# Microsoft-Windows-TerminalServices-ClientActiveXCore

75 events across 3 channels
## Event ID 225: StateTransitionName: Transitioned successfully from PreviousStateName to NewStateName in response to EventName.

### Description

StateTransitionName: Transitioned successfully from PreviousStateName to NewStateName in response to EventName.

### Fields

| Name | Type | Description |
|---|---|---|
| StateTransitionName | UnicodeString | |
| PreviousState | UInt32 | |
| PreviousStateName | UnicodeString | |
| NewState | UInt32 | |
| NewStateName | UnicodeString | |
| Event | UInt32 | |
| EventName | UnicodeString | |
## Event ID 226: StateTransitionName: An error was encountered when transitioning from PreviousStateName to NewStateName in response to EventName (error code Error Code).

### Description

StateTransitionName: An error was encountered when transitioning from PreviousStateName to NewStateName in response to EventName (error code Error Code).

### Fields

| Name | Type | Description |
|---|---|---|
| StateTransitionName | UnicodeString | |
| PreviousState | UInt32 | |
| PreviousStateName | UnicodeString | |
| NewState | UInt32 | |
| NewStateName | UnicodeString | |
| Event | UInt32 | |
| EventName | UnicodeString | |
| ErrorCode | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "28AA95BB-D444-4719-A36F-40462168127E",
    "event_source_name": "",
    "event_id": 226,
    "version": 0,
    "level": 3,
    "task": 104,
    "opcode": 19,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T18:26:54.989202+00:00",
    "event_record_id": 4,
    "correlation": {
      "ActivityID": "DB2461B3-3531-4655-AE9C-36EB94410000"
    },
    "execution": {
      "process_id": 12488,
      "thread_id": 13944
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "StateTransitionName": "RDPClient_SSL",
    "PreviousState": 2,
    "PreviousStateName": "TsSslStateHandshakeStart",
    "NewState": 10,
    "NewStateName": "TsSslStateDisconnecting",
    "Event": 7,
    "EventName": "TsSslEventStartHandshakeFailed",
    "Error Code": 2147500037
  },
  "message": ""
}
```
## Event ID 227: StateTransitionName: MCS Channel Join Confirmation received: ChannelID = ChannelID, ChannelName = ChannelName.

## Event ID 1000: task_0

### Fields

| Name | Type | Description |
|---|---|---|
| Function | UnicodeString | |
| Line | UnicodeString | |
| DebugMessage | UnicodeString | |
## Event ID 1001: RDP ClientActiveX is trying to connect to the server (Value).

## Event ID 1002: RDP ClientActiveX has connected to the server

### Description

RDP ClientActiveX has connected to the server.

## Event ID 1003: RDP ClientActiveX has been disconnected (Reason= Value).

## Event ID 1004: Client has logged on to the server (SessionId = Value).

## Event ID 1005: Client failed to logon on to the server (Error = ErrorCode).

## Event ID 1006: Client machine has lost network connectivity (Reason= ErrorCode).

## Event ID 1007: DNS failed to resolve the server name (Error= ErrorCode).

## Event ID 1008: The credentials provided are authenticated by the server

## Event ID 1009: The credentials provided were failed to be authenticated by the server

## Event ID 1010: RDP ClientActiveX is connecting to a gateway server (Name=Value).

## Event ID 1011: RDP ClientActiveX succeeded in connecting to the gateway server

### Description

RDP ClientActiveX succeeded in connecting to the gateway server.

## Event ID 1012: RDP ClientActiveX failed to connect to the gateway server(Error= ErrorCode).

## Event ID 1013: RDP ClientActiveX is trying to automatically reconnect to the server (Value).

## Event ID 1014: RDP ClientActiveX succeeded in automatically connecting to the server

## Event ID 1015: RDP ClientActiveX failed to automatically connect to the server (Reason= TraceMessage).

## Event ID 1016: Client has a license to connect to the server

## Event ID 1017: Client does not have a license to connect to the server (Error= ErrorCode).

## Event ID 1018: RDP ClientActiveX failed to connect to the server (Error = ErrorCode).

## Event ID 1019: TraceMessage.

## Event ID 1020: RDP ClientActiveX has recorded the following error - ErrorCode.

## Event ID 1021: RDP ClientActiveX's gateway transport has recorded the following error - Value.

## Event ID 1022: TraceMessage.

## Event ID 1023: RDP Client ActiveX has started using RemoteFX for graphics decoding (decoder type = Value).

## Event ID 1024: RDP ClientActiveX is trying to connect to the server (Value).

### Description

RDP ClientActiveX is trying to connect to the server (Value).

### Fields

| Name | Type | Description |
|---|---|---|
| Name | UnicodeString | |
| Value | UnicodeString | |
| CustomLevel | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "28AA95BB-D444-4719-A36F-40462168127E",
    "event_source_name": "",
    "event_id": 1024,
    "version": 0,
    "level": 4,
    "task": 101,
    "opcode": 10,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:32:36.580526+00:00",
    "event_record_id": 1,
    "correlation": {
      "ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
    },
    "execution": {
      "process_id": 11236,
      "thread_id": 11240
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "Name": "Server Name",
    "Value": "29A7892D-8743-4A3F-85E3-06FE9D7977B4",
    "CustomLevel": "Info"
  },
  "message": ""
}
```
### References

