Microsoft-Windows-TerminalServices-RemoteConnectionManager
195 events across 5 channels
Event ID 256: Remote Desktop Services Remote Connection Manager is starting up
Description
Remote Desktop Services Remote Connection Manager is starting up.
Event ID 257: Remote Desktop Services Remote Connection Manager has finished start up.
Event ID 258: Listener listenerName has started listening.
Description
Listener has started listening.
Fields
| Name | Description |
|---|---|
| EventXML.listenerName | |
| listenerName | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "{C76BAA63-AE81-421C-B425-340B4B24157F}",
"event_source_name": "",
"event_id": 258,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-05-29T16:32:54.1040012+00:00",
"event_record_id": 173,
"correlation": {
"ActivityID": "{F462A52A-5DAA-46E2-960E-FB3B92800000}"
},
"execution": {
"process_id": 1300,
"thread_id": 1600
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"listenerName": "31C5CE94259D4006A9E4"
}
},
"message": "Listener 31C5CE94259D4006A9E4 has started listening"
}
Event ID 259: Listener listenerName has stopped listening.
Event ID 260: Listener listenerName failed while listening.
Event ID 261: Listener listenerName received a connection.
Description
Listener received a connection.
Fields
| Name | Description |
|---|---|
| listenerName | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 261,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2019-02-13T18:04:45.905782+00:00",
"event_record_id": 227,
"correlation": {},
"execution": {
"process_id": 1280,
"thread_id": 1876
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "PC01.example.corp",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
"listenerName": "RDP-Tcp"
}
},
"message": "Listener http://schemas.microsoft.com/win/2004/08/events received a connection"
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 262: Listener listenerName has been asked to stop listening.
Event ID 263: WDDM graphics mode is enabled
Description
WDDM graphics mode is enabled.
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 263,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-03-11T06:27:38.404213+00:00",
"event_record_id": 253,
"correlation": {
"ActivityID": "F4626F1C-FB1F-4005-81D8-895393540000"
},
"execution": {
"process_id": 1536,
"thread_id": 2316
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
Event ID 272: Connection with ID Param1 has started.
Event ID 273: Connection with ID Param1 for session Param2 has completed, total time Param3 (ms), stack time Param4 (ms).
Event ID 274: Reconnect connection ID Param1 to session Param2 took Param3 (ms).
Event ID 1003: The remote desktop client 'Param1' has provided an invalid license.
Event ID 1004: The Remote Desktop Session Host server cannot issue a client license.
Description
The Remote Desktop Session Host server cannot issue a client license. It was unable to issue the license due to a changed (mismatched) client license, insufficient memory, or an internal error. Further details for this problem may have been reported at the client's computer.
Event ID 1006: The RD Session Host server received large number of incomplete connections.
Description
The RD Session Host server received large number of incomplete connections. The system may be under attack.
Event ID 1011: The remote session could not be established from remote desktop client Param1 because its temporary license has expired.
Event ID 1012: Remote session from client name %1 exceeded the maximum allowed failed logon attempts
Event ID 1022: TermService clustering failed to redirect a client to an alternate clustered server, ntstatus=
Event ID 1024: TermService clustering failed to initialize because the Session Directory Provider failed to initialize, hresult=
Event ID 1035: RD Session Host Server listener stack was down
Event ID 1036: RD Session Host Server session creation failed
Event ID 1041: Autoreconnect failed to reconnect user to session because authentication failed
Event ID 1046: Failed to load RD Session Host Server Profile path
Event ID 1050: The RD Session Host Server listener %1 is configured with inconsistent authentication and encryption settings
Event ID 1051: The RD Session Host Server is configured to use SSL with user selected certificate, however, no usable certificate was found on the server
Event ID 1052: The RD Session Host Server is configured to use a certificate that will expire in %2 days
Event ID 1053: The RD Session Host Server is configured to use a certificate that is expired
Event ID 1054: The RD Session Host Server is configured to use a certificate that does not contain an Enhanced Key Usage attribute of Server Authentication
Event ID 1055: The RD Session Host Server is configured to use a certificate but is unable to access the private key associated with this certificate
Event ID 1056: A new self signed certificate to be used for RD Session Host Server authentication on SSL connections was generated
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"event_id": 1056,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-04-18T03:03:29.6241537+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "System"
},
"event_data": {
"Binary": "711E31623D227BA329E804181302537F5A6E304A",
"Data": "DESKTOP-FF3N5XK.ludus.domain"
}
}
Event ID 1056: A new self signed certificate to be used for RD Session Host Server authentication on SSL connections was generated
Fields
| Name | Description |
|---|---|
| Data_0 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "{C76BAA63-AE81-421C-B425-340B4B24157F}",
"event_source_name": "",
"event_id": 1056,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 36028797018963968,
"time_created": "2026-05-27T21:58:51.5401996+00:00",
"event_record_id": 1213,
"correlation": {},
"execution": {
"process_id": 2568,
"thread_id": 0
},
"channel": "System",
"computer": "telemetry-W11-d.cell-d.ludus.domain",
"security": {
"user_id": ""
}
},
"event_data": {
"Data_0": "telemetry-W11-d.cell-d.ludus.domain"
},
"message": "A new self signed certificate to be used for RD Session Host Server authentication on SSL connections was generated. The name on this certificate is telemetry-W11-d.cell-d.ludus.domain. The SHA1 hash of the certificate is in the event data."
