Microsoft-Windows-TerminalServices-LocalSessionManager
47 events across 3 channels
Event ID 10: LogonProcessingStart
#Event ID 11: LogonProcessingStop
#Event ID 16: Local Multi-User session manager failed to start.
#Event ID 17: Remote Desktop Service start failed.
#Description
Remote Desktop Service start failed. The relevant status code was EventXML.Param1.
Message #
Fields #
| Name | Description |
|---|---|
Param1 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
"event_source_name": "",
"event_id": 17,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-03-13T18:28:58.767431+00:00",
"event_record_id": 199,
"correlation": {},
"execution": {
"process_id": 1216,
"thread_id": 1252
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"Param1": "0x80010108"
}
},
"message": ""
}
Event ID 18: Remote Desktop Service is shutdown for unknown reason.
#Description
Remote Desktop Service is shutdown for unknown reason. Will recover in one minute.
Message #
Event ID 19: Registering with Service Control Manager to monitor Remote Desktop Service status failed with Param1, retry in ten minutes.
#Description
Registering with Service Control Manager to monitor Remote Desktop Service status failed with Param1, retry in ten minutes.
Message #
Fields #
| Name | Description |
|---|---|
Param1 HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"event_id": 19,
"level": "Error",
"task": null,
"opcode": "Info",
"time_created": "2026-03-17T19:22:46.0368215+00:00",
"computer": "JD-DC01-2022.ludus.domain",
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational"
},
"event_data": {
"Param1": "0x8007045b"
}
}
Event ID 20: Attempt to send messageName message to Windows video subsystem failed.
#Event ID 21: Remote Desktop Services: Session logon succeeded.
#Description
Remote Desktop Services: Session logon succeeded.
Message #
Fields #
| Name | Description | Rules |
|---|---|---|
EventXML.User | ||
EventXML.SessionID | ||
EventXML.Address | 1 detection rule | |
User | ||
SessionID | ||
Address | 1 detection rule |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "{5D896912-022D-40AA-A3A8-4FA5515C76D7}",
"event_source_name": "",
"event_id": 21,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-05-29T16:33:56.6854498+00:00",
"event_record_id": 109,
"correlation": {
"ActivityID": "{61A55000-55E5-1017-0000-000000000000}"
},
"execution": {
"process_id": 1056,
"thread_id": 5280
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"User": "cell-a\\domainadmin",
"SessionID": "1",
"Address": "LOCAL"
}
},
"message": "Remote Desktop Services: Session logon succeeded:\r\n\r\nUser: cell-a\\domainadmin\r\nSession ID: 1\r\nSource Network Address: LOCAL"
}
Detection Patterns #
TerminalServices-LocalSessionManager Event ID 21: Remote Desktop Services: Session logon succeeded.OREvent ID 24: Remote Desktop Services: Session has been disconnected.OREvent ID 25: Remote Desktop Services: Session reconnection succeeded.ORTerminalServices-RemoteConnectionManager Event ID 1149: Remote Desktop Services: User authentication succeeded.
1 rule
Community Notes #
Remote desktop services shell start. Occurs when a user successfully establishes a session and the shell starts, confirming a successful interactive logon.
Detection Rules #
View all rules referencing this event →Sigma # view in coverage
References #
Event ID 22: Remote Desktop Services: Shell start notification received.
#Description
Remote Desktop Services: Shell start notification received.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.User | |
EventXML.SessionID | |
EventXML.Address | |
User | |
SessionID | |
Address |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "{5D896912-022D-40AA-A3A8-4FA5515C76D7}",
"event_source_name": "",
"event_id": 22,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-05-29T16:33:57.4792419+00:00",
"event_record_id": 110,
"correlation": {
"ActivityID": "{61A55000-55E5-1017-0000-000000000000}"
},
"execution": {
"process_id": 1056,
"thread_id": 5276
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"User": "cell-a\\domainadmin",
"SessionID": "1",
"Address": "LOCAL"
}
},
"message": "Remote Desktop Services: Shell start notification received:\r\n\r\nUser: cell-a\\domainadmin\r\nSession ID: 1\r\nSource Network Address: LOCAL"
}
References #
Event ID 23: Remote Desktop Services: Session logoff succeeded.
#Description
Remote Desktop Services: Session logoff succeeded.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.User | |
EventXML.SessionID | |
User | |
SessionID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "{5D896912-022D-40AA-A3A8-4FA5515C76D7}",
"event_source_name": "",
"event_id": 23,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-06-13T05:22:33.7568572+00:00",
"event_record_id": 112,
"correlation": {
"ActivityID": "{61A55000-55E5-1017-0000-000000000000}"
},
"execution": {
"process_id": 1048,
"thread_id": 7996
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"User": "cell-c\\domainadmin",
"SessionID": "1"
}
},
"message": "Remote Desktop Services: Session logoff succeeded:\r\n\r\nUser: cell-c\\domainadmin\r\nSession ID: 1"
}
References #
Event ID 24: Remote Desktop Services: Session has been disconnected.
#Description
Remote Desktop Services: Session has been disconnected.
