What Is It?
This event is created when a local session is disconnected from either a local or remote interactive session.
- Event Log: Terminal Services – Local Session Manager
- Event ID: 24
- Event Description: “Session has been disconnected”
The Local Session Manager is responsible for creating or finding existing local sessions to support interactive logins. Note that local sessions are different from logon sessions. Local sessions represent the logon sessions, desktop layout, processes, etc. associated with an interactive logon. Learn more about sessions here.
This event is in the Inbound Logon artifact family. It is related to both incoming Windows RDP connections and local interactive logins.
When Does It Get Created?
Event 24 is created when a local session disconnects. That happens after a user successfully logs off or disconnects a local or remote interactive logon session.
- After a user logs out (not just a disconnect).
- After a user disconnects their session.
- In our testing, this event follows an Event 23 immediately. Event 23 indicates the local session logged off.
What Data Is Stored?
This event has three fields of interest:
- Timestamp of when the successful login occurred
- User and domain name for account being logged into
- Remote IP address if it is a remote interactive session or “LOCAL” if it’s a local interactive session
Note that this is the same data that you’ll get from Event 22 and Event 25.
Relevance to DFIR?
This entry will show you when a user disconnected from the system. It has the same information as other events, such as:
- Local Session Manager – Event 23
- Security Log – Event 4634
But, these events are all in different event log files and could cycle at different rates. So, you may find this event even if the others have been overwritten or deleted.
Usage in Cyber Triage
Cyber Triage collects and parses the Local Session Manager event log. It uses this event to determine when a logon session was disconnected.