- Windows Forensic Artifacts: https://github.com/Psmths/windows-forensic-artifacts/blob/main/network/evtx-1024-rdp-activex.md
## Event ID 1025: RDP ClientActiveX has connected to the server

### Description

RDP ClientActiveX has connected to the server.

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "28AA95BB-D444-4719-A36F-40462168127E",
    "event_source_name": "",
    "event_id": 1025,
    "version": 0,
    "level": 4,
    "task": 101,
    "opcode": 10,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:32:37.058263+00:00",
    "event_record_id": 4,
    "correlation": {
      "ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
    },
    "execution": {
      "process_id": 11236,
      "thread_id": 5172
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {},
  "message": ""
}
```
## Event ID 1026: RDP ClientActiveX has been disconnected (Reason= Value).

### Description

RDP ClientActiveX has been disconnected (Reason= Value).

### Fields

| Name | Type | Description |
|---|---|---|
| Name | UnicodeString | |
| Value | UInt32 | |
| CustomLevel | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "{28AA95BB-D444-4719-A36F-40462168127E}",
    "event_source_name": "",
    "event_id": 1026,
    "version": 0,
    "level": 4,
    "task": 101,
    "opcode": 11,
    "keywords": 4611686018427387904,
    "time_created": "2026-04-16T22:43:34.7715095+00:00",
    "event_record_id": 15,
    "correlation": {
      "ActivityID": "{CA27B9FB-05E9-46ED-A43C-B3EB30180000}"
    },
    "execution": {
      "process_id": 17100,
      "thread_id": 17348
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Name": "Disconnect Reason",
    "Value": "1",
    "CustomLevel": "Info"
  },
  "message": "RDP ClientActiveX has been disconnected (Reason= 1)"
}
```
## Event ID 1027: Connected to domain (DomainName) with session SessionId.

## Event ID 1028: Server supports SSL = TraceMessage.

### Description

Server supports SSL = TraceMessage.

### Fields

| Name | Type | Description |
|---|---|---|
| TraceMessage | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "28AA95BB-D444-4719-A36F-40462168127E",
    "event_source_name": "",
    "event_id": 1028,
    "version": 0,
    "level": 4,
    "task": 101,
    "opcode": 10,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:32:36.991587+00:00",
    "event_record_id": 2,
    "correlation": {
      "ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
    },
    "execution": {
      "process_id": 11236,
      "thread_id": 5172
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "TraceMessage": "not supported"
  },
  "message": ""
}
```
## Event ID 1029: Base64(SHA256(UserName)) is = TraceMessage.

### Description

Base64(SHA256(UserName)) is = TraceMessage.

### Fields

| Name | Type | Description |
|---|---|---|
| TraceMessage | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "28AA95BB-D444-4719-A36F-40462168127E",
    "event_source_name": "",
    "event_id": 1029,
    "version": 0,
    "level": 4,
    "task": 101,
    "opcode": 10,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:32:36.992493+00:00",
    "event_record_id": 3,
    "correlation": {
      "ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
    },
    "execution": {
      "process_id": 11236,
      "thread_id": 11240
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "TraceMessage": "-"
  },
  "message": ""
}
```
## Event ID 1030: RDP Client build BuildBranch BuildDate BuildTime BuildVersion ArchAndFlavour.

## Event ID 1031: Invalid format error occured when decoding packet of type TraceMessage.

## Event ID 1032: Component name:ErrorCode, :: ErrorDescription.

## Event ID 1033: Component name:Name, :: CustomLevel, Error code:Value.

## Event ID 1034: Component name:ErrorCode, :: ErrorDescription.

## Event ID 1100: The client detected the link latency is Value milliseconds.

## Event ID 1101: The client detected the bandwidth is Value kbps/second.

## Event ID 1102: The client has initiated a multi-transport connection to the server Value.

### Description

The client has initiated a multi-transport connection to the server Value.

