Windows RDP-Related Event Logs: The Client Side of the Story
This article covers the other side of two existing write-ups, Windows RDP-Related Event Logs: Identification, Tracking, and Investigation and RDP Event Log Forensics. Both of those document the events as seen from the server side; this one documents the events that occur on the client end of the connection. I've performed the same actions as in the material above (logon, logoff, etc.), though my layout is a bit different.
I've chosen to include all related events, even those whose description carries little useful information, so that the full chain of events can be used as an IOC. You may notice that some events repeat a number of times. The event chains here should be in chronological order, oldest at the top and newest at the bottom.
The lab contained two Windows 10 VMs with default logging (fresh, nearly unaltered images). I would highly suggest testing and verifying the results in your own environment, as logging may be different, various versions of Windows may present different logs, domain joined machines may show additional information, or I may have just screwed something up.
You can read about my methodology here: GHOST_URL/finding-event-logs-caused-by-an-action/
If you don't like my formatting, just want to verify anything, or want some extra data, you can download the original data here: https://drive.google.com/open?id=1UV0HBw76zfwGoqW8YlqUSEWsf4dafPq_. That data also includes the Sysmon event output, which isn't covered here.
Lastly, I apologize, but I don't go into nearly as much detail as the Ponder The Bits article above in explaining what these events mean (e.g. his notes on Event ID: 1149). For my use case, I care more about finding the pattern of events that gives me an overall picture of what the user did than about exactly what each event log means. I think the differences in my layout reflect this, and I hope people still find this useful.
Edit: For more on the hash in Event ID 1029, go here: GHOST_URL/windows-event-id-1029-hashes/
Glossary:
- Desktop: DESKTOP-35JV6J4 (where I'm connecting from)
- Desktop IP: 192.168.59.129
- Desktop User: User
- Server: Server-01 (where I'm connecting to)
- Server IP: 192.168.1.179
- Server User: ServerUser01
Table Of Contents:
The same sections appear under Terse and under Verbose; Ctrl+F to jump to the one you want.
- RDP Successful Logon [Logon]
- RDP Unsuccessful Logon (bad password) [FailLogon]
- RDP Session Disconnect (close window) [Close]
- RDP Session Disconnect (start -> disconnect) [Disconnect]
- RDP Session Reconnect [Reconnect]
- RDP Session Logoff [Logoff]
Terse/Summary
1) RDP Successful Logon [Logon]
- 1024
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX is trying to connect to the server (192.168.1.179)
- 1028
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Server supports SSL = supported
- 1029
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
- 4648
- Security
- A logon was attempted using explicit credentials.
- 226
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).
- 1105
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The multi-transport connection has been disconnected.
- 1026
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX has been disconnected (Reason= 263)
- 1028
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Server supports SSL = supported
- 1029
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
- 4648
- Security
- A logon was attempted using explicit credentials.
- 1102
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The client has initiated a multi-transport connection to the server 192.168.1.179.
- 1103
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The client has established a multi-transport connection to the server.
- 1025
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX has connected to the server
- 1403
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The client is using software memory for the frame buffer.
- 1401
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1).
- 1027
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Connected to domain (SERVER-01) with session 12.
2) RDP Unsuccessful Logon (bad password) [FailLogon]
- 1024
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX is trying to connect to the server (192.168.1.179)
- 1028
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Server supports SSL = supported
- 1029
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
- 4648
- Security
- A logon was attempted using explicit credentials.
- 226
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).
- 1105
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The multi-transport connection has been disconnected.
3) RDP Session Disconnect (close window) [Close]
- 1105
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The multi-transport connection has been disconnected.
- 1026
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX has been disconnected (Reason= 1)
4) RDP Session Disconnect (start -> disconnect) [Disconnect]
- 226
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).
- 1105
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The multi-transport connection has been disconnected.
- 1026
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX has been disconnected (Reason= 2)
5) RDP Session Reconnect [Reconnect]
- 1024
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX is trying to connect to the server (192.168.1.179)
- 1028
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Server supports SSL = supported
- 1029
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
- 226
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).
- 1105
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The multi-transport connection has been disconnected.
- 1026
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX has been disconnected (Reason= 263)
- 1028
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Server supports SSL = supported
- 1029
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
- 1102
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The client has initiated a multi-transport connection to the server 192.168.1.179.
- 1103
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The client has established a multi-transport connection to the server.
- 1025
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX has connected to the server
- 1403
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The client is using software memory for the frame buffer.
- 1401
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1).
- 1027
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- Connected to domain (SERVER-01) with session 16.
- 5058
- Security
- Key file operation.
- 5061
- Security
- Cryptographic operation.
- 5059
- Security
- Key migration operation.
- 5058
- Security
- Key file operation.
- 5061
- Security
- Cryptographic operation.
- 5059
- Security
- Key migration operation.
- 5058
- Security
- Key file operation.
- 5061
- Security
- Cryptographic operation.
- 5059
- Security
- Key migration operation.
- 4648
- Security
- A logon was attempted using explicit credentials.
- 4648
- Security
- A logon was attempted using explicit credentials.
6) RDP Session Logoff [Logoff]
- 226
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).
- 1105
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- The multi-transport connection has been disconnected.
- 1026
- Microsoft-Windows-TerminalServices-RDPClient/Operational
- RDP ClientActiveX has been disconnected (Reason= 2)
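The terse chains above are easiest to use as an IOC if they are matched mechanically rather than by eye. The following is an added example (my code, not part of the original article) that parses the "Event[n]:" text layout used on this page and labels a run of client-side events with the chain names above; the sample dump is constructed from the bad-password chain. Two caveats the page's own data shows: a successful Logon and a Reconnect produce the same client-side events (only the session number differs), and Start->Disconnect and Logoff are identical (both end in 1026 with Reason= 2), so those pairs are reported as one label.

```python
import re
from collections import namedtuple

# One parsed record: log channel, timestamp, numeric Event ID, description text.
Event = namedtuple("Event", "log date event_id description")

# Constructed sample in the article's wevtutil-style text layout: the client
# side of the "bad password" chain, keeping only the fields the parser reads.
SAMPLE_DUMP = """\
Event[0]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Date: 2018-06-19T18:32:53.297
Event ID: 1024
Description:
RDP ClientActiveX is trying to connect to the server (192.168.1.179)
Event[2]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Date: 2018-06-19T18:32:54.703
Event ID: 1029
Description:
Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
Event[1]:
Log Name: Security
Date: 2018-06-19T18:32:54.751
Event ID: 4648
Description:
A logon was attempted using explicit credentials.
Subject:
Account Name: User
Event[3]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Date: 2018-06-19T18:32:54.755
Event ID: 226
Description:
RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).
Event[4]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Date: 2018-06-19T18:32:54.755
Event ID: 1105
Description:
The multi-transport connection has been disconnected.
"""


def parse_dump(text):
    """Split an "Event[n]:" text dump into Event records, in file order.
    Header lines are "Key: value"; everything after "Description:" is kept
    verbatim so multi-line Security descriptions (Subject: ...) survive."""
    events = []
    for block in re.split(r"^Event\[\d+\]:[ \t]*\n", text, flags=re.M):
        if not block.strip():
            continue
        header, _, desc = block.partition("Description:")
        fields = {}
        for line in header.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        events.append(Event(fields.get("Log Name", ""), fields.get("Date", ""),
                            int(fields["Event ID"]), desc.strip()))
    return events


def summarize_chain(events):
    """Label an ordered run of client-side events with the article's chain names.
    Rules come from the terse summaries: a 1024 attempt that reaches 1025 and
    1027 is a connection (Logon or Reconnect; the client log alone does not
    separate them); a 1024 attempt ending at 226/1105 with no 1025 is a
    FailLogon; a bare 1105+1026 is a disconnect whose Reason code tells a
    window close (1) from Start->Disconnect or Logoff (2, also not separable)."""
    ids = [e.event_id for e in events]
    last = {e.event_id: e.description for e in events}  # last occurrence wins

    def grab(event_id, pattern, conv=str):
        m = re.search(pattern, last.get(event_id, ""))
        return conv(m.group(1)) if m else None

    server = grab(1024, r"\(([\d.]+)\)")
    session = grab(1027, r"session (\d+)", int)
    reason = grab(1026, r"Reason=\s*(\d+)", int)
    if 1024 in ids:
        if 1025 in ids and 1027 in ids:
            label = "Logon/Reconnect"
        elif 1025 not in ids and (226 in ids or 1105 in ids):
            label = "FailLogon"
        else:
            label = "Incomplete"
    elif 1105 in ids and 1026 in ids:
        label = {1: "Close", 2: "Disconnect/Logoff"}.get(reason, "Disconnect")
    else:
        label = "Unknown"
    return {"label": label, "server": server, "session": session,
            "reason": reason, "explicit_creds": 4648 in ids}


if __name__ == "__main__":
    chain = parse_dump(SAMPLE_DUMP)
    print([e.event_id for e in chain])
    print(summarize_chain(chain))
```

The same parser works on the Verbose section below if it is saved to a file, since that is the layout it expects; feed it one chain at a time, as the labels assume the events belong to a single connection attempt.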
Verbose
1) RDP Successful Logon [Logon]
Event[0]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:40.011
Event ID: 1024
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX is trying to connect to the server (192.168.1.179)
Event[1]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:40.055
Event ID: 1028
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Server supports SSL = supported
Event[2]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:44.339
Event ID: 1029
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
Event[1]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-19T18:00:44.388
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ServerUser01
Account Domain: Server-01
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: Server-01
Additional Information: Server-01
Process Information:
Process ID: 0x280
Process Name: C:\Windows\System32\lsass.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event[3]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:44.390
Event ID: 226
Task: RDP State Transition
Level: Warning
Opcode: This event is raised during a state transition.
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).
Event[4]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:44.390
Event ID: 1105
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The multi-transport connection has been disconnected.
Event[5]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:46.757
Event ID: 1026
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the disconnection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX has been disconnected (Reason= 263)
Event[6]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:46.780
Event ID: 1028
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Server supports SSL = supported
Event[7]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:46.781
Event ID: 1029
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
Event[2]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-19T18:00:46.789
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ServerUser01
Account Domain: Server-01
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: Server-01
Additional Information: Server-01
Process Information:
Process ID: 0x280
Process Name: C:\Windows\System32\lsass.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event[8]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:46.908
Event ID: 1102
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The client has initiated a multi-transport connection to the server 192.168.1.179.
Event[9]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:46.928
Event ID: 1103
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The client has established a multi-transport connection to the server.
Event[10]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:47.023
Event ID: 1025
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX has connected to the server
Event[11]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:47.259
Event ID: 1403
Task: RdClient Pipeline workspace
Level: Information
Opcode: This event is raised when protocol caps are received from the server. We log that hardware resources are not being used.
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The client is using software memory for the frame buffer.
Event[12]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:47.267
Event ID: 1401
Task: RdClient Pipeline workspace
Level: Information
Opcode: This event is raised when protocol caps are received from the server. We log the version selected, and the client mode and AVC capability.
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1).
Event[13]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:00:48.938
Event ID: 1027
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Connected to domain (SERVER-01) with session 12.
2) RDP Unsuccessful Logon (bad password) [FailLogon]
Event[0]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:32:53.297
Event ID: 1024
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX is trying to connect to the server (192.168.1.179)
Event[1]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:32:53.341
Event ID: 1028
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Server supports SSL = supported
Event[2]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:32:54.703
Event ID: 1029
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
Event[1]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-19T18:32:54.751
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ServerUser01
Account Domain: Server-01
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: Server-01
Additional Information: Server-01
Process Information:
Process ID: 0x280
Process Name: C:\Windows\System32\lsass.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event[3]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:32:54.755
Event ID: 226
Task: RDP State Transition
Level: Warning
Opcode: This event is raised during a state transition.
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).
Event[4]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:32:54.755
Event ID: 1105
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The multi-transport connection has been disconnected.
3) RDP Session Disconnect (close window) [Close]
Event[0]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:51:12.411
Event ID: 1105
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The multi-transport connection has been disconnected.
Event[1]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-19T18:51:12.411
Event ID: 1026
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the disconnection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX has been disconnected (Reason= 1)
4) RDP Session Disconnect (start -> disconnect) [Disconnect]
Event[0]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:23:47.607
Event ID: 226
Task: RDP State Transition
Level: Warning
Opcode: This event is raised during a state transition.
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).
Event[1]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:23:47.607
Event ID: 1105
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The multi-transport connection has been disconnected.
Event[2]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:23:47.608
Event ID: 1026
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the disconnection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX has been disconnected (Reason= 2)
5) RDP Session Reconnect [Reconnect]
Event[0]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:21.846
Event ID: 1024
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX is trying to connect to the server (192.168.1.179)
Event[1]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:21.886
Event ID: 1028
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Server supports SSL = supported
Event[2]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:25.590
Event ID: 1029
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
Event[3]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:25.646
Event ID: 226
Task: RDP State Transition
Level: Warning
Opcode: This event is raised during a state transition.
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDPClient_SSL: An error was encountered when transitioning from TsSslStateHandshakeInProgress to TsSslStateDisconnecting in response to TsSslEventHandshakeContinueFailed (error code 0x80004005).
Event[4]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:25.647
Event ID: 1105
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The multi-transport connection has been disconnected.
Event[5]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:27.619
Event ID: 1026
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the disconnection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX has been disconnected (Reason= 263)
Event[6]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:27.647
Event ID: 1028
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Server supports SSL = supported
Event[7]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:27.647
Event ID: 1029
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Base64(SHA256(UserName)) is = s8v7wS1UMkc0myytGIXeX2MWh9ojpi4aKwRwbOwFS5U=-
Event[8]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:27.776
Event ID: 1102
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The client has initiated a multi-transport connection to the server 192.168.1.179.
Event[9]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:27.798
Event ID: 1103
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The client has established a multi-transport connection to the server.
Event[10]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:28.036
Event ID: 1025
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX has connected to the server
Event[11]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:28.294
Event ID: 1403
Task: RdClient Pipeline workspace
Level: Information
Opcode: This event is raised when protocol caps are received from the server. We log that hardware resources are not being used.
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The client is using software memory for the frame buffer.
Event[12]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:28.297
Event ID: 1401
Task: RdClient Pipeline workspace
Level: Information
Opcode: This event is raised when protocol caps are received from the server. We log the version selected, and the client mode and AVC capability.
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The server is using version 0xA0502 of the RDP graphics protocol (client mode: 0, AVC available: 1).
Event[13]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-06-23T05:45:28.831
Event ID: 1027
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
Connected to domain (SERVER-01) with session 16.
Event[1]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:19.005
Event ID: 5058
Task: Other System Events
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Key file operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Process Information:
Process ID: 5544
Process Creation Time: 2018-06-09T11:49:11.506100500Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TB_2_bing.com
Key Type: User key.
Key File Operation Information:
File Path: C:\Users\User\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys\887a471fc5377c5cbe6e38ac87d5a40f_4bf62209-2175-4363-83ab-ba92665e7646_775090f05efb4712c965fe90ed1ae5ce
Operation: Read persisted key from file.
Return Code: 0x0
Event[2]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:19.007
Event ID: 5061
Task: System Integrity
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Cryptographic operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: TB_2_bing.com
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0
Event[3]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:19.007
Event ID: 5059
Task: Other System Events
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Key migration operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Process Information:
Process ID: 5544
Process Creation Time: 2018-06-09T11:49:11.506100500Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: TB_2_bing.com
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0
Event[4]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:22.035
Event ID: 5058
Task: Other System Events
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Key file operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Process Information:
Process ID: 5544
Process Creation Time: 2018-06-09T11:49:11.506100500Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TB_2_msedge.net
Key Type: User key.
Key File Operation Information:
File Path: C:\Users\User\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys\cf5cb1723dccff2c0ea8430f59e66dc5_4bf62209-2175-4363-83ab-ba92665e7646_775090f05efb4712c965fe90ed1ae5ce
Operation: Read persisted key from file.
Return Code: 0x0
Event[5]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:22.036
Event ID: 5061
Task: System Integrity
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Cryptographic operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: TB_2_msedge.net
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0
Event[6]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:22.036
Event ID: 5059
Task: Other System Events
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Key migration operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Process Information:
Process ID: 5544
Process Creation Time: 2018-06-09T11:49:11.506100500Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: TB_2_msedge.net
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0
Event[7]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:22.452
Event ID: 5058
Task: Other System Events
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Key file operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Process Information:
Process ID: 5544
Process Creation Time: 2018-06-09T11:49:11.506100500Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TB_2_footprintdns.com
Key Type: User key.
Key File Operation Information:
File Path: C:\Users\User\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys\0864bb47f2eb5792242e292f093bd059_4bf62209-2175-4363-83ab-ba92665e7646_775090f05efb4712c965fe90ed1ae5ce
Operation: Read persisted key from file.
Return Code: 0x0
Event[8]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:22.453
Event ID: 5061
Task: System Integrity
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Cryptographic operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: TB_2_footprintdns.com
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0
Event[9]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:22.453
Event ID: 5059
Task: Other System Events
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Key migration operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Process Information:
Process ID: 5544
Process Creation Time: 2018-06-09T11:49:11.506100500Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: TB_2_footprintdns.com
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0
Event[10]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:22.610
Event ID: 5058
Task: Other System Events
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Key file operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Process Information:
Process ID: 5544
Process Creation Time: 2018-06-09T11:49:11.506100500Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: UNKNOWN
Key Name: TB_2_msedge.net
Key Type: User key.
Key File Operation Information:
File Path: C:\Users\User\AppData\Local\Packages\microsoft.windows.cortana_cw5n1h2txyewy\AC\Microsoft\Crypto\TokenBindingKeys\Keys\cf5cb1723dccff2c0ea8430f59e66dc5_4bf62209-2175-4363-83ab-ba92665e7646_775090f05efb4712c965fe90ed1ae5ce
Operation: Read persisted key from file.
Return Code: 0x0
Event[11]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:22.611
Event ID: 5061
Task: System Integrity
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Cryptographic operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: TB_2_msedge.net
Key Type: User key.
Cryptographic Operation:
Operation: Open Key.
Return Code: 0x0
Event[12]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:22.611
Event ID: 5059
Task: Other System Events
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
Key migration operation.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Process Information:
Process ID: 5544
Process Creation Time: 2018-06-09T11:49:11.506100500Z
Cryptographic Parameters:
Provider Name: Microsoft Software Key Storage Provider
Algorithm Name: ECDSA_P256
Key Name: TB_2_msedge.net
Key Type: User key.
Additional Information:
Operation: Export of persistent cryptographic key.
Return Code: 0x0
Event[13]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:25.643
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ServerUser01
Account Domain: Server-01
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: Server-01
Additional Information: Server-01
Process Information:
Process ID: 0x280
Process Name: C:\Windows\System32\lsass.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
Event[14]:
Log Name: Security
Source: Microsoft-Windows-Security-Auditing
Date: 2018-06-23T05:45:27.657
Event ID: 4648
Task: Logon
Level: Information
Opcode: Info
Keyword: Audit Success
User: N/A
User Name: N/A
Computer: DESKTOP-35JV6J4
Description:
A logon was attempted using explicit credentials.
Subject:
Security ID: S-1-5-21-2773257397-1885399017-559746253-1001
Account Name: User
Account Domain: DESKTOP-35JV6J4
Logon ID: 0x21BCB
Logon GUID: {00000000-0000-0000-0000-000000000000}
Account Whose Credentials Were Used:
Account Name: ServerUser01
Account Domain: Server-01
Logon GUID: {00000000-0000-0000-0000-000000000000}
Target Server:
Target Server Name: Server-01
Additional Information: Server-01
Process Information:
Process ID: 0x280
Process Name: C:\Windows\System32\lsass.exe
Network Information:
Network Address: -
Port: -
This event is generated when a process attempts to log on an account by explicitly specifying that account’s credentials. This most commonly occurs in batch-type configurations such as scheduled tasks, or when using the RUNAS command.
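To pull the client-side connection pattern out of dumps in this layout, here is an added example (not part of the original article or its data set): it splits the "Event[n]:" blocks, reads fields per subsection so the two Account Name values of a 4648 stay distinct, and reports the 4648-from-lsass.exe and 1027 pair as a timeline of outbound RDP sessions. The sample dump is constructed from the values above; `RDPCLIENT`, `split_events`, `field` and `rdp_client_timeline` are names chosen here.

```python
import re
# Constructed sample in the "Event[n]:" layout of the dumps above (4648 and 1027 values, other fields dropped).
SAMPLE = r"""Event[13]:
Log Name: Security
Date: 2018-06-23T05:45:25.643
Event ID: 4648
Subject:
Account Name: User
Account Whose Credentials Were Used:
Account Name: ServerUser01
Account Domain: Server-01
Target Server:
Target Server Name: Server-01
Process Information:
Process Name: C:\Windows\System32\lsass.exe
Event[13]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Date: 2018-06-23T05:45:28.831
Event ID: 1027
Connected to domain (SERVER-01) with session 16.
"""
RDPCLIENT = "Microsoft-Windows-TerminalServices-RDPClient/Operational"

def split_events(text):
    # one string per "Event[n]:" block
    return [b for b in re.split(r"^Event\[\d+\]:[ \t]*$", text, flags=re.M) if b.strip()]

def field(block, name, after=""):
    # value of a "name: value" line; with `after`, only lines below that subsection header count,
    # which is how the two "Account Name" fields of a 4648 are told apart
    start = block.find("\n" + after + ":") if after else 0
    if start < 0:
        return ""
    m = re.search(rf"^{re.escape(name)}:[ \t]*(.*)$", block[start:], re.M)
    return m.group(1).strip() if m else ""

def rdp_client_timeline(text):
    # Client-side chain in time order: 4648 logged by lsass.exe (credentials sent to the
    # target server), then 1027 (connected, with the server name and session id).
    out = []
    for b in sorted(split_events(text), key=lambda b: field(b, "Date")):
        log, eid = field(b, "Log Name"), field(b, "Event ID")
        if (log, eid) == ("Security", "4648") and field(b, "Process Name").lower().endswith("\\lsass.exe"):
            who = field(b, "Account Domain", "Account Whose Credentials Were Used") + "\\" + \
                  field(b, "Account Name", "Account Whose Credentials Were Used")
            out.append(("creds_used", field(b, "Date"), who, field(b, "Target Server Name")))
        elif (log, eid) == (RDPCLIENT, "1027") and (m := re.search(r"\((.+?)\) with session (\d+)", b)):
            out.append(("connected", field(b, "Date"), m.group(1), int(m.group(2))))
    return out
```

Run over a full export in this layout, the same two entries mark each outbound session; a 4648 via lsass.exe with no following 1027 is a connection attempt that never completed.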
6) RDP Session Logoff [Logoff]
Event[0]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-08-01T16:18:08.853
Event ID: 226
Task: RDP State Transition
Level: Warning
Opcode: This event is raised during a state transition.
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDPClient_SSL: An error was encountered when transitioning from TsSslStateDisconnected to TsSslStateDisconnected in response to TsSslEventInvalidState (error code 0x8000FFFF).
Event[1]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-08-01T16:18:08.853
Event ID: 1105
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the connection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
The multi-transport connection has been disconnected.
Event[2]:
Log Name: Microsoft-Windows-TerminalServices-RDPClient/Operational
Source: Microsoft-Windows-TerminalServices-ClientActiveXCore
Date: 2018-08-01T16:18:08.853
Event ID: 1026
Task: Connection Sequence
Level: Information
Opcode: This event is raised during the disconnection process
Keyword: N/A
User: S-1-5-21-2773257397-1885399017-559746253-1001
User Name: DESKTOP-35JV6J4\User
Computer: DESKTOP-35JV6J4
Description:
RDP ClientActiveX has been disconnected (Reason= 2)