Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
89 events across 3 channels
Event ID 1: The RDP Graphics module failed to initialize.
#Event ID 2: Remote Desktop Protocol will use the RDP Graphics module to connect to the client computer.
#Description
Remote Desktop Protocol will use the RDP Graphics module to connect to the client computer. The RDP Graphics module is being used based on the server configuration, client configuration, and network connection.
Message #
Event ID 3: The RemoteFX module failed to initialize.
#Event ID 4: The RemoteFX module failed to initialize.
#Event ID 5: The client computer does not support RemoteFX.
#Description
The client computer does not support RemoteFX. The connection will be made with the RDP Graphics. The relevant status code was StatusCode.
Message #
Fields #
| Name | Description |
|---|---|
StatusCode HexInt32 | NTSTATUS reference |
Event ID 6: The resolution requested by the remote client is not supported by RemoteFX.
#Description
The resolution requested by the remote client is not supported by RemoteFX. The connection will be made with RemoteFX using a supported resolution. Resolution requested by the client: Monitors NumMonitors: RequestedMode. Resolution applied: AppliedMode.
Message #
Fields #
| Name | Description |
|---|---|
NumMonitors UInt32 | |
RequestedMode UnicodeString | |
AppliedMode UnicodeString |
Event ID 7: The resolution requested by the remote client could not be set.
#Description
The resolution requested by the remote client could not be set. The default resolution will be set for the RemoteFX session. The server may be experiencing high load or require a restart.
Message #
Event ID 33: Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer.
#Description
Remote Desktop Protocol will use the RemoteFX guest mode module to connect to the client computer.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 33,
"version": 0,
"level": 4,
"task": 4,
"opcode": 11,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:46.553439Z",
"event_record_id": 898,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 6776
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 34: Remote Desktop Protocol will use the RemoteFX host mode module to connect to the client computer.
#Description
Remote Desktop Protocol will use the RemoteFX host mode module to connect to the client computer.
Message #
Event ID 35: Unable to initialize the RemoteFX host mode module.
#Event ID 36: Unable to initialize the RemoteFX host mode module.
#Event ID 37: The display resolution requested by the remote client is not supported by RemoteFX host mode module.
#Description
The display resolution requested by the remote client is not supported by RemoteFX host mode module. The resolution requested by the client: Monitors NumMonitors: RequestedMode. Resolution applied: AppliedMode.
Message #
Fields #
| Name | Description |
|---|---|
NumMonitors UInt32 | |
RequestedMode UnicodeString | |
AppliedMode UnicodeString |
Event ID 38: The display resolution requested by the remote client could not be enabled.
#Description
The display resolution requested by the remote client could not be enabled. The default resolution will be enabled for the RemoteFX session. The server may be experiencing high load.
Message #
Event ID 65: Connection ConnectionName created.
#Description
Connection ConnectionName created.
Message #
Fields #
| Name | Description |
|---|---|
ConnectionName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 65,
"version": 0,
"level": 4,
"task": 4,
"opcode": 13,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:28.546169Z",
"event_record_id": 846,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 1660
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ConnectionName": "RDP-Tcp#5"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 66: The connection ConnectionName was assigned to session SessionID.
#Description
The connection ConnectionName was assigned to session SessionID.
Message #
Fields #
| Name | Description |
|---|---|
ConnectionName UnicodeString | |
SessionID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 66,
"version": 0,
"level": 4,
"task": 4,
"opcode": 13,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:46.547380Z",
"event_record_id": 897,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 6776
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ConnectionName": "RDP-Tcp#7",
"SessionID": 1
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 67: The RemoteFX protocol connection ConnectionName encountered an error (ErrorCode).
#Event ID 68: TMT: ConnectionName=ConnectionName, PromptForCredentials=PromptForCredentials, PromptForCredentialsDone=PromptForCredentialsDone, GfxChannelOpened=GfxChannelOpened, FirstGraphicsReceived=FirstGraph...