}
Event ID 1057: The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections
Event ID 1058: The RD Session Host Server has failed to replace the expired self signed certificate used for RD Session Host Server authentication on SSL connections
Event ID 1059: The RD Session Host Server authentication certificate configuration data was invalid and the service reset it
Event ID 1060: The Remote Desktop Services User Home Directory was not set because the path specified does not exist or not accessible
Event ID 1062: The RD Session Host server is configured to use a template-based certificate for Transport Layer Security (TLS) 1
Event ID 1063: A new template-based certificate to be used by the RD Session Host server for Transport Layer Security (TLS) 1
Event ID 1064: The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1
Event ID 1065: The template-based certificate that is being used by the RD Session Host server for Transport Layer Security (TLS) 1
Event ID 1066: RD Session Host Server was unable to process session arbitration request
Event ID 1067: The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication
Event ID 1068: The RD Licensing mode has not been configured.
Description
The RD Licensing mode has not been configured.
Event ID 1069: The RD Licensing grace period has expired and Licensing mode for the Remote Desktop Session Host server has not been configured.
Description
The RD Licensing grace period has expired and Licensing mode for the Remote Desktop Session Host server has not been configured. Licensing mode must be configured for continuous operation.
Event ID 1070: A logon request was denied because the RD Session Host server is currently in drain mode and therefore not accepting new user logons
Event ID 1071: A connection request was denied because the RD Session Host server is currently configured to not accept connections
Event ID 1072: The cn column for the template-based certificate %1 returned an unknown data type
Event ID 1073: The msPKI-Cert-Template-OID column for the template-based certificate %1 returned an unknown data type
Event ID 1136: RD Session Host Server role is not installed.
Description
RD Session Host Server role is not installed.
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "{C76BAA63-AE81-421C-B425-340B4B24157F}",
"event_source_name": "",
"event_id": 1136,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-05-29T16:32:57.4737762+00:00",
"event_record_id": 178,
"correlation": {},
"execution": {
"process_id": 2492,
"thread_id": 3020
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "telemetry-DC-a.cell-a.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": "RD Session Host Server role is not installed."
}
Event ID 1137: The roaming user profile cache manager for Remote Desktop Services could not start.
Event ID 1138: The roaming user profile cache manager for Remote Desktop Services could not start because an incorrect value was specified for the monitoring inte...
Event ID 1139: The roaming user profile cache manager for Remote Desktop Services could not start because an incorrect value was specified for the maximum cache s...
Event ID 1140: The "Limit the size of the entire roaming user profile cache" Group Policy setting has been enabled, but the roaming user profile cache manager for...
Event ID 1141: The "Limit the size of the entire roaming user profile cache" Group Policy setting has been disabled, but the roaming user profile cache manager fo...
Event ID 1142: The "Limit the size of the entire roaming user profile cache" Group Policy setting has been enabled.
Description
The "Limit the size of the entire roaming user profile cache" Group Policy setting has been enabled.
Event ID 1143: The "Limit the size of the entire roaming user profile cache" Group Policy setting has been disabled.
Description
The "Limit the size of the entire roaming user profile cache" Group Policy setting has been disabled.
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 1143,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-03-13T18:27:00.338529+00:00",
"event_record_id": 177,
"correlation": {},
"execution": {
"process_id": 2248,
"thread_id": 10044
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 1144: The roaming user profile cache manager for Remote Desktop Services could not delete the roaming user profile for the user Param1.
