Note:I translated Japanese into English using Google Translate.
Thank you, Google.
- Windows 10: ID 1149 is recorded when Alice's account is successfully logged on via RDP.
- Windows 10: If you specify the RestrictedAdmin option, the username and domain will be blank.
- Windows 10: If you turn off NLA and log on with Rdesktop, ID 1149 will not be recorded.
What kind of user operation is event ID 1149 recorded? Let's check the record in Windows 10 environment.
Enable Remote Desktop on Windows 10 (1809). NLA is ON.
Start "mstsc.exe" on Windows Server 2019. IP address is specified as the connection destination.
If the Alice account is successfully logged on, ID 1149 is recorded in "Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational".
The ID 1149 is not recorded if the authentication fails, such as the user has made a mistake in the password.
Disconnect RDP connection and connect again.ID 1149 is recorded.
Use Remmina as an RDP client. If logon is successful, ID 1149 is recorded.
Executed with the /restrictedadmin option specified in mstsc. (I have changed the registry settings and enabled RestrictedAdmin mode.)
If the logon is successful, the ID 1149 will be recorded but the username and domain will be blank.
When port forwarding is used at the loopback address.
Another user is logged on, and session arbitration occurs and select "NO". Also in this case, ID 1149 is recorded. (When this screen is displayed, the Alice account has successfully logged on. ID 4624 is recorded.)
Next, turn off NLA.
Use rdesktop as an RDP client. In this case, the ID 1149 is not recorded even if the Alice account is successfully logged on.
In Windows 7 RDP, you can see the following screen. However, I was not able to reproduce the same situation on Windows 10.
So I got a comment from @grayfold3d ! Thank you!
For details, please refer to his tweets.
I created an .RDP file and added the following to the end.
The following screen I was expecting was displayed!
So I checked the event log. ID 1149 was not recorded.
After the above screen is displayed, even if Alice successfully logs on, ID 1149 is not recorded.
The recording pattern of ID 1149 was different between Windows 7 and Windows 10.
By the way, I did not know the mstsc "/public" option. The option suppresses the registry and bitmap cache.
Verification environment: Windows Server 2019 1809, Windows 10 1809, Time zone UTC