Message #
Fields #
| Name | Description |
|---|---|
User | |
SessionID | |
Address |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
"event_source_name": "",
"event_id": 24,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2024-11-22T22:49:17.027344+00:00",
"event_record_id": 2333,
"correlation": {
"ActivityID": "F42007FF-53B7-440F-9169-DEE2D7900000"
},
"execution": {
"process_id": 896,
"thread_id": 2060
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "EC2AMAZ-3NFFVNI",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"User": "EC2AMAZ-3NFFVNI\\samurai",
"SessionID": 5,
"Address": "198.51.100.2"
}
},
"message": "Remote Desktop Services: Session has been disconnected:\n\nUser: EC2AMAZ-3NFFVNI\\samurai\nSession ID: 5\nSource Network Address: 198.51.100.2"
}
Detection Patterns #
TerminalServices-LocalSessionManager Event ID 21: Remote Desktop Services: Session logon succeeded.OREvent ID 24: Remote Desktop Services: Session has been disconnected.OREvent ID 25: Remote Desktop Services: Session reconnection succeeded.ORTerminalServices-RemoteConnectionManager Event ID 1149: Remote Desktop Services: User authentication succeeded.
1 rule
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 25: Remote Desktop Services: Session reconnection succeeded.
#Description
Remote Desktop Services: Session reconnection succeeded.
Message #
Fields #
| Name | Description |
|---|---|
User | |
SessionID | |
Address |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
"event_source_name": "",
"event_id": 25,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2024-11-22T22:48:31.312554+00:00",
"event_record_id": 2323,
"correlation": {
"ActivityID": "F4209548-02F6-4100-AC4D-324EFFDE0000"
},
"execution": {
"process_id": 896,
"thread_id": 4048
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "EC2AMAZ-3NFFVNI",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"User": "EC2AMAZ-3NFFVNI\\samurai",
"SessionID": 4,
"Address": "198.51.100.2"
}
},
"message": "Remote Desktop Services: Session reconnection succeeded:\n\nUser: EC2AMAZ-3NFFVNI\\samurai\nSession ID: 4\nSource Network Address: 198.51.100.2"
}
Detection Patterns #
TerminalServices-LocalSessionManager Event ID 21: Remote Desktop Services: Session logon succeeded.OREvent ID 24: Remote Desktop Services: Session has been disconnected.OREvent ID 25: Remote Desktop Services: Session reconnection succeeded.ORTerminalServices-RemoteConnectionManager Event ID 1149: Remote Desktop Services: User authentication succeeded.
1 rule
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 32: Plugin EventXML.messageName has been successfully initialized.
#Description
Plugin EventXML.messageName has been successfully initialized.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.messageName | |
messageName |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "{5D896912-022D-40AA-A3A8-4FA5515C76D7}",
"event_source_name": "",
"event_id": 32,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-05-29T16:32:52.7785637+00:00",
"event_record_id": 106,
"correlation": {},
"execution": {
"process_id": 1056,
"thread_id": 1068
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"messageName": "RDSAppXPlugin"
}
},
"message": "Plugin RDSAppXPlugin has been successfully initialized"
}
Event ID 33: Plugin messageName failed to initialize, error code errorCode.
#Event ID 34: Remote Desktop Services is not accepting logons because setup is running.
#Description
Remote Desktop Services is not accepting logons because setup is running.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
"event_source_name": "",
"event_id": 34,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2023-11-06T06:25:36.031054+00:00",
"event_record_id": 106,
"correlation": {},
"execution": {
"process_id": 500,
"thread_id": 828
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "WinDev2310Eval",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 35: The client process ID Param1 could not complete the session change notification event sent by the Remote Desktop service.
#Event ID 36: An error occurred when transitioning from StateName in response to EventName.
#Description
An error occurred when transitioning from StateName in response to EventName. (ErrorCode ErrorCode).
Message #
Fields #
| Name | Description |
|---|---|
SessionId UInt32 | |
State UInt32 | |
StateName UnicodeString | |
Event UInt32 | |
EventName UnicodeString | |
ErrorCode HexInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
"event_source_name": "",
"event_id": 36,
"version": 0,
"level": 2,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-03-11T03:44:33.193581+00:00",
"event_record_id": 292,
"correlation": {
"ActivityID": "F420E753-C56A-42F2-970E-8E110D740000"
},
"execution": {
"process_id": 1296,
"thread_id": 2560
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {
"SessionId": 4294967295,
"State": 0,
"StateName": "Initialized",
"Event": 1,
"EventName": "EvCreated",
"ErrorCode": "0xd00002fe"
},
"message": ""
}
Event ID 37: Invalid state transition from StateName in response to EventName.
#Event ID 38: Transitioned successfully from PreviousStateName to NewStateName in response to EventName.
#Event ID 39: Session EventXML.TargetSession has been disconnected by session EventXML.Source.
#Description
Session EventXML.TargetSession has been disconnected by session EventXML.Source.