#Description
TMT: ConnectionName=ConnectionName, PromptForCredentials=PromptForCredentials, PromptForCredentialsDone=PromptForCredentialsDone, GfxChannelOpened=GfxChannelOpened, FirstGraphicsReceived=FirstGraphicsReceived [ms].
Message #
Fields #
| Name | Description |
|---|---|
ConnectionName UnicodeString | |
PromptForCredentials UInt32 | |
PromptForCredentialsDone UInt32 | |
GfxChannelOpened UInt32 | |
FirstGraphicsReceived UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 68,
"version": 0,
"level": 4,
"task": 4,
"opcode": 13,
"keywords": 4611686018427387904,
"time_created": "2020-11-13T11:09:15.885301Z",
"event_record_id": 12592,
"correlation": {
"#attributes": {
"ActivityID": "AF159B2D-D587-4709-AB35-F167130B0000"
}
},
"execution": {
"process_id": 388,
"thread_id": 8512
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ConnectionName": "RDP-Tcp#0",
"PromptForCredentials": 0,
"PromptForCredentialsDone": 0,
"GfxChannelOpened": 8266,
"FirstGraphicsReceived": 10672
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 69: Listener ModuleName is loaded.
#Event ID 70: The listener listens with display driver DisplayDriverName available.
#Description
The listener listens with display driver DisplayDriverName available.
Message #
Fields #
| Name | Description |
|---|---|
DisplayDriverName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "{1139C61B-B549-4251-8ED3-27250A1EDEC8}",
"event_source_name": "",
"event_id": 70,
"version": 0,
"level": 4,
"task": 4,
"opcode": 13,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T16:32:54.1010884+00:00",
"event_record_id": 104,
"correlation": {
"ActivityID": "{F462A52A-5DAA-46E2-960E-FB3B92800000}"
},
"execution": {
"process_id": 1300,
"thread_id": 1600
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"DisplayDriverName": "rdpudd.dll"
},
"message": "The listener listens with display driver rdpudd.dll available."
}
Event ID 71: The connection ConnectionName uses display driver DisplayDriverName.
#Description
The connection ConnectionName uses display driver DisplayDriverName.
Message #
Fields #
| Name | Description |
|---|---|
ConnectionName UnicodeString | |
DisplayDriverName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 71,
"version": 0,
"level": 4,
"task": 4,
"opcode": 13,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:45.622046Z",
"event_record_id": 886,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 7136
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ConnectionName": "RDP-Tcp#7",
"DisplayDriverName": "RDPUDD"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 72: Interface method called: Interface_method_called.
#Description
Interface method called: Interface_method_called.
Message #
Fields #
| Name | Description |
|---|---|
MethodName |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 72,
"version": 0,
"level": 4,
"task": 4,
"opcode": 13,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:28.548440Z",
"event_record_id": 847,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 6492
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"MethodName": "PrepareForAccept"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 73: Inner encryption disabled?
#Event ID 97: The RDP protocol component ComponentName detected an error (ErrorCode) in the protocol stream and the client was disconnected.
#Event ID 98: A TCP connection has been successfully established.
#Description
A TCP connection has been successfully established.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 98,
"version": 0,
"level": 4,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:45.624254Z",
"event_record_id": 891,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 1692
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 99: The TCP connection has failed with the error code ResultCode.
#Event ID 100: The server has confirmed that the client's multi-transport capability.
#Description
The server has confirmed that the client's multi-transport capability.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 100,
"version": 0,
"level": 4,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:45.624261Z",
"event_record_id": 892,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 1692
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 101: The network characteristics detection function has been disabled because of ReasonString.
#Description
The network characteristics detection function has been disabled because of ReasonString.
Message #
Fields #
| Name | Description |
|---|---|
ReasonString UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 101,
"version": 0,
"level": 3,
"task": 4,
"opcode": 16,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:45.621408Z",
"event_record_id": 880,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 7312
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ReasonString": "Reason Code: 2(Server Configuration)."
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 102: The server has terminated main RDP connection with the client.
#Description
The server has terminated main RDP connection with the client.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 102,
"version": 0,
"level": 4,
"task": 4,
"opcode": 17,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:34.852452Z",
"event_record_id": 854,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 1644
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 103: The disconnect reason is ReasonCode.