Description
The roaming user profile cache manager for Remote Desktop Services could not delete the roaming user profile for the user Param1. The roaming user profile cache might still exceed the Param2 gigabyte limit. Error Code: Param3
Fields
| Name | Description |
|---|---|
| Param1 (UnicodeString) | |
| Param2 (UInt32) | |
| Param3 (UInt32) | |
Event ID 1145: The roaming user profile cache manager for Remote Desktop Services deleted the roaming user profile for the user Param1 because the roaming user profil...
Event ID 1146: Remote Desktop Services: Remote control session initiated.
Event ID 1147: Remote Desktop Services: Remote control session connection succeeded.
Event ID 1148: Remote Desktop Services: Remote control session connection failed.
Event ID 1149: Remote Desktop Services: User authentication succeeded.
Description
Remote Desktop Services: User authentication succeeded.
Fields
| Name | Description |
|---|---|
| Param1 | |
| Param2 | |
| Param3 | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 1149,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2019-02-13T18:04:57.452387+00:00",
"event_record_id": 228,
"correlation": {},
"execution": {
"process_id": 1280,
"thread_id": 2748
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "PC01.example.corp",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"xmlns:auto-ns2": "http://schemas.microsoft.com/win/2004/08/events",
"Param1": "admin01",
"Param2": "example",
"Param3": "127.0.0.1"
}
},
"message": "Remote Desktop Services: User authentication succeeded:\n\nUser: http://schemas.microsoft.com/win/2004/08/events\nDomain: admin01\nSource Network Address: example"
}
Community Notes
RDP user auth succeeded; combine with 4624 (successful logon)/4625 (logoff) to track lateral movement.
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1150: Remote Desktop Services: User config data have been merged.
Event ID 1151: The remote user's connection was declined by the logged on user.
Event ID 1152: Failed to create KVP sessions string.
Event ID 1153: Failed to write KVP sessions string.
Event ID 1154: Failed to open KVP registry key.
Event ID 1155: The Remote Connection Manager selected Kernel mode RDP protocol stack.
Description
The Remote Connection Manager selected Kernel mode RDP protocol stack.
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 1155,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2019-02-13T17:18:28.040385+00:00",
"event_record_id": 220,
"correlation": {
"ActivityID": "8F0C0C22-A5AA-4F83-B10F-0880AB96471F"
},
"execution": {
"process_id": 1280,
"thread_id": 1548
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "PC01.example.corp",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": "The Remote Connection Manager selected Kernel mode RDP protocol stack."
}
References
- Example event sourced from https://github.com/Yamato-Security/hayabusa-sample-evtx
Event ID 1156: The Remote Connection Manager selected User mode RDP protocol stack.
Description
The Remote Connection Manager selected User mode RDP protocol stack.
Event ID 1157: The listener named listenerName has modified some configuration settings.
Event ID 1158: Remote Desktop Services accepted a connection from IP address EventXML.Param1.
Description
Remote Desktop Services accepted a connection from IP address EventXML.Param1.
Fields
| Name | Description |
|---|---|
| Param1 (UnicodeString) | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 1158,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-13T16:46:57.106454+00:00",
"event_record_id": 4,
"correlation": {
"ActivityID": "F420602A-491C-41CA-97CE-1A07AEAA0000"
},
"execution": {
"process_id": 1472,
"thread_id": 4588
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin",
"computer": "LAB-WIN11.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"Param1": "198.51.100.2"
}
},
"message": ""
}
Event ID 1280: Remote Desktop Configuration service could not remove user Param1\Param2 from administrators group, error Code: Param3.
Event ID 1281: Remote Desktop Configuration service could not remove user Param1\Param2 from Remote Desktop Users group, error Code: Param3.
Event ID 1282: Remote Desktop Configuration service could not remove user with SID Param1 from administrators group, error Code: Param2.
Event ID 1283: Remote Desktop Configuration service could not remove user with SID Param1 from Remote Desktop Users group, error Code: Param2.
Event ID 1284: Remote Desktop Configuration service has added user Param1\Param2 to administrators group.
Event ID 1285: Remote Desktop Configuration service has added user Param1\Param2 to Remote Desktop Users group.
Event ID 1286: Remote Desktop Configuration service has removed user with SID Param1 from administrators group.
Event ID 1287: Remote Desktop Configuration service has removed user with SID Param1 from Remote Desktop Users group.
Event ID 1288: Remote Desktop Configuration service has removed user Param1\Param2 from administrators group.
Event ID 1289: Remote Desktop Configuration service has removed user Param1\Param2 from Remote Desktop Users group.
Event ID 20480: Remote Desktop Services Network Fair Share started.