### Fields

| Name | Type | Description |
|---|---|---|
| Name | UnicodeString | |
| Value | UnicodeString | |
| CustomLevel | UnicodeString | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "{28AA95BB-D444-4719-A36F-40462168127E}",
    "event_source_name": "",
    "event_id": 1102,
    "version": 0,
    "level": 4,
    "task": 101,
    "opcode": 10,
    "keywords": 4611686018427387904,
    "time_created": "2026-04-16T21:56:41.7226635+00:00",
    "event_record_id": 9,
    "correlation": {
      "ActivityID": "{CA27B9FB-05E9-46ED-A43C-B3EB30180000}"
    },
    "execution": {
      "process_id": 17100,
      "thread_id": 17460
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {
    "Name": "ServerAddress",
    "Value": "10.2.10.91",
    "CustomLevel": "Info"
  },
  "message": "The client has initiated a multi-transport connection to the server 10.2.10.91."
}
```
## Event ID 1103: The client has established a multi-transport connection to the server.

### Description

The client has established a multi-transport connection to the server.

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "{28AA95BB-D444-4719-A36F-40462168127E}",
    "event_source_name": "",
    "event_id": 1103,
    "version": 0,
    "level": 4,
    "task": 101,
    "opcode": 10,
    "keywords": 4611686018427387904,
    "time_created": "2026-04-16T21:56:41.9856707+00:00",
    "event_record_id": 11,
    "correlation": {
      "ActivityID": "{CA27B9FB-05E9-46ED-A43C-B3EB30180000}"
    },
    "execution": {
      "process_id": 17100,
      "thread_id": 17168
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": "The client has established a multi-transport connection to the server."
}
```
## Event ID 1104: The client failed to establish the multi-transport connection.

## Event ID 1105: The multi-transport connection has been disconnected.

### Description

The multi-transport connection has been disconnected.

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "28AA95BB-D444-4719-A36F-40462168127E",
    "event_source_name": "",
    "event_id": 1105,
    "version": 0,
    "level": 4,
    "task": 101,
    "opcode": 10,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-13T18:26:54.989606+00:00",
    "event_record_id": 5,
    "correlation": {
      "ActivityID": "DB2461B3-3531-4655-AE9C-36EB94410000"
    },
    "execution": {
      "process_id": 12488,
      "thread_id": 13944
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "LAB-DC01.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": ""
}
```
## Event ID 1106: Close event, code = Code.

## Event ID 1107: Disconnect trace:ComponentName "Message", Error code:ErrorCode.

## Event ID 1201: The RdClient has been forced exit since cancelling existing workspace job took too long.

### Description

The RdClient has been forced exit since cancelling existing workspace job took too long.

## Event ID 1202: The user has clicked sign out on the OOB Client ribbon.

### Description

The user has clicked sign out on the OOB Client ribbon.

## Event ID 1203: The user has clicked Refresh on the OOB client ribbon.

### Description

The user has clicked Refresh on the OOB client ribbon.

## Event ID 1204: The user tried to login into ADAL with a different user name than the one he/she subscribed to initially.

### Description

The user tried to login into ADAL with a different user name than the one he/she subscribed to initially.

## Event ID 1205: Event: Workspace Event succeeded for Tenant = TenantId , TotalTimeWithoutAdal = TotalTimeWithoutAdal ms, AdalTime = AdalTime ms.

### Description

Event: Workspace Event succeeded for Tenant = TenantId , TotalTimeWithoutAdal = TotalTimeWithoutAdal ms, AdalTime = AdalTime ms. NumberOfResources = ErrorCode.

### Fields

| Name | Type | Description |
|---|---|---|
| Event | UnicodeString | |
| TenantId | UnicodeString | |
| TotalTimeWithoutAdal | UInt32 | |
| AdalTime | UInt32 | |
| ErrorCode | UInt32 | |
## Event ID 1206: Event: Workspace Event failed for Tenant = TenantId.

## Event ID 1207: RDP Client build BuildBranch BuildDate BuildTime BuildVersion ArchAndFlavour.

## Event ID 1208: Feed discovery succeeded.

## Event ID 1209: Feed discovery failed.

## Event ID 1210: Feed cache corruption encountered.

## Event ID 1211: Consent status updated successfully.

## Event ID 1212: Consent status update failed.

## Event ID 1213: The user has clicked view invitations on the OOB client ribbon.

### Description

The user has clicked view invitations on the OOB client ribbon.

## Event ID 1214: Base64(SHA256(UserName)) = UserNameHash, TimeZone Bias = TimeZoneBias, TimeZone Name = TimeZoneName.

## Event ID 1215: Refresh Time = refreshTime, Number of feeds = numberOfFeeds.

## Event ID 1216: ADAL error code = ErrorCode, description = ErrorDescription.

## Event ID 1217: ADAL token collected successfully

### Description

ADAL token collected successfully.
## Event ID 1227: RadcClientType entering stage RadcClientStage.

## Event ID 1228: RadcClientStage with http event type RadcHttpEvent.

## Event ID 1229: RadcClientStage with http event type RadcHttpEvent and http status code Code.

## Event ID 1230: RadcClientStage with http event type RadcHttpEvent failed with xresult Code.

## Event ID 1401: The server is using version Version of the RDP graphics protocol (client mode: ClientMode, AVC available: AvcEnabled).

### Description

The server is using version Version of the RDP graphics protocol (client mode: ClientMode, AVC available: AvcEnabled).

### Fields

| Name | Type | Description |
|---|---|---|
| Version | HexInt32 | |
| ClientMode | UInt32 | |
| AvcEnabled | UInt32 | |

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "28AA95BB-D444-4719-A36F-40462168127E",
    "event_source_name": "",
    "event_id": 1401,
    "version": 0,
    "level": 4,
    "task": 106,
    "opcode": 36,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:32:37.635292+00:00",
    "event_record_id": 6,
    "correlation": {
      "ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
    },
    "execution": {
      "process_id": 11236,
      "thread_id": 3796
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {
    "Version": "0x80004",
    "ClientMode": 0,
    "AvcEnabled": 0
  },
  "message": ""
}
```
## Event ID 1402: The client is using hardware memory for the frame buffer.

