
Windows Terminal Server – Remote Connection Manager Log

Published on May 19, 2023
Last updated on June 6, 2023

What Is It?

The “Windows Terminal Server – Remote Connection Manager Log” records events associated with the Remote Connection Manager, which is part of the “Remote Desktop Services” (RDS) service. RDS was previously called “Terminal Services”.

The log contains information about Windows Remote Desktop connections, which are Inbound Logon Artifacts. Note that there are several other logs that contain information about RDS activity and remote logons.

What Does It Contain?

This log contains audit and debug information associated with the “Remote Connection Manager”. The Remote Connection Manager is responsible for managing the listening RDP network port (TCP port 3389) and interacting with other parts of Windows, such as “winlogon” for authentication.

The log contains several types of events, such as:

  • When the service starts up
  • When connections are made to it

A list of events is given below.

Relevance to DFIR?

This event log is useful when investigating inbound Windows RDP remote logins. RDP can be used by attackers to remotely control a system once they have account credentials.

Note that if the attackers used remote access software other than Windows RDP, then this log will not have entries for those logins.

Storage Details

The event log file can be found at:

%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx

It can be disabled by setting the “Enabled” value under the “Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational” key to “0”.

Specific Events

Notable event types in this log include:

  • Event ID 261 – Connection
  • Event ID 1149 – “User Authentication Succeeded”

Note that nothing in this log will indicate a failed logon.
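
The following Python example is added here and is not code from the original article or from Cyber Triage. It reads event XML exported from this channel, collects the Event ID 261 and 1149 records, and returns the 1149 records whose source address falls outside the internal ranges. It assumes the 1149 payload carries user, domain and source address as Param1, Param2 and Param3, treats RFC 1918 ranges as internal, and runs on constructed sample events.

```python
import ipaddress
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CHANNEL = "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational"
# Assumption: RFC 1918 ranges count as internal; adjust for the network under investigation.
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def _event(event_id, time, params=()):
    """Build one constructed event; params become Param1..ParamN under UserData."""
    body = "".join(f"<Param{i}>{v}</Param{i}>" for i, v in enumerate(params, 1))
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{time}"/><Channel>{CHANNEL}</Channel></System>'
            f'<UserData><EventXML xmlns="Event_NS">{body}</EventXML></UserData></Event>')

# Constructed sample data (hypothetical users and addresses, not from a real system).
SAMPLE = "<Events>" + "".join([
    _event(261, "2023-05-19T08:14:02Z"),
    _event(1149, "2023-05-19T08:14:03Z", ("jsmith", "CORP", "10.1.2.3")),
    _event(261, "2023-05-19T23:41:10Z"),
    _event(1149, "2023-05-19T23:41:12Z", ("svc-backup", "CORP", "203.0.113.7")),
    _event(261, "2023-05-19T23:55:00Z"),
]) + "</Events>"

def parse_events(xml_text):
    """Return (connection_times, logons) for Event IDs 261 and 1149 in this channel."""
    connections, logons = [], []
    for ev in ET.fromstring(xml_text).iter(f'{{{NS["e"]}}}Event'):
        if ev.findtext("e:System/e:Channel", "", NS) != CHANNEL:
            continue
        event_id = ev.findtext("e:System/e:EventID", "", NS)
        when = ev.find("e:System/e:TimeCreated", NS).get("SystemTime")
        if event_id == "261":
            connections.append(when)
        elif event_id == "1149":
            # Assumed layout: Param1 = user, Param2 = domain, Param3 = source address.
            p = {el.tag.rsplit("}", 1)[-1]: (el.text or "") for el in ev.iter()}
            logons.append({"time": when, "user": p.get("Param1", ""),
                           "domain": p.get("Param2", ""), "source": p.get("Param3", "")})
    return connections, logons

def non_internal_logons(logons):
    """Return 1149 records whose source is outside INTERNAL or is not an IP address."""
    def internal(source):
        try:
            return any(ipaddress.ip_address(source) in net for net in INTERNAL)
        except ValueError:
            return False  # empty or malformed source: keep it for manual review
    return [rec for rec in logons if not internal(rec["source"])]
```
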

Cyber Triage Status

Cyber Triage collects this log file and parses it to make Inbound Logon sessions.