Description
Remote Desktop Services Network Fair Share started.
Event ID 20481: Remote Desktop Services Network Fair Share stopped.
Description
Remote Desktop Services Network Fair Share stopped.
Event ID 20482: Remote Desktop Services Network Fair Share was enabled for the user account Param1 with a weight of Param2.
Event ID 20483: Remote Desktop Service Network Fairshare has been enabled for connection on session Param1 with weight of Param2.
Event ID 20484: Remote Desktop Services could not enable Network Fair Share for the user account Param1.
Event ID 20485: Remote Desktop Services could not enable Network Fair Share for the connection on session Param1.
Event ID 20486: Remote Desktop Services could not enable Network Fair Share for session Param1.
Event ID 20487: Remote Desktop Services Network Fair Share was disabled for the user account Param1.
Event ID 20488: Remote Desktop Services Network Fair Share was disabled for the connection on session Param1.
Event ID 20489: Remote Desktop Services could not disable Network Fair Share for the user account Param1.
Event ID 20490: Remote Desktop Services could not disable Network Fair Share for the connection on session Param1.
Event ID 20491: Remote Desktop Services could not disconnect a user disk for the user account with a SID of Param1.
Event ID 20492: Remote Desktop Services could not detach a user disk for the user account with a SID of Param1.
Event ID 20493: Remote Desktop Services could not apply a user desktop for a user account with a SID of Param1.
Description
Remote Desktop Services could not apply a user desktop for a user account with a SID of Param1. A temporary profile was enforced for the user. Verify that the user profile disk settings are correct. The error code is Param2.Param3
Fields
| Name | Description |
|---|---|
| Param1 (UnicodeString) | |
| Param2 (HexInt32) | |
| Param3 (Int32) | |
Event ID 20494: Remote Desktop Services could not obtain a user profile disk for the user account with a SID of Param1.
Description
Remote Desktop Services could not obtain a user profile disk for the user account with a SID of Param1. Verify that the user profile disk location is accessible, the server's computer account has read and write permissions to it, and that the location has a user profile disk template file present. The error code is Param2.Param3
Fields
| Name | Description |
|---|---|
| Param1 (UnicodeString) | |
| Param2 (HexInt32) | |
| Param3 (Int32) | |
Event ID 20495: Remote Desktop Services could not attach a user profile disk for a user account with a SID of Param1.
Event ID 20496: Remote Desktop Services could not apply a user desktop for a user account with a SID of Param1.
Description
Remote Desktop Services could not apply a user desktop for a user account with a SID of Param1. A temporary profile could not be enforced for the user. The user will get a normal profile, and the user's state will be discarded when the user logs off. Verify that the user profile disk settings are correct. The error code is Param2.Param3
Fields
| Name | Description |
|---|---|
| Param1 (UnicodeString) | |
| Param2 (HexInt32) | |
| Param3 (Int32) | |
Event ID 20497: The RD Licensing has taken too long to process the client license
Description
The RD Licensing has taken too long to process the client license.
Event ID 20498: Remote Desktop Services has taken too long to complete the client connection
Description
Remote Desktop Services has taken too long to complete the client connection.
Event ID 20499: Remote Desktop Services has taken too long to load the user configuration from server UserName for user ServerName.
Event ID 20500: Remote Desktop Services took time milliseconds to load the user configuration from server UserName for user ServerName.
Event ID 20501: Remote Desktop Services failed to shutdown within the time allocated
Description
Remote Desktop Services failed to shutdown within the time allocated.
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 20501,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-13T18:32:00.352717+00:00",
"event_record_id": 7,
"correlation": {},
"execution": {
"process_id": 1480,
"thread_id": 12992
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin",
"computer": "LAB-DC01.ludus.domain",
"security": {
"user_id": "S-1-5-20"
}
},
"event_data": {},
"message": ""
}
Event ID 20502: Remote Desktop Services failed to retrieve information about a connection for session Session within the time allocated.
Event ID 20503: Shadow View Session Started.
Event ID 20504: Shadow View Session Stopped.
Event ID 20506: Shadow Control Session Started.
Event ID 20507: Shadow Control Session Stopped.
Event ID 20508: Shadow View Permission Granted.
Event ID 20509: Shadow View Permission Denied.
Event ID 20510: Shadow Control Permission Granted.
Event ID 20511: Shadow Control Permission Denied.
Event ID 20512: Shadow Session Failure.
Event ID 20513: Shadow Session Failure.
Event ID 20514: Shadow Session Failure.