Message #
Fields #
| Name | Description |
|---|---|
TargetSession UInt32 | |
Source UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
"event_source_name": "",
"event_id": 39,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-03-09T00:30:16.216244+00:00",
"event_record_id": 187,
"correlation": {
"ActivityID": "24F57002-F5E4-489C-B423-8C6CF136BD9B"
},
"execution": {
"process_id": 1288,
"thread_id": 3064
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"TargetSession": 1,
"Source": 1
}
},
"message": ""
}
Event ID 40: Session 5 has been disconnected, reason code 12
#Description
Session has been disconnected, reason code.
Message #
Fields #
| Name | Description |
|---|---|
Session | |
Reason |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "5D896912-022D-40AA-A3A8-4FA5515C76D7",
"event_source_name": "",
"event_id": 40,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2024-11-22T22:49:16.916898+00:00",
"event_record_id": 2332,
"correlation": {
"ActivityID": "F42007FF-53B7-440F-9169-DEE2D7900000"
},
"execution": {
"process_id": 896,
"thread_id": 2060
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "EC2AMAZ-3NFFVNI",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"Session": 5,
"Reason": 12
}
},
"message": "Session 5 has been disconnected, reason code 12"
}
References #
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 41: Begin session arbitration.
#Description
Begin session arbitration.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.User | |
EventXML.SessionID | |
User | |
SessionID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "{5D896912-022D-40AA-A3A8-4FA5515C76D7}",
"event_source_name": "",
"event_id": 41,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-05-29T16:33:48.1776171+00:00",
"event_record_id": 107,
"correlation": {
"ActivityID": "{61A55000-55E5-1017-0000-000000000000}"
},
"execution": {
"process_id": 1056,
"thread_id": 5280
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"User": "cell-a\\domainadmin",
"SessionID": "1"
}
},
"message": "Begin session arbitration:\r\n\r\nUser: cell-a\\domainadmin\r\nSession ID: 1"
}
Event ID 42: End session arbitration.
#Description
End session arbitration.
Message #
Fields #
| Name | Description |
|---|---|
EventXML.User | |
EventXML.SessionID | |
User | |
SessionID |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "{5D896912-022D-40AA-A3A8-4FA5515C76D7}",
"event_source_name": "",
"event_id": 42,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-05-29T16:33:48.1836886+00:00",
"event_record_id": 108,
"correlation": {
"ActivityID": "{61A55000-55E5-1017-0000-000000000000}"
},
"execution": {
"process_id": 1056,
"thread_id": 5280
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"user_data": {
"EventXML": {
"User": "cell-a\\domainadmin",
"SessionID": "1"
}
},
"message": "End session arbitration:\r\n\r\nUser: cell-a\\domainadmin\r\nSession ID: 1"
}
Event ID 43: Windows Subsystem has taken too long to process Connect event for session Session.
#Event ID 44: Windows Subsystem has taken too long to process Disconnect event for session Session.
#Event ID 45: Windows Subsystem has taken too long to process Terminate event for session Session.
#Event ID 48: Remote Connection Manager has taken too long to process logon message for session Session.
#Event ID 49: Remote Connection Manager has taken too long to prepare for session arbitration for session Session.
#Event ID 50: Remote Connection Manager has taken too long to process begin-connect-message for session Session.
#Event ID 51: Remote Connection Manager has taken too long to process end-connect-message for session Session.
#Event ID 52: Remote Connection Manager has taken too long to process begin-disconnect-message for session Session.
#Event ID 53: Remote Connection Manager has taken too long to process end-disconnect-message for session Session.
#Event ID 54: Local multi-user session manager received system shutdown message
#Description
Local multi-user session manager received system shutdown message.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"guid": "{5D896912-022D-40AA-A3A8-4FA5515C76D7}",
"event_source_name": "",
"event_id": 54,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-06-13T05:22:31.8771663+00:00",
"event_record_id": 111,
"correlation": {},
"execution": {
"process_id": 1048,
"thread_id": 7996
},
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager/Operational",
"computer": "telemetry-DC-c.cell-c.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "Local multi-user session manager received system shutdown message"
}
Event ID 55: Remote Desktop Service has taken too long to start up
#Description
Remote Desktop Service has taken too long to start up.
Message #
Event ID 56: Remote Desktop Service has taken too long to shutdown
#Description
Remote Desktop Service has taken too long to shutdown.
Message #
Event ID 57: Session SessionID has started with Initial Command Process ID InitCmdPid and Windows Subsystem Process ID Win32kPid.
#Event ID 58: Session SessionID has started with Initial Command Process ID InitCmdPid (InitCmdName) and Windows Subsystem Process ID Win32kPid.
#Event ID 59: Function from CallerImageName( #0xSessionId/0xClientProcessId ).
#Description
Function from CallerImageName( #0xSessionId/0xClientProcessId ).
Message #
Fields #
| Name | Description |
|---|---|
Function AnsiString | |
CallerImageName UnicodeString | |
SessionId UInt32 | |
ClientProcessId UInt32 |
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-LocalSessionManager",
"event_id": 59,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-04-28T02:27:38.2994946+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-TerminalServices-LocalSessionManager"
},
"event_data": {}
}
Event ID 60: Glass session SessionID has been reconnected to a remote protocol, this session can now only be reconnect locally or from same remote protocol.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID 5d896912-022d-40aa-a3a8-4fa5515c76d7
Defined in lsm.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.3089, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02