------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Please note that we have an Enterprise Solution for gathering RDP event logs, which we strongly recommend using instead of this guide.
Link to the other KB
Gathering RDP event logs from Windows clients and server machines (10, Server 2012, 2016, 2019, etc)
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
This guide describes how to gather logs from mstsc.exe, which is often known as the Windows Desktop or Remote Desktop Connection app on Windows 10 machines.
1) Start the Windows Event Viewer by looking it up in the Start menu (type 'Event Viewer'), or as an alternative:
Use the Windows + R key combination to bring up the Run dialog, then enter eventvwr or eventvwr.msc and click OK.
2) When the Event Viewer is open, select the View option from the command bar and enable the Show Analytic and Debug Logs option:
Note: If this option is already enabled, then a small tick icon will be present in line with the text.
3) In the navigation pane on the left, expand Applications and Services Logs, then expand Microsoft, and under that expand Windows.
4) Under Windows please scroll down to and expand the TerminalServices-ClientActiveXCore:
Note: With the 'Show Analytic and Debug Logs' option enabled from step 2), you will be able to see the following 3 terminal services:
Microsoft-Windows-TerminalServices-RDPClient/Analytic
Microsoft-Windows-TerminalServices-RDPClient/Debug
Microsoft-Windows-TerminalServices-RDPClient/Operational
5) Right-click the RDPClient/Debug terminal service and enable logging via the 'Enable Log' option. Do the same for the RDPClient/Analytic terminal service if logging is not already enabled on it.
6) When all of the above is set, do not close the Event Viewer. Open the Remote Desktop Connection app and reproduce the RDP connection to the target.
7) After reproducing the connection attempt, please bring up the Event Viewer again and select the RDPClient/Debug terminal service from the navigation pane.
8) On the right side of the window, in the Actions pane, click on the 'Refresh' option: new events should appear under the selected service:
9) To save these new events to a file, right-click the selected terminal service in the navigation pane and choose the 'Save All Events As...' option:
10) As a final step, name and save the .evtx file.
Important: Please use the method described above to save the new events from all three terminal services mentioned, then provide the .evtx files to us as attachments under the service request.
Note: the previously enabled logging at step 5) can be disabled now, if no further reproductions will follow.
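The same procedure can be scripted with the built-in wevtutil.exe tool. The script below is an added example, not part of the original guide: it enables the Debug and Analytic logs, waits while the connection is reproduced, and exports all three logs to .evtx files. The output folder and the helper function name are assumptions, and the script disables logging before the export rather than after it, which is a choice of this example. Run it from an elevated PowerShell prompt.

```powershell
# Added example: scripted equivalent of steps 5) to 10) using wevtutil.exe.
$prefix   = 'Microsoft-Windows-TerminalServices-RDPClient'
$toEnable = "$prefix/Debug", "$prefix/Analytic"            # logs enabled in step 5)
$toExport = $toEnable + "$prefix/Operational"              # all three logs listed in step 4)
$outDir   = Join-Path $env:USERPROFILE 'Desktop\rdp-logs'  # assumption: output folder

# Hypothetical helper: run wevtutil and stop on a non-zero exit code.
function Invoke-Wevtutil {
    param([string[]]$Arguments)
    & wevtutil.exe @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "wevtutil $($Arguments -join ' ') failed with exit code $LASTEXITCODE"
    }
}

New-Item -ItemType Directory -Path $outDir -Force | Out-Null

try {
    foreach ($channel in $toEnable) {
        # Enabling an analytic or debug log clears it; /q:true suppresses
        # the confirmation prompt that wevtutil would otherwise show.
        Invoke-Wevtutil -Arguments @('sl', $channel, '/e:true', '/q:true')
    }

    # Steps 6) and 7): reproduce the connection attempt while logging is on.
    Read-Host 'Logging enabled. Reproduce the RDP connection with mstsc.exe, then press Enter' | Out-Null
}
finally {
    # Turn Debug and Analytic logging off again, even if a step above failed.
    foreach ($channel in $toEnable) {
        & wevtutil.exe sl $channel /e:false
    }
}

# Steps 9) and 10): save each log to its own .evtx file.
foreach ($channel in $toExport) {
    $file = Join-Path $outDir (($channel -replace '[\\/]', '_') + '.evtx')
    Invoke-Wevtutil -Arguments @('epl', $channel, $file, '/ow:true')
    Get-Item $file | Select-Object Name, Length
}
```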
© 2024 One Identity LLC. ALL RIGHTS RESERVED.