#Description
The disconnect reason is ReasonCode.
Message #
Fields #
| Name | Description |
|---|---|
ReasonCode UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 103,
"version": 0,
"level": 4,
"task": 4,
"opcode": 17,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:34.852505Z",
"event_record_id": 857,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 6492
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ReasonCode": 14
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 104: Client timezone is TimezoneBiasHour hour from UTC.
#Description
Client timezone is TimezoneBiasHour hour from UTC.
Message #
Fields #
| Name | Description |
|---|---|
TimezoneBiasHour UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 104,
"version": 0,
"level": 4,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2020-07-09T19:47:00.719124Z",
"event_record_id": 1129,
"correlation": {
"#attributes": {
"ActivityID": "F420CA7A-0E56-4135-8A7C-CE2182D30000"
}
},
"execution": {
"process_id": 476,
"thread_id": 4152
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"TimezoneBiasHour": "[1]"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 105: The server's security layer setting allows it to use native RDP encryption, which is no longer recommended.
#Description
The server's security layer setting allows it to use native RDP encryption, which is no longer recommended. Consider changing the server security layer to require SSL. You can change this setting in Group Policy.
Message #
Event ID 106: Disconnect initiated by server; forcing an AutoReconnect since listener is disabled.
#Description
Disconnect initiated by server; forcing an AutoReconnect since listener is disabled.
Message #
Event ID 107: Received Disconnect Provider Indication from the client.
#Description
Received Disconnect Provider Indication from the client.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 107,
"version": 0,
"level": 4,
"task": 4,
"opcode": 17,
"keywords": 4611686018427387904,
"time_created": "2019-08-28T10:07:43.924049Z",
"event_record_id": 1066,
"correlation": {
"#attributes": {
"ActivityID": "F4202795-713F-468C-BA0B-6C1C2F0C0000"
}
},
"execution": {
"process_id": 396,
"thread_id": 1064
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 129: The server is using TransportProtocolName to bind to port Port.
#Description
The server is using TransportProtocolName to bind to port Port.
Message #
Fields #
| Name | Description |
|---|---|
TransportProtocolName UnicodeString | |
Port UInt16 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "{1139C61B-B549-4251-8ED3-27250A1EDEC8}",
"event_source_name": "",
"event_id": 129,
"version": 0,
"level": 4,
"task": 4,
"opcode": 18,
"keywords": 4611686018427387904,
"time_created": "2026-05-29T16:32:54.0988665+00:00",
"event_record_id": 103,
"correlation": {
"ActivityID": "{F462A52A-5DAA-46E2-960E-FB3B92800000}"
},
"execution": {
"process_id": 1300,
"thread_id": 1600
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"TransportProtocolName": "UDP",
"Port": "3389"
},
"message": "The server is using UDP to bind to port 15629."
}
Event ID 130: The server has initiated a multi-transport request to the client, for tunnel: The_server_has_initiated_a_multitransport_request_to_the_client_for_tunnel.
#Description
The server has initiated a multi-transport request to the client, for tunnel: The_server_has_initiated_a_multitransport_request_to_the_client_for_tunnel.
Message #
Fields #
| Name | Description |
|---|---|
TunnelID | The server has initiated a multi-transport request to the client, for tunnel. |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 130,
"version": 0,
"level": 4,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:45.625322Z",
"event_record_id": 894,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 1692
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"TunnelID": 1
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 131: The server accepted a new ConnType connection from client ClientIP.
#Description
The server accepted a new ConnType connection from client ClientIP.
Message #
Fields #
| Name | Description |
|---|---|
ConnType UnicodeString | |
ClientIP UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 131,
"version": 0,
"level": 4,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2020-11-13T11:09:07.084053Z",
"event_record_id": 12551,
"correlation": {
"#attributes": {
"ActivityID": "F4207C37-D7A8-4A5E-9A35-4E79CAA60000"
}
},
"execution": {
"process_id": 388,
"thread_id": 1292
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ConnType": "TCP",
"ClientIP": "10.0.2.16:52202"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 132: A channel ChannelName has been connected between the server and the client using transport tunnel: TunnelID.
