9 | 258 | Information | The connection is not using advanced RemoteFX RemoteApp graphics |
21:24:21.0 | 23 | Information | Remote Desktop Services: Session logoff succeeded:;;User: RDS-MS\up11;Session ID: 4 |
21:24:21.9 | 40 | Information | Session 4 has been disconnected, reason code 12 |
21:24:21.9 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-90-4; Account Name: DWM-4; Account Domain: Window Manager; Logon ID: 0x9A1580;;Logon Type: 2;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
21:24:21.9 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-90-4; Account Name: DWM-4; Account Domain: Window Manager; Logon ID: 0x9A156D;;Logon Type: 2;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |
21:24:21.9 | 103 | Information | The disconnect reason is 12 |
21:24:21.9 | 102 | Information | The server has terminated main RDP connection with the client. |
21:24:21.9 | 24 | Information | Remote Desktop Services: Session has been disconnected:;;User: RDS-MS\up11;Session ID: 4;Source Network Address: 10.0.0.13 |
21:24:21.9 | 4634 | Information | An account was logged off.;;Subject:; Security ID: S-1-5-21-2150981566-2551867588-3855624014-5104; Account Name: up11; Account Domain: RDS-MS; Logon ID: 0x99FA8F;;Logon Type: 3;;This event is generated when a logon session is destroyed. It may be positively correlated with a logon event using the Logon ID value. Logon IDs are only unique between reboots on the same computer. |