Windows Terminal Services – Local Session Manager Log

Published on July 10, 2023
Last updated on July 12, 2023

What Is It?

The TerminalServices-LocalSessionManager log contains entries about the allocation of local sessions, which are used for both local and remote interactive logins. It is updated by the Local Session Manager part of Remote Desktop Services (previously called Terminal Services).

What Does It Contain?

This log contains audit information associated with the Local Session Manager (LSM). Though similarly named, local sessions are different from logon sessions.

  • A local session stores the logon sessions, desktop layout, etc. for a user’s interactive login (remote or local).
  • A logon session is a security concept that defines the access that processes have based on the account that was authenticated.

The Local Session Manager is responsible for creating, destroying, and reconnecting local sessions.

  • Local sessions are created when a user logs in for the first time after a logoff or a system reboot.
  • Local sessions are closed when a user logs out.
  • Local sessions are reconnected when a user switches between local and remote logins or when the remote login disconnects.
  • Microsoft calls this Fast User Switching. Learn more about sessions here.

The log contains many types of events, such as when local sessions:

  • Are created
  • Are closed
  • Are reconnected
  • Are disconnected

A list of events is given below.

Relevance to DFIR?

This event log is useful when investigating inbound Windows RDP remote logins and local interactive logins. RDP can be used by attackers to remotely control a system once they have account credentials.

Note that if the attackers used remote access software other than Windows RDP, then this log will not have entries for those logins.

Storage Details

The event log file can be found at:

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

It can be disabled by setting the Enabled value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TerminalServices-LocalSessionManager/Operational registry key to “0”, so an analyst should confirm the channel was enabled during the period of interest before treating an absence of entries as evidence that no logins occurred.

Inbound Logon Events

The notable event types in this log include:
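The following PowerShell script is an added example of how an analyst can pull the session events out of this log and turn them into the inbound logon view described above; it is not Cyber Triage's own code. It reads either the live channel or an exported .evtx file (defaulting to the path given under Storage Details), first checks whether the channel is enabled, and then summarizes session logon, logoff, disconnect and reconnect events. The event IDs and the User, SessionID and Address fields it relies on are the standard Local Session Manager event IDs and EventXML fields documented by Microsoft, not values taken from this page.

```powershell
# Added example (not Cyber Triage code): summarize Local Session Manager
# session events from the live channel or from an exported .evtx file.
# The event IDs below are the standard LSM IDs; this page does not list them.
param(
    # Path to an exported copy of the log. Leave empty to read the live channel.
    [string]$EvtxPath = ""
)

$channel = 'Microsoft-Windows-TerminalServices-LocalSessionManager/Operational'

# Default export location, i.e. the file path given under Storage Details.
$defaultFile = Join-Path $env:SystemRoot `
    'System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx'

# Meaning of the session events this script reports on (standard LSM IDs).
$meaning = @{
    21 = 'Session logon succeeded'
    22 = 'Shell start notification received'
    23 = 'Session logoff succeeded'
    24 = 'Session has been disconnected'
    25 = 'Session reconnection succeeded'
}

if ($EvtxPath) {
    $events = Get-WinEvent -Path $EvtxPath -ErrorAction Stop
} else {
    # Check first whether the channel is switched on; if it is not, an empty
    # result means "not recorded", not "no logins happened".
    $log = Get-WinEvent -ListLog $channel -ErrorAction Stop
    if (-not $log.IsEnabled) {
        Write-Warning "$channel is disabled on this host; entries may be missing."
    }
    $events = Get-WinEvent -LogName $channel -ErrorAction Stop
}

$rows = foreach ($e in $events) {
    if (-not $meaning.ContainsKey($e.Id)) { continue }
    # LSM events carry their fields in <UserData><EventXML>, not in <EventData>,
    # so read them from the event's XML rather than from the Properties array.
    $x = [xml]$e.ToXml()
    $u = $x.Event.UserData.EventXML
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Id        = $e.Id
        Meaning   = $meaning[$e.Id]
        User      = $u.User
        SessionId = $u.SessionID
        # 'LOCAL' for console logons; a client IP address for RDP logons.
        Address   = $u.Address
    }
}

# View 1: inbound RDP logons grouped by source address, busiest first.
Write-Host "Inbound RDP logons by source address:"
$rows | Where-Object { $_.Id -eq 21 -and $_.Address -and $_.Address -ne 'LOCAL' } |
    Group-Object Address | Sort-Object Count -Descending |
    Select-Object Name, Count | Format-Table -AutoSize

# View 2: per-session timeline, so each logon can be matched with its
# disconnect, reconnect and logoff events.
Write-Host "Session timeline:"
$rows | Sort-Object SessionId, Time |
    Format-Table Time, SessionId, Id, Meaning, User, Address -AutoSize
```

Run it without arguments on a live host, or pass -EvtxPath pointing at a copy of the file named in $defaultFile that was collected from the system under investigation. Because the script only reads the channel, it can be run from an ordinary event-log-reader context and does not change the log.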

Cyber Triage Status

Cyber Triage collects this log file and parses it to make Inbound Logon sessions.

Sources