#Description
A channel ChannelName has been connected between the server and the client using transport tunnel: TunnelID.
Message #
Fields #
| Name | Description |
|---|---|
ChannelName UnicodeString | |
TunnelID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 132,
"version": 0,
"level": 4,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:45.621433Z",
"event_record_id": 881,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 7312
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ChannelName": "rdplic",
"TunnelID": 0
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 133: The following network characteristics have been detected for tunnel TunnelID; Link latency : RTT milliseconds and Bandwidth: Bandwidth kbps.
#Event ID 134: Link latency and bandwidth could not be detected for tunnel TunnelID.
#Description
Link latency and bandwidth could not be detected for tunnel TunnelID. The error code is ResultCode. The following default network characteristics will be used; Link latency: RTT milliseconds and Bandwidth:Bandwidth kbps.
Message #
Fields #
| Name | Description |
|---|---|
ResultCode HexInt32 | |
TunnelID UInt32 | |
RTT UInt32 | |
Bandwidth UInt32 |
Event ID 135: The multi-transport connection finished for tunnel: The_multitransport_connection_finished_for_tunnel, its transport type set to TransportType.
#Description
The multi-transport connection finished for tunnel: The_multitransport_connection_finished_for_tunnel, its transport type set to TransportType.
Message #
Fields #
| Name | Description |
|---|---|
TunnelID | The multi-transport connection finished for tunnel. |
TransportType |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 135,
"version": 0,
"level": 4,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:45.624288Z",
"event_record_id": 893,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 1692
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"TunnelID": 3,
"TransportType": "TCP: Reason Code: 2 (Forced by Server Configuration)"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 136: Unable to establish a multi-transport connection; the connection will use TCP.
#Description
Unable to establish a multi-transport connection; the connection will use TCP. Consult the product documentation to enable UDP Connections.
Message #
Event ID 137: The following network characteristics have been detected for tunnel TunnelID; Link latency : RTT milliseconds and Bandwidth: Bandwidth kbps.
#Event ID 138: The DTLS initialization failed with the error code ResultCode, TLS will be used instead.
#Event ID 139: The server security layer detected an error (ResultCode) in the protocol stream and the client (Client IP:IPString) has been disconnected.
#Event ID 140: A connection from the client computer with an IP address of IPString failed because the user name or password is not correct.
#Event ID 141: PerfCounter session started with instance ID InstanceID.
#Description
PerfCounter session started with instance ID InstanceID.
Message #
Fields #
| Name | Description |
|---|---|
InstanceID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 141,
"version": 0,
"level": 4,
"task": 4,
"opcode": 11,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:28.549456Z",
"event_record_id": 849,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 6492
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"InstanceID": 5
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 142: TCP socket READ operation failed, error error.
#Description
TCP socket READ operation failed, error error.
Message #
Fields #
| Name | Description |
|---|---|
error UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 142,
"version": 0,
"level": 3,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:34.851987Z",
"event_record_id": 852,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 6776
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"error": 64
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 143: TCP socket WRITE operation failed, error error.
#Description
TCP socket WRITE operation failed, error error.
Message #
Fields #
| Name | Description |
|---|---|
error UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 143,
"version": 0,
"level": 3,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:34.851924Z",
"event_record_id": 850,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 4988
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"error": 64
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 144: TCP socket was gracefully terminated
#Description
TCP socket was gracefully terminated.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 144,
"version": 0,
"level": 3,
"task": 4,
"opcode": 15,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T10:16:51.112394+00:00",
"event_record_id": 4129,
"correlation": {
"ActivityID": "F420FF93-1637-4090-92CE-51A628CA0000"
},
"execution": {
"process_id": 1536,
"thread_id": 9036
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
Event ID 145: During this connection, server has not sent data or graphics update for Idle2 seconds (Idle1: IdleSeconds1, Idle2: IdleSeconds2).
#Description
During this connection, server has not sent data or graphics update for Idle2 seconds (Idle1: IdleSeconds1, Idle2: IdleSeconds2).
