
Local Session Manager – Event 21 (Logon)

Published on July 11, 2023
Last updated on July 20, 2023

What Is It?

This event is created when a new local session is created for either a local or remote interactive login.

  • Event Log: Terminal Services – Local Session Manager
  • Event ID: 21
  • Event Description: “Session logon succeeded”

The Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins. Note that local sessions are different from logon sessions. Local sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon. Learn more about sessions here.

Artifact Family

This event is in the Inbound Logon artifact family. It is related to both incoming Windows RDP connections and local interactive logins.

When Does It Get Created?

This event is created when a new local session needs to be created. That happens after a user successfully authenticates for a local or remote interactive logon session and the user does not already have an existing local session.

For example:

  • After a user logs out (not just disconnects), the next login by that user creates this event.
  • After a system restart, the first login by each user creates this event.

If the user already had a local session, then it would be a reconnect and there would be an Event 25 instead. In our testing, an Event 22 is always created seconds after an Event 21.

What Data Is Stored?

This event has three fields of interest:

  • Timestamp of when the successful login occurred
  • User and domain name for the account being logged into
  • Remote IP address if it is a remote interactive session or “LOCAL” if it’s a local interactive session
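The three fields above, together with the Event 22 and Event 25 relationships described under "When Does It Get Created?", are what a triage script has to pull out of this log. The following is an added example, not Cyber Triage code and not from the original post. It parses a constructed XML export of the Local Session Manager log (the element names `UserData/EventXML/User`, `SessionID` and `Address` and the `Event_NS` namespace mirror the layout Windows writes, but the sample records themselves are made up), splits the domain from the user name, classifies each logon as local or remote from the `Address` field, and pairs each Event 21 or 25 with the Event 22 that the page says should follow within seconds.

```python
"""Extract Local Session Manager logon events (21/22/25) from an XML export."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
USER_NS = "{Event_NS}"  # namespace Windows uses for the UserData/EventXML payload

# Event IDs named on the page: 21 = session logon, 25 = reconnect, 22 = shell start.
LOGON_EVENTS = {21: "logon", 25: "reconnect"}
SHELL_START = 22

# Constructed sample export (not real log data): a remote logon with its shell
# start, a console logon with no shell start, and a later reconnect.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>21</EventID><TimeCreated SystemTime="2023-07-11T14:02:33.000000Z"/>
    <Computer>WS01.corp.example</Computer></System>
  <UserData><EventXML xmlns="Event_NS"><User>CORP\\alice</User>
    <SessionID>2</SessionID><Address>10.0.0.5</Address></EventXML></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>22</EventID><TimeCreated SystemTime="2023-07-11T14:02:35.000000Z"/>
    <Computer>WS01.corp.example</Computer></System>
  <UserData><EventXML xmlns="Event_NS"><User>CORP\\alice</User>
    <SessionID>2</SessionID><Address>10.0.0.5</Address></EventXML></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>21</EventID><TimeCreated SystemTime="2023-07-11T15:10:00.000000Z"/>
    <Computer>WS01.corp.example</Computer></System>
  <UserData><EventXML xmlns="Event_NS"><User>WS01\\bob</User>
    <SessionID>1</SessionID><Address>LOCAL</Address></EventXML></UserData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>25</EventID><TimeCreated SystemTime="2023-07-11T16:00:00.000000Z"/>
    <Computer>WS01.corp.example</Computer></System>
  <UserData><EventXML xmlns="Event_NS"><User>CORP\\alice</User>
    <SessionID>2</SessionID><Address>10.0.0.7</Address></EventXML></UserData>
</Event>
</Events>"""


@dataclass
class SessionEvent:
    event_id: int
    time: datetime
    computer: str
    domain: str
    user: str
    session_id: int
    address: str

    @property
    def is_remote(self) -> bool:
        # Per the page: Address is "LOCAL" for console logons, an IP otherwise.
        return self.address.upper() != "LOCAL"


def parse_events(xml_text: str) -> List[SessionEvent]:
    """Parse every Event element carrying an EventXML payload, oldest first."""
    root = ET.fromstring(xml_text)
    out = []
    for ev in root.iter(EVT_NS + "Event"):
        system = ev.find(EVT_NS + "System")
        data = ev.find(f"{EVT_NS}UserData/{USER_NS}EventXML")
        if system is None or data is None:
            continue
        stamp = system.find(EVT_NS + "TimeCreated").get("SystemTime")
        when = datetime.fromisoformat(stamp.replace("Z", "+00:00"))
        # "DOMAIN\user" -> ("DOMAIN", "user"); a bare name yields an empty domain.
        domain, _, user = data.findtext(USER_NS + "User", default="").rpartition("\\")
        out.append(SessionEvent(
            event_id=int(system.findtext(EVT_NS + "EventID")),
            time=when,
            computer=system.findtext(EVT_NS + "Computer", default=""),
            domain=domain,
            user=user,
            session_id=int(data.findtext(USER_NS + "SessionID")),
            address=data.findtext(USER_NS + "Address", default="LOCAL"),
        ))
    return sorted(out, key=lambda e: e.time)


def logon_timeline(events: List[SessionEvent],
                   shell_window: timedelta = timedelta(seconds=30)
                   ) -> List[Tuple[SessionEvent, str, bool]]:
    """For each Event 21/25 return (event, kind, shell_started).

    shell_started is True when an Event 22 for the same session on the same
    host appears within shell_window. The page observes that a 22 follows a 21
    within seconds, so a 21 with no matching 22 is worth a second look.
    """
    rows = []
    for i, ev in enumerate(events):
        if ev.event_id not in LOGON_EVENTS:
            continue
        shell = any(
            later.event_id == SHELL_START
            and later.session_id == ev.session_id
            and later.computer == ev.computer
            and ev.time <= later.time <= ev.time + shell_window
            for later in events[i + 1:]
        )
        rows.append((ev, LOGON_EVENTS[ev.event_id], shell))
    return rows


if __name__ == "__main__":
    for ev, kind, shell in logon_timeline(parse_events(SAMPLE_XML)):
        where = f"from {ev.address}" if ev.is_remote else "console"
        print(f"{ev.time.isoformat()} {kind:9} {ev.domain}\\{ev.user} "
              f"session {ev.session_id} {where} shell_started={shell}")
```

Run it against a real export by passing the output of `wevtutil qe Microsoft-Windows-TerminalServices-LocalSessionManager/Operational /f:xml` wrapped in a root element; the 30-second pairing window is an assumed value, not something the page specifies.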

Relevance to DFIR?

This entry will show you when a user logged into the system. It has the same information as other events, such as:

But these events are stored in different event log files, which may roll over at different rates, so you may find this event even after the others have been overwritten or deleted.

Usage in Cyber Triage

Cyber Triage collects and parses the Local Session Manager event log. It uses this event to determine when a logon session started. You can see that in the Sources tab of a Cyber Triage Logon Session.

Sources