What Is It?
The TerminalServices-LocalSessionManager log contains entries about the allocation of local sessions, which are used for both local and remote interactive logins. It is updated by the Local Session Manager part of Remote Desktop Services (previously called Terminal Services).
What Does It Contain?
This log contains audit information associated with the Local Session Manager (LSM). Though similarly named, local sessions are different from logon sessions.
- A local session stores the logon sessions, desktop layout, etc. for a user’s interactive login (remote or local).
- A logon session is a security concept that defines the access that processes have based on the account that was authenticated.
The Local Session Manager is responsible for creating, destroying, and reconnecting local sessions.
- Local sessions are created when a user logs in for the first time after a logoff or a system reboot.
- Local sessions are closed when a user logs out.
- Local sessions are reconnected when a user switches between local and remote logins or when the remote login disconnects.
  - Microsoft calls this Fast User Switching (see the Fast User Switching link under Sources below).
The log contains many types of events, such as when local sessions:
- Are created
- Are closed
- Are reconnected
- Are disconnected
A list of events is given below.
Relevance to DFIR?
This event log is useful when investigating inbound Windows RDP remote logins and local interactive logins. RDP can be used by attackers to remotely control a system once they have account credentials.
Note that if the attackers used remote access software other than Windows RDP, then this log will not have entries for those logins.
Storage Details
The event log file can be found at:
%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx
It can be disabled by setting the Enabled value under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WINEVT\Channels\Microsoft-Windows-TerminalServices-LocalSessionManager/Operational to 0.
Inbound Logon Events
The notable event IDs in this log include:
- Event ID 21 – Session logon succeeded
- Event ID 22 – Shell start notification received
- Event ID 23 – Session logoff succeeded
- Event ID 24 – Session has been disconnected
- Event ID 25 – Session reconnection succeeded
- Event ID 39 – Session has been disconnected by another session
  - Explicit disconnect (source and target session IDs are the same) or kicked off (different session IDs)
- Event ID 40 – Session disconnect with reason
  - Can also be logged for a reconnect
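As an added example (not part of the original page and not Cyber Triage's own code), the following Python script takes per-event XML records from this channel, such as those returned by Get-WinEvent's ToXml() or by an EVTX parser, and reconstructs a per-session timeline from the event IDs listed above. The sample records are constructed. The EventXML field names it relies on (User, SessionID and Address for events 21 to 25; TargetSession and Source for event 39; Session and Reason for event 40) are assumed from typical Windows records and should be checked against your own export.

```python
"""Reconstruct local-session activity from TerminalServices-LocalSessionManager events.

Input records are the per-event XML that Get-WinEvent's .ToXml() (or an EVTX parser)
produces for this channel.  Every record below is constructed sample data."""
import xml.etree.ElementTree as ET
from collections import defaultdict

EVT_NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"
DATA_NS = "{Event_NS}"  # namespace of <UserData><EventXML> in this channel (assumed)

# Event IDs covered on this page and the label used for them in the timeline.
EVENT_LABELS = {
    21: "session logon",
    22: "shell start",
    23: "session logoff",
    24: "session disconnected",
    25: "session reconnected",
    39: "disconnected by another session",
    40: "disconnect with reason",
}


def _record(event_id, time, body):
    # Build one constructed sample record in the channel's XML layout.
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        '<System><Provider Name="Microsoft-Windows-TerminalServices-LocalSessionManager"/>'
        f'<EventID>{event_id}</EventID><TimeCreated SystemTime="{time}"/></System>'
        f'<UserData><EventXML xmlns="Event_NS">{body}</EventXML></UserData></Event>'
    )


# Constructed sample data (not from a real host).  Field names are assumed, see lead-in.
SAMPLE_RECORDS = [
    _record(21, "2024-03-01T09:00:00Z", "<User>CORP\\alice</User><SessionID>3</SessionID><Address>10.0.0.5</Address>"),
    _record(22, "2024-03-01T09:00:05Z", "<User>CORP\\alice</User><SessionID>3</SessionID><Address>10.0.0.5</Address>"),
    _record(24, "2024-03-01T09:30:00Z", "<User>CORP\\alice</User><SessionID>3</SessionID><Address>10.0.0.5</Address>"),
    _record(25, "2024-03-01T10:00:00Z", "<User>CORP\\alice</User><SessionID>3</SessionID><Address>10.0.0.9</Address>"),
    _record(39, "2024-03-01T10:45:00Z", "<TargetSession>3</TargetSession><Source>3</Source>"),
    _record(40, "2024-03-01T10:45:00Z", "<Session>3</Session><Reason>0</Reason>"),  # reason code kept raw
    _record(23, "2024-03-01T11:00:00Z", "<User>CORP\\alice</User><SessionID>3</SessionID>"),
    _record(21, "2024-03-01T12:00:00Z", "<User>CORP\\bob</User><SessionID>4</SessionID><Address>LOCAL</Address>"),
    _record(39, "2024-03-01T12:10:00Z", "<TargetSession>4</TargetSession><Source>5</Source>"),
]


def parse_event(xml_text):
    """Flatten one LSM event into a dict keyed on a common 'session' field."""
    root = ET.fromstring(xml_text)
    system = root.find(EVT_NS + "System")
    event_id = int(system.findtext(EVT_NS + "EventID"))
    when = system.find(EVT_NS + "TimeCreated").get("SystemTime")
    data_el = root.find(EVT_NS + "UserData/" + DATA_NS + "EventXML")
    data = {c.tag.replace(DATA_NS, ""): (c.text or "").strip() for c in data_el}
    # Events 21-25 carry SessionID; event 39 names the affected session TargetSession;
    # event 40 names it Session.
    session = data.get("SessionID") or data.get("TargetSession") or data.get("Session")
    return {"time": when, "id": event_id, "label": EVENT_LABELS.get(event_id, "other"),
            "session": session, "user": data.get("User"), "address": data.get("Address"),
            "data": data}


def classify_39(event):
    """Event 39: equal source and target session IDs mean the user disconnected explicitly;
    different IDs mean the session was kicked off by another session."""
    d = event["data"]
    if d["TargetSession"] == d["Source"]:
        return "explicit disconnect"
    return "kicked off by session " + d["Source"]


def build_timeline(records):
    """Group parsed events by local session ID and order each group in time."""
    sessions = defaultdict(list)
    for rec in records:
        ev = parse_event(rec)
        if ev["id"] == 39:
            ev["label"] = classify_39(ev)
        sessions[ev["session"]].append(ev)
    for evs in sessions.values():
        evs.sort(key=lambda e: e["time"])  # stable sort keeps log order for equal times
    return dict(sessions)


def addresses_seen(timeline, session):
    """Source addresses on the logon (21) and reconnect (25) events of one session, in order.
    A reconnect from a different address than the original logon is worth a closer look."""
    return [e["address"] for e in timeline[session] if e["id"] in (21, 25)]


if __name__ == "__main__":
    tl = build_timeline(SAMPLE_RECORDS)
    for sid, evs in tl.items():
        print(f"session {sid}: addresses {addresses_seen(tl, sid)}")
        for e in evs:
            print(f"  {e['time']}  id={e['id']:<3} {e['label']:<32} "
                  f"user={e['user'] or '-'} addr={e['address'] or '-'}")
```

The timeline groups on the local session ID rather than the user name because, as the page notes, a session is reconnected across disconnects and Fast User Switching; following the session ID is what ties a 21 logon to its later 24/25/39/40 events and the closing 23. Console logons appear with Address LOCAL in the constructed data, so the same code covers both local and RDP interactive logins.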
Cyber Triage Status
Cyber Triage collects this log file and parses it to make Inbound Logon sessions.
Sources
- https://learn.microsoft.com/en-us/windows-hardware/customize/desktop/unattend/microsoft-windows-terminalservices-localsessionmanager
- https://ponderthebits.com/2018/02/windows-rdp-related-event-logs-identification-tracking-and-investigation
- https://dfironthemountain.wordpress.com/2019/02/15/rdp-event-log-dfir/
- https://learn.microsoft.com/en-us/windows/win32/shell/fast-user-switching
- https://www.microsoftpressstore.com/articles/article.aspx?p=2224373&seqNum=7
- https://digitalforensicsurvivalpodcast.com/2023/01/31/dfsp-363-rdp-forensics/
- https://openxmldeveloper.org/uncovering-the-role-of-lsm-exe-how-it-helps-manage-windows-operating-systems/