Message #
Fields #
| Name | Description |
|---|---|
IdleSeconds | |
IdleSeconds1 | |
IdleSeconds2 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 145,
"version": 0,
"level": 4,
"task": 4,
"opcode": 19,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:34.852455Z",
"event_record_id": 855,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 1644
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"IdleSeconds": 0,
"IdleSeconds1": 0,
"IdleSeconds2": 0
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 146: AutoReconnect failed with error Error.
#Event ID 147: LogonUserExEx failed with error Error.
#Event ID 148: Channel ChannelName has been closed between the server and the client on transport tunnel: TunnelID.
#Description
Channel ChannelName has been closed between the server and the client on transport tunnel: TunnelID.
Message #
Fields #
| Name | Description |
|---|---|
ChannelName UnicodeString | |
TunnelID UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 148,
"version": 0,
"level": 4,
"task": 4,
"opcode": 17,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:34.852505Z",
"event_record_id": 856,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 1644
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ChannelName": "rdpinpt",
"TunnelID": 0
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 149: Logon certificate sent by client did not pass validation.
#Event ID 150: Long delay experienced while flushing data to the network.
#Event ID 151: In the past ms_all_packets_throughout_connection ms, HistoryMs heartbeats were sent to the client.
#Description
In the past HistoryMs ms, NumHeartbeats heartbeats were sent to the client. Max time without sending packets in recent history: MaxRecentTimeNoPacketMs ms (all packets); throughout connection: MaxTotalTimeNoDataMs ms (data), MaxTotalTimeNoHeartbeatMs ms (heartbeats), MaxTotalTimeNoPacketMs ms (all packets). Time between disconnect and last packet sent: TimeNoLastPacketMs ms
Message #
Fields #
| Name | Description |
|---|---|
HistoryMs UInt32 | |
NumHeartbeats UInt32 | |
MaxRecentTimeNoPacketMs UInt32 | |
MaxTotalTimeNoDataMs UInt32 | |
MaxTotalTimeNoHeartbeatMs UInt32 | |
MaxTotalTimeNoPacketMs UInt32 | |
TimeNoLastPacketMs UInt32 |
Event ID 152: Timestamp: Timestamp ms, heartbeats sent: ms_heartbeats_sent, data packet last sent: data_packet_last_sent ms, heartbeat last sent: ms_heartbeat_last_sent ms.
#Event ID 153: Session negotiated TLS version TLSVersion.
#Event ID 154: Message.
#Event ID 161: The RemoteFX encoding engine encountered an error (ErrorCode).
#Event ID 162: The client supports version AVC_available of the RDP graphics protocol, client mode: Initial_profile, AVC available: Server, Initial profile: ProfileIdNum.
#Description
The client supports version AVC_available of the RDP graphics protocol, client mode: Initial_profile, AVC available: Server, Initial profile: ProfileIdNum. Server: ServerName.
Message #
Fields #
| Name | Description |
|---|---|
Version | |
ClientMode | |
AvcEnabled | |
ProfileIdNum | |
ServerName |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 162,
"version": 0,
"level": 4,
"task": 4,
"opcode": 19,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:46.742779Z",
"event_record_id": 908,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 8020
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"Version": "0xa0301",
"ClientMode": 2,
"AvcEnabled": 1,
"ProfileIdNum": 2,
"ServerName": "MSEDGEWIN10"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 163: The client supports RDP 7.
#Description
The client supports RDP 7.1 or lower protocol. Server: Server.
Message #
Fields #
| Name | Description |
|---|---|
ServerName |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 163,
"version": 0,
"level": 4,
"task": 4,
"opcode": 19,
"keywords": 4611686018427387904,
"time_created": "2019-08-28T14:22:27.573268Z",
"event_record_id": 1356,
"correlation": {
"#attributes": {
"ActivityID": "F4201740-D459-489E-A55C-BFE842340000"
}
},
"execution": {
"process_id": 396,
"thread_id": 1336
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ServerName": "MSEDGEWIN10"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 164: The client advertised protocol configurations which are not supported by the server.