Event ID 20515: Session Session has been idle over its time limit, and was logged off.
Event ID 20516: Session Session has been idle over its time limit, and was disconnected.
Event ID 20517: Session Session has exceeded its time limit, and was logged off.
Event ID 20518: Session Session has exceeded its time limit, and was disconnected.
Event ID 20519: Session Session has exceeded its disconnect time limit, and was logged off.
Event ID 20520: User config info will be loaded from domain controller for this Param1 connection.
Event ID 20521: User config info will be loaded from local machine for this EventXML.Param1 connection.
Description
User config info will be loaded from local machine for this EventXML.Param1 connection.
Fields
| Name | Description |
|---|---|
| Param1 (UnicodeString) | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 20521,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 4611686018427387904,
"time_created": "2026-03-11T06:31:11.531699+00:00",
"event_record_id": 16,
"correlation": {
"ActivityID": "F420649C-F05B-4253-B980-683E9A630000"
},
"execution": {
"process_id": 1536,
"thread_id": 2316
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"Param1": "RDP-Tcp"
}
},
"message": ""
}
Event ID 20522: Shadow Session Clipboard Copy Request.
Event ID 20523: Connection from listener EventXML.ListenerName will have terminal class of EventXML.Class.
Description
Connection from listener EventXML.ListenerName will have terminal class of EventXML.Class.
Fields
| Name | Description |
|---|---|
| ListenerName (UnicodeString) | |
| Class (GUID) | |
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"guid": "C76BAA63-AE81-421C-B425-340B4B24157F",
"event_source_name": "",
"event_id": 20523,
"version": 0,
"level": 4,
"task": 0,
"opcode": 0,
"keywords": 1152921504606846976,
"time_created": "2026-03-11T06:27:24.766379+00:00",
"event_record_id": 244,
"correlation": {
"ActivityID": "F462B7C1-94B7-4A0B-B9BF-0F6B56B60000"
},
"execution": {
"process_id": 1536,
"thread_id": 1836
},
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-20"
}
},
"user_data": {
"EventXML": {
"ListenerName": "31C5CE94259D4006A9E4",
"Class": "D5993EAE-8D06-4A05-9CB4-94CEA280DC6B"
}
},
"message": ""
}
Event ID 20524: Supplemental Kerberos credentials are not configured
Description
Supplemental Kerberos credentials are not configured.
Example Event
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
"event_id": 20524,
"level": 4,
"task": 0,
"opcode": 0,
"time_created": "2026-04-18T03:03:29.3344433+00:00",
"computer": "DESKTOP-FF3N5XK.ludus.domain",
"channel": "Microsoft-Windows-TerminalServices-RemoteConnectionManager"
},
"event_data": {}
}
Event ID 20525: Successfully updated supplemental Kerberos credential Param1 in Param2 logon session.
Event ID 20526: Successfully removed supplemental Kerberos credential Param1 from Param2 logon session.
Event ID 20527: Failed to update supplemental Kerberos credentials.
Event ID 20528: Failed to update supplemental Kerberos credential Param1 in Param2 logon session.
Event ID 20529: Failed to remove supplemental Kerberos credential Param1 from Param2 logon session.
Event ID 20530: Supplemental Kerberos credential Param1 configuration is invalid.
Event ID 20531: Remote Desktop Service's Threadpool is in terminated state.
Description
Remote Desktop Service's Threadpool is in terminated state. Remote Desktop Connections may not work, this usually happens when TermService is being shutdown. If this was unintentional, restart Termservice manually.
Event ID 24576: Remote Desktop Configuration service could not remove user {Param1}\{Param2} from administrators group; error Code: {Param3}.
Event ID 24577: Remote Desktop Configuration service could not remove user with SID {Param1} from administrators group; error Code: {Param2}.
Event ID 24578: Remote Desktop Configuration service has added user {Param1}\{Param2} to administrators group.
Event ID 50180: The remote session could not be established from remote desktop client Param1 because its license could not be renewed.
Event ID 50195: The Remote Desktop Session Host server cannot communicate with the Remote Desktop license server Param1.
Description
The Remote Desktop Session Host server cannot communicate with the Remote Desktop license server Param1. Ensure that the computer account for the Remote Desktop Session Host server is a member of the RDS Endpoint Servers group on the license server.
Fields
| Name | Description |
|---|---|
| Param1 (UnicodeString) | |
Event ID 50213: Remote Desktop Session Host server was unable to retrieve users licensing information from AD.
