Remote-access Guide

remote access event id

by Lauriane Braun Published 2 years ago Updated 1 year ago

RDP Event IDs, Description and Event specifications:

| Event ID | Description | Event Location | Event specifications |
|---|---|---|---|
| 21 | Remote Desktop Services: Session Logon S ... | Microsoft-Windows- ... | Logon |
| 22 | Remote Desktop Services: Shell start not ... | Microsoft-Windows-TerminalServices-L ... | Logon |
| 23 | Remote Desktop Services: Session Logoff ... | Microsoft-Windows-TerminalServices-L ... | Process termination |
| 24 | Remote Desktop Services: Session has bee ... | Microsoft-Windows-TerminalServices-L ... | Terminal Service – Local Session |
Jul 24 2022

Windows logs this event when a user disconnects from a terminal server (aka remote desktop) session, as opposed to a full logoff, which triggers event 4647 or 4634.
...
Windows Security Log Event ID 4779.
Operating Systems: Windows 2008 R2 and 7; Windows 2012 R2 and 8.1; Windows 2016 and 10; Windows Server 2019 and 2022
Type: Success

Full Answer

What is the event ID for the routing and remote access service?

Event ID: 7024 The Routing and Remote Access service terminated with service-specific error 31 (0x1F). Event ID: 7024 The Routing and Remote Access service terminated with service-specific error 20205 (0x4EED).

What is the error code for the routing and remote access service?

The Routing and Remote Access service terminated with service-specific error 2 (0x2). The old error was (the Routing and Remote Access service terminated with service-specific error 31 (0x1F)). I realize this is probably too late for you, but I had this problem, and was able to solve it.

How do I perform a simulated operation on the remote access server?

To demonstrate a simulated operations issue on the Remote Access server, you must stop the (IPHlpSvc) network service. On the Start screen of the Remote Access server, click Administrative Tools, and then double-click Services. In the list of Services, scroll down and right-click IP Helper, and then click Stop.

What is an event log ID?

This ID is unique for each logon session and is also present in various other Event Log entries, making it theoretically useful for tracking/delineating a specific user’s activities, particularly on systems allowing multiple logged on users.


What is the event ID for remote desktop?

EventID 21 – this event appears after a user has been successfully authenticated (Remote Desktop Services: Session logon succeeded). These events are located in “Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-LocalSessionManager -> Operational”.

What is Event ID 40?

Event ID - 40 This event is logged when the event logging service encountered an error when attempting to apply one or more policy settings. Resolution. Group Policy settings need to be changed.

What is Event ID 1024?

This event is logged when Product Update could not be installed. Resolution. Review the system log file. Microsoft Windows Installer encountered an error while installing, updating, or removing an application. For more information about the error, you will need to open Event Viewer and examine the System log file.

What is event ID 300?

This event is created when Windows Hello for Business is successfully created and registered with Azure Active Directory (Azure AD). Applications or services can trigger actions on this event. For example, a certificate provisioning service can listen to this event and trigger a certificate request.

How do I trace a remote desktop connection?

To view this remote desktop activity log, go to the Event Viewer, under Applications and Services Logs -> Microsoft -> Windows -> TerminalServices-RemoteConnectionManager -> Operational.

Where are Windows RDS logs stored?

How to collect logs. This file is located in the %windir%\Logs folder.

How do I find Windows software installation logs?

View the Windows Setup event logs: Start the Event Viewer, expand the Windows Logs node, and then click System. In the Actions pane, click Open Saved Log and then locate the Setup.etl file. By default, this file is available in the %WINDIR%\Panther directory. The log file contents appear in the Event Viewer.

What is TSTheme EXE?

The genuine TSTheme.exe file is a software component of Microsoft Windows Operating System by Microsoft Corporation. Microsoft's genuine "TSTheme.exe" executable is the TSTheme Server Module, residing in "C:\Windows\System32".

When reviewing an event with an event ID of 4624, what is the significance of a Type 2 Logon?

Both network and interactive logons are recorded by event ID 4624. The logon type fields shown in the chart below are useful because they help you to identify how the user logged on. Logon type 2 indicates an interactive logon at the console. Type 3 indicates a network logon.

What is OAlerts?

This system is known as the Windows Event Viewer. If you have a copy of the MS Office Suite (Word, Excel, PowerPoint, etc.) installed on your machine, then a special log exists tied specifically to those applications. This is the “OAlerts.evtx” log and it can be examined using the Windows Event Viewer.

Does Windows Hello Work with Active Directory?

For cloud deployments, you can use Windows Hello for Business with Azure Active Directory-joined, Hybrid Azure Active Directory-joined, or Azure AD registered devices. Windows Hello for Business also works for domain joined devices.

How do you fix schannel errors?

How to Fix Schannel Error Event ID 36887 – 4 Methods [Partition Manager]
Fix 1: Modify Your Registry.
Fix 2: Uninstall Windows Update Patch KB3161606.
Fix 3: Perform SFC and DISM Scan.
Fix 4: Disable TLS.

What is Windows schannel?

The Microsoft Secure Channel or Schannel is a security package that facilitates the use of Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS) encryption on Windows platforms.

What is schannel Fatal Alert 70?

It means communication with the server was attempted using a recognized but unsupported TLS version. If your server is set to accept only communications using TLS 1.2 or newer, for example, then anything that tries to communicate via TLS 1.1 or lower will throw this error.

Simulate an operations issue

Because your Remote Access server is probably configured properly and not experiencing any issues, you can use the following procedure to simulate an operations issue. If your server is currently servicing clients in a production environment, you may not want to take these actions at this time.

Identify the operations issue and take corrective action

Turning off the IP Helper service will cause a serious error on the Remote Access server. The monitoring dashboard will show the operations status of the server and the details of the issue.

Restore the IP Helper service

To restore the IP Helper service on your Remote Access server, you can follow the Resolution steps above to start or restart the service, or you can use the following procedure to reverse the procedure that you used to simulate the IP Helper service failure.

Question

Okay, we have some serious problem here with starting the Routing and Remote Access service on Windows 2008 SBS server,

All replies

Whatever else, please put back the IPv6. Contrary to what you may find when searching for fixes, deleting/removing IPv6 is NOT recommended, and in fact may break more things. See the blog post on issues after disabling IPv6, which also addresses the proper steps for disabling IPv6 if it's necessary.

Network Connection

This section covers the first indications of an RDP logon – the initial network connection to a machine.

Authentication

This section covers the authentication portion of the RDP connection – whether or not the logon is allowed based on success/failure of username/password combo.

Logon

This section covers the ensuing (post-authentication) events that occur upon successful authentication and logon to the system.

Logoff

This section covers the events that occur after a purposeful (Start -> Disconnect, Start -> Logoff) logoff.

Wrap-Up

Hopefully that provides a little better insight into some of the most common and (IME) most empirically useful RDP-related Event logs, when/where you might encounter them, what they mean, what they look like, and (most importantly) how they all fit together.