#Event ID 165: RDP RemoteFX graphics encoding is enabled.
#Event ID 166: The RemoteFX Adaptive Graphics internal configuration changed to optimize for the minimum use of network bandwidth.
#Event ID 167: The RemoteFX Adaptive Graphics internal configuration changed to optimize for experience.
#Event ID 168: The resolution requested by the client: Monitor MonitorNum: (MonitorWidth, MonitorHeight), origin: (MonitorX, MonitorY).
#Description
The resolution requested by the client: Monitor MonitorNum: (MonitorWidth, MonitorHeight), origin: (MonitorX, MonitorY). Server: ServerName.
Message #
Fields #
| Name | Description |
|---|---|
MonitorNum UInt32 | |
MonitorWidth UInt32 | |
MonitorHeight UInt32 | |
MonitorX UInt32 | |
MonitorY UInt32 | |
ServerName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 168,
"version": 0,
"level": 4,
"task": 4,
"opcode": 11,
"keywords": 4611686018427387904,
"time_created": "2020-11-13T11:09:15.564770Z",
"event_record_id": 12591,
"correlation": {
"#attributes": {
"ActivityID": "F4207C37-D7A8-4A5E-9A35-4E79CAA60000"
}
},
"execution": {
"process_id": 388,
"thread_id": 7312
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"MonitorNum": 0,
"MonitorWidth": 200,
"MonitorHeight": 200,
"MonitorX": 0,
"MonitorY": 0,
"ServerName": "MSEDGEWIN10"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 169: The client operating system type is (MajorType, MinorType).
#Description
The client operating system type is (MajorType, MinorType). Server: ServerName.
Message #
Fields #
| Name | Description |
|---|---|
MajorType UInt32 | |
MinorType UInt32 | |
ServerName UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 169,
"version": 0,
"level": 4,
"task": 4,
"opcode": 19,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:46.567652Z",
"event_record_id": 902,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 7312
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"MajorType": 1,
"MinorType": 3,
"ServerName": "MSEDGEWIN10"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 170: AVC hardware encoder enabled: AVC_hardware_encoder_enabled, encoder name is IsHardwareEncode.
#Event ID 171: The client is uncapable to support screen capture protection feature.
#Event ID 172: The client is uncapable to support watermarking feature.
#Event ID 193: The RemoteFX Media Remoting is not supported by the client.
#Description
The RemoteFX Media Remoting is not supported by the client.
Message #
Event ID 194: The RemoteFX Media Remoting is not supported by the current server configuration.
#Description
The RemoteFX Media Remoting is not supported by the current server configuration.
Message #
Event ID 195: The RemoteFX Media Remoting module encountered an error.
#Event ID 225: StateTransition: Transitioned successfully from PreviousStateName to NewStateName in response to EventName.
#Description
StateTransition: Transitioned successfully from PreviousStateName to NewStateName in response to EventName.
Message #
Fields #
| Name | Description |
|---|---|
StateTransition UnicodeString | |
PreviousState UInt32 | |
PreviousStateName UnicodeString | |
NewState UInt32 | |
NewStateName UnicodeString | |
Event UInt32 | |
EventName UnicodeString |
Event ID 226: StateTransition: An error was encountered when transitioning from PreviousStateName in response to EventName (error code ErrorCode).
#Description
StateTransition: An error was encountered when transitioning from PreviousStateName in response to EventName (error code ErrorCode).
Message #
Fields #
| Name | Description |
|---|---|
StateTransition UnicodeString | |
PreviousState UInt32 | |
PreviousStateName UnicodeString | |
NewState UInt32 | |
NewStateName UnicodeString | |
Event UInt32 | |
EventName UnicodeString | |
ErrorCode HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 226,
"version": 0,
"level": 3,
"task": 4,
"opcode": 19,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:16:34.851971Z",
"event_record_id": 851,
"correlation": {
"#attributes": {
"ActivityID": "F420DD64-C87E-4E2D-A02E-7D0935770000"
}
},
"execution": {
"process_id": 636,
"thread_id": 4988
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"StateTransition": "RDP_TCP",
"PreviousState": 23,
"PreviousStateName": "StateUnknown",
"NewState": 21,
"NewStateName": "StateDisconnected",
"Event": 43,
"EventName": "Event_Disconnect",
"ErrorCode": "0x80070040"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 227: CustomLevel.