Event ID 50214: Remote Desktop Session Host server was successfully validated errorCode licensing information from AAD.
Event ID 50215: Remote Desktop Session Host server was unable to retrieve user licensing information from AAD.
Event ID 50216: Remote Desktop Session Host server was unable to validate RDS license.
Event ID 50280: The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses.
Description
The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses. A RD Licensing server is required for continuous operation. A Remote Desktop Session Host server can operate without a license server for 120 days after initial start up.
Event ID 50281: The RD Licensing grace period is about to expire on Param1 and the service has not registered with a license server with installed licenses.
Description
The RD Licensing grace period is about to expire on Param1 and the service has not registered with a license server with installed licenses. A RD Licensing server is required for continuous operation. A Remote Desktop Session Host server can operate without a license server for 120 days after initial start up.
Fields
| Name | Description |
|---|---|
| Param1 (UnicodeString) | |
Event ID 50282: The Remote Desktop Session Host server does not have a Remote Desktop license server specified.
Description
The Remote Desktop Session Host server does not have a Remote Desktop license server specified. To specify a license server for the Remote Desktop Session Host server, use the Remote Desktop Session Host Configuration tool.
Event ID 50283: The Remote Desktop Session Host server could not contact the Remote Desktop license server Param1.
Description
The Remote Desktop Session Host server could not contact the Remote Desktop license server Param1. Ensure that the Remote Desktop Licensing service is running on the license server, that the license server is accepting network requests, and that the license server is registered in WINS and DNS.
Fields
| Name | Description |
|---|---|
| Param1 (UnicodeString) | |
Event ID 50284: The Remote Desktop license server Param1 does not support the version of the operating system running on the Remote Desktop Session Host server.
#Event ID 50285: The certificate issued by the Remote Desktop license server to the Remote Desktop Session Host server is not valid.
#Description
The certificate issued by the Remote Desktop license server to the Remote Desktop Session Host server is not valid. The license server will not issue Remote Desktop Services client access licenses to clients connecting to the Remote Desktop Session Host server. To resolve this issue, delete the certificate on the Remote Desktop Session Host server and then restart the Remote Desktop Services service.
Message #
Event ID 50304: The Remote Desktop Virtualization Host server cannot issue a client license.
#Description
The Remote Desktop Virtualization Host server cannot issue a client license. It was unable to issue the license due to a changed (mismatched) client license, insufficient memory, or an internal error. Further details for this problem may have been reported at the client's computer.
Message #
Event ID 50305: The RD Licensing grace period has expired and Licensing mode for the Remote Desktop Virtualization Host server has not been configured.
#Description
The RD Licensing grace period has expired and Licensing mode for the Remote Desktop Virtualization Host server has not been configured. Licensing mode must be configured for continuous operation.
Message #
Event ID 50306: The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses.
#Description
The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses. A RD Licensing server is required for continuous operation. A Remote Desktop Virtualization Host server can operate without a license server for 120 days after initial start up.
Message #
Event ID 50307: The RD Licensing grace period is about to expire on Param1 and the service has not registered with a license server with installed licenses.
#Description
The RD Licensing grace period is about to expire on Param1 and the service has not registered with a license server with installed licenses. A RD Licensing server is required for continuous operation. A Remote Desktop Virtualization Host server can operate without a license server for 120 days after initial start up.
Message #
Fields #
| Name | Description |
|---|---|
| Param1 UnicodeString | |
Event ID 50308: The Remote Desktop Virtualization Host server does not have a Remote Desktop license server specified.
#Description
The Remote Desktop Virtualization Host server does not have a Remote Desktop license server specified. To specify a license server for the Remote Desktop Virtualization Host server, use the RDS module for Windows PowerShell.
Message #
Event ID 50309: The Remote Desktop Virtualization Host server could not contact the Remote Desktop license server Param1.
#Description
The Remote Desktop Virtualization Host server could not contact the Remote Desktop license server Param1. Ensure that the Remote Desktop Licensing service is running on the license server, that the license server is accepting network requests, and that the license server is registered in WINS and DNS.
Message #
Fields #
| Name | Description |
|---|---|
| Param1 UnicodeString | |
Event ID 50310: The Remote Desktop license server Param1 does not support the version of the operating system running on the Remote Desktop Virtualization Host server.
Event ID 50311: The certificate issued by the Remote Desktop license server to the Remote Desktop Virtualization Host server is not valid.