### Description

The client is using hardware memory for the frame buffer.

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "{28AA95BB-D444-4719-A36F-40462168127E}",
    "event_source_name": "",
    "event_id": 1402,
    "version": 0,
    "level": 4,
    "task": 106,
    "opcode": 37,
    "keywords": 4611686018427387904,
    "time_created": "2026-04-16T21:56:42.1393173+00:00",
    "event_record_id": 12,
    "correlation": {
      "ActivityID": "{CA27B9FB-05E9-46ED-A43C-B3EB30180000}"
    },
    "execution": {
      "process_id": 17100,
      "thread_id": 14148
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "JD-WIN11-22H2-1.ludus.domain",
    "security": {
      "user_id": "S-1-5-21-1006758700-2167138679-1475694448-1105"
    }
  },
  "event_data": {},
  "message": "The client is using hardware memory for the frame buffer."
}
```
## Event ID 1403: The client is using software memory for the frame buffer.

### Description

The client is using software memory for the frame buffer.

### Example Event

```json
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-ClientActiveXCore",
    "guid": "28AA95BB-D444-4719-A36F-40462168127E",
    "event_source_name": "",
    "event_id": 1403,
    "version": 0,
    "level": 4,
    "task": 106,
    "opcode": 38,
    "keywords": 4611686018427387904,
    "time_created": "2026-03-11T06:32:37.464424+00:00",
    "event_record_id": 5,
    "correlation": {
      "ActivityID": "2C2C9D66-5F3D-4BCB-872E-D1B715C30000"
    },
    "execution": {
      "process_id": 11236,
      "thread_id": 3796
    },
    "channel": "Microsoft-Windows-TerminalServices-RDPClient/Operational",
    "computer": "LAB-WIN11",
    "security": {
      "user_id": "S-1-5-21-3407486967-1585450050-1838039599-1000"
    }
  },
  "event_data": {},
  "message": ""
}
```
## Event ID 1404: The client encountered an issue while decoding and displaying RDP graphics (component: Component, function: Function, error code: ErrorCode).

## Event ID 1501: TraceMessage.

## Event ID 1502: TraceMessage.

## Event ID 1503: TraceMessage.

## Provenance

Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.

- ETW provider GUID: 28aa95bb-d444-4719-a36f-40462168127e
- Defined in mstscax.dll, which carries the event manifest.

Observed on:

- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.3915, captured 2026-06-02