#Description
CustomLevel
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
Value UInt32 | |
CustomLevel UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 227,
"version": 0,
"level": 2,
"task": 4,
"opcode": 19,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:45.622336Z",
"event_record_id": 887,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 7136
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"Name": "CUMRDPConnection",
"Value": 2147500033,
"CustomLevel": "'Failed GetConnectionProperty' in CUMRDPConnection::QueryProperty at 2884 err=[0x80004001]"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 228: Disconnect trace:Disconnect_trace Message, Error code:ErrorCode.
#Description
Disconnect trace:Disconnect_trace Message, Error code:ErrorCode.
Message #
Fields #
| Name | Description |
|---|---|
ComponentName | |
Message | |
ErrorCode |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 228,
"version": 0,
"level": 3,
"task": 4,
"opcode": 19,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:26:41.767599Z",
"event_record_id": 938,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 7572
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"ComponentName": "CUMRDPConnection",
"Message": "Disconnect trace:'calling spGfxPlugin->PreDisconnect()' in CUMRDPConnection::PreDisconnect at 4595 err=[0x5]",
"ErrorCode": 5
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 229: CustomLevel.
#Description
CustomLevel
Message #
Fields #
| Name | Description |
|---|---|
Name UnicodeString | |
CustomLevel UnicodeString |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 229,
"version": 0,
"level": 4,
"task": 4,
"opcode": 19,
"keywords": 4611686018427387904,
"time_created": "2019-08-28T03:36:49.647283Z",
"event_record_id": 975,
"correlation": {
"#attributes": {
"ActivityID": "F4624E4C-DF38-4BB3-A4DB-3782C9880000"
}
},
"execution": {
"process_id": 480,
"thread_id": 1196
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {
"Name": "CUMRDPProtocolManager",
"CustomLevel": "'CUMRDPProtocolManager::CreateListener(RDP-Tcp) DEBUG/VM/ReverseTCP/ReverseUDP/INET' in CUMRDPProtocolManager::CreateListener at 4134 err=[0x0]"
}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 257: The connection is using advanced RemoteFX RemoteApp graphics.
#Description
The connection is using advanced RemoteFX RemoteApp graphics.
Message #
Event ID 258: The connection is not using advanced RemoteFX RemoteApp graphics
#Description
The connection is not using advanced RemoteFX RemoteApp graphics.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS",
"guid": "1139C61B-B549-4251-8ED3-27250A1EDEC8",
"event_source_name": "",
"event_id": 258,
"version": 0,
"level": 4,
"task": 4,
"opcode": 21,
"keywords": 4611686018427387904,
"time_created": "2019-08-27T17:17:47.617830Z",
"event_record_id": 915,
"correlation": {
"#attributes": {
"ActivityID": "F420C5E0-91BA-4CF1-97FF-34CCD7200000"
}
},
"execution": {
"process_id": 636,
"thread_id": 7572
},
"channel": "Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational",
"computer": "MSEDGEWIN10",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {}
}
References #
- Example event sourced from https://github.com/NextronSystems/evtx-baseline
Event ID 289: Got UDP reverse connect request to URL port Port connection id ConnectionID.
#Event ID 291: UDP reverse connect failed with error Error.
#Event ID 292: Multi transport listener NOT initialized.
#Description
Multi transport listener NOT initialized. UDP reverse connect NOT supported.
Message #
Event ID 293: Multi transport listener initialized.
#Description
Multi transport listener initialized. UDP reverse connect supported.
Message #
Event ID 294: Reverse UDP connect is disabled by SxS registry settings.
#Description
Reverse UDP connect is disabled by SxS registry settings.
Message #
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 1139c61b-b549-4251-8ed3-27250a1edec8
Defined in RdpCoreTS.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02