#Description
The certificate issued by the Remote Desktop license server to the Remote Desktop Virtualization Host server is not valid. The license server will not issue licenses to clients connecting to the Remote Desktop Virtualization Host server. To resolve this issue, delete the certificate on the Remote Desktop Virtualization Host server and then restart the Remote Desktop Services service.
Message #
Event ID 50312: The Remote Desktop Virtualization Host server cannot communicate with the Remote Desktop license server Param1.
#Description
The Remote Desktop Virtualization Host server cannot communicate with the Remote Desktop license server Param1. Ensure that the computer account for the Remote Desktop Virtualization Host server is a member of the RDS Endpoint Servers group on the license server.
Message #
Fields #
| Name | Description |
|---|---|
| Param1 UnicodeString | |
Event ID 1073742836: Remote session from client name %1 exceeded the maximum allowed failed logon attempts.
#Description
Remote session from client name %1 exceeded the maximum allowed failed logon attempts. The session was forcibly terminated.
Message #
Event ID 3221226494: TermService clustering failed to redirect a client to an alternate clustered server, ntstatus=.
#Description
TermService clustering failed to redirect a client to an alternate clustered server, ntstatus=.
Message #
Event ID 3221226496: TermService clustering failed to initialize because the Session Directory Provider failed to initialize, hresult=.
#Description
TermService clustering failed to initialize because the Session Directory Provider failed to initialize, hresult=.
Message #
Event ID 3221226507: RD Session Host Server listener stack was down.
#Description
RD Session Host Server listener stack was down. The relevant status code .
Message #
Event ID 3221226508: RD Session Host Server session creation failed.
#Description
RD Session Host Server session creation failed. The relevant status code was .
Message #
Event ID 3221226513: Autoreconnect failed to reconnect user to session because authentication failed.
#Description
Autoreconnect failed to reconnect user to session because authentication failed. ().
Message #
Event ID 3221226518: Failed to load RD Session Host Server Profile path.
#Description
Failed to load RD Session Host Server Profile path. Note that the profile path must be less than 256 characters in length. User Name: Domain.
Message #
Event ID 3221226522: The RD Session Host Server listener %1 is configured with inconsistent authentication and encryption settings.
#Description
The RD Session Host Server listener %1 is configured with inconsistent authentication and encryption settings. The Encryption Level is currently set to %2 and Security Layer is set to %3. These settings were automatically corrected to allow connections to proceed. Please change the Security Layer and Encryption Level settings in Group Policy or by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder.
Message #
Event ID 3221226523: The RD Session Host Server is configured to use SSL with user selected certificate, however, no usable certificate was found on the server.
#Description
The RD Session Host Server is configured to use SSL with user selected certificate, however, no usable certificate was found on the server. The default certificate will be used for RD Session Host Server authentication from now on. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder.
Message #
Event ID 3221226524: The RD Session Host Server is configured to use a certificate that will expire in %2 days.
#Description
The RD Session Host Server is configured to use a certificate that will expire in %2 days. %1 The SHA1 hash of the certificate is in the event data. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder.
Message #
Event ID 3221226525: The RD Session Host Server is configured to use a certificate that is expired.
#Description
The RD Session Host Server is configured to use a certificate that is expired. %1 The SHA1 hash of the certificate is in the event data. The default certificate will be used for RD Session Host Server authentication from now on. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder.
Message #
Event ID 3221226526: The RD Session Host Server is configured to use a certificate that does not contain an Enhanced Key Usage attribute of Server Authentication.
#Description
The RD Session Host Server is configured to use a certificate that does not contain an Enhanced Key Usage attribute of Server Authentication. %1 The SHA1 hash of the certificate is in the event data. The default certificate will be used for RD Session Host Server authentication from now on. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder.
Message #
Event ID 3221226527: The RD Session Host Server is configured to use a certificate but is unable to access the private key associated with this certificate.
#Description
The RD Session Host Server is configured to use a certificate but is unable to access the private key associated with this certificate. %1 The SHA1 hash of the certificate is in the event data. The default certificate will be used for RD Session Host Server authentication from now on. Please check the security settings by using the Remote Desktop Session Host Configuration tool in the Administrative Tools folder.
Message #
Event ID 3221226528: A new self signed certificate to be used for RD Session Host Server authentication on SSL connections was generated.
#Description
A new self signed certificate to be used for RD Session Host Server authentication on SSL connections was generated. The name on this certificate is %1. The SHA1 hash of the certificate is in the event data.
Message #
Example Event #
The logged event_id is 1056, the low 16 bits of the 32-bit identifier 3221226528 (0xC0000420).
{
  "system": {
    "provider": "Microsoft-Windows-TerminalServices-RemoteConnectionManager",
    "event_id": 1056,
    "level": 4,
    "task": 0,
    "opcode": 0,
    "time_created": "2026-04-18T03:03:29.6241537+00:00",
    "computer": "DESKTOP-FF3N5XK.ludus.domain",
    "channel": "System"
  },
  "event_data": {
    "Binary": "711E31623D227BA329E804181302537F5A6E304A",
    "Data": "DESKTOP-FF3N5XK.ludus.domain"
  }
}
Event ID 3221226529: The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections.
#Description
The RD Session Host Server has failed to create a new self signed certificate to be used for RD Session Host Server authentication on SSL connections. The relevant status code was .
Message #
Event ID 3221226530: The RD Session Host Server has failed to replace the expired self signed certificate used for RD Session Host Server authentication on SSL connecti...
#Description
The RD Session Host Server has failed to replace the expired self signed certificate used for RD Session Host Server authentication on SSL connections. The relevant status code was .
Message #
Event ID 3221226531: The RD Session Host Server authentication certificate configuration data was invalid and the service reset it.
#Description
The RD Session Host Server authentication certificate configuration data was invalid and the service reset it. If the computer was configured to use a specific certificate, please verify it is available in the certificate store and use the administrative tools to select it again.
Message #
Event ID 3221226532: The Remote Desktop Services User Home Directory was not set because the path specified does not exist or not accessible.
#Description
The Remote Desktop Services User Home Directory was not set because the path specified does not exist or not accessible. The default Home Directory Path was used instead. User Name: Domain.
Message #
Event ID 3221226533: Remote Desktop Session Host server was unable to retrieve users Licensing information from AD.
Event ID 3221226534: The RD Session Host server is configured to use a template-based certificate for Transport Layer Security (TLS) 1.
#Description
The RD Session Host server is configured to use a template-based certificate for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption, but the subject name on the certificate is invalid. %1 The SHA1 hash of the certificate is in the event data. Therefore, the default certificate will be used by the RD Session Host server for authentication. To resolve this issue, make sure that template used to create this certificate is configured to use DNS name as subject name .
Message #
Event ID 3221226535: A new template-based certificate to be used by the RD Session Host server for Transport Layer Security (TLS) 1.
#Description
A new template-based certificate to be used by the RD Session Host server for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption has been installed. The name for this certificate is %1. The SHA1 hash of the certificate is provided in the event data.
Message #
Event ID 3221226536: The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.
#Description
The RD Session Host server cannot install a new template-based certificate to be used for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption. The following error occured: %1.
Message #
Event ID 3221226537: The template-based certificate that is being used by the RD Session Host server for Transport Layer Security (TLS) 1.
#Description
The template-based certificate that is being used by the RD Session Host server for Transport Layer Security (TLS) 1.0\Secure Sockets Layer (SSL) authentication and encryption has expired and cannot be replaced by the RD Session Host server. The following error occurred: %1.
Message #
Event ID 3221226538: RD Session Host Server was unable to process session arbitration request.
#Description
RD Session Host Server was unable to process session arbitration request. Error.
Message #
Event ID 3221226539: The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication.
#Description
The RD Session Host server cannot register 'TERMSRV' Service Principal Name to be used for server authentication. The following error occured: .
Message #
Event ID 3221226542: A logon request was denied because the RD Session Host server is currently in drain mode and therefore not accepting new user logons.
#Description
A logon request was denied because the RD Session Host server is currently in drain mode and therefore not accepting new user logons. To configure the server to allow new user logons, use the Remote Desktop Services Configuration tool.
Message #
Event ID 3221226543: A connection request was denied because the RD Session Host server is currently configured to not accept connections.
#Description
A connection request was denied because the RD Session Host server is currently configured to not accept connections. To configure the server to allow connections, use the chglogon command-line tool.
Message #
Event ID 3221226544: The cn column for the template-based certificate %1 returned an unknown data type %2.
#Description
The cn column for the template-based certificate %1 returned an unknown data type %2.
Message #
Event ID 3221226545: The msPKI-Cert-Template-OID column for the template-based certificate %1 returned an unknown data type %2.
#Description
The msPKI-Cert-Template-OID column for the template-based certificate %1 returned an unknown data type %2.
Message #
Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID c76baa63-ae81-421c-b425-340b4b24157f
Defined in termsrv.dll, which carries the event manifest.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.2849, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02