Ask a new question

Hacked? RDP logs on Windows 11 Home edition

A few days ago, I decided to check Event Viewer Logs after noticing a few oddities with my PC. I have Windows 11 Home Edition installed, so RDP should be disabled by default. Yet I found hundreds of events logged in the Terminal Service Local Session Manager Operational Logs. The events had the EventIDs 21, 22, 23, 24, 34, 39, 40, 41, 42, 54 (and probably some more). There were multiple Events logged each day, yet I never used RDP once, and as I've previously mentioned, I have Windows 11 Home Edition installed. I did a clean reset not that long ago, so now I'm suspecting that I was hacked, the Hacker already established persistance and uses RDP as one of his tools. Can someone confirm/deny my suspicions?

Hi

Welcome to Microsoft community.

I'm glad to help you.

Have you used any third-party software that involves remote operations? This type of software may also cause system events.

At the same time, you can also create a new local account to check if the offline local account has the same problem.

The clean reset you described uses the reset option in Windows Settings. If it's just a simple reset, I recommend that you back up your data after a clean reinstall of your Windows and check if the problem is gone.

Disclaimer: Please back up all your important data before performing it.

The above steps can help you rule out if your computer has been hacked.

If anything is unclear, please do not hesitate to let me know.

Best regards

Derrick Qian | Microsoft Community Support Specialist

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

Hi

Welcome to Microsoft community.

I'm glad to help you.

Have you used any third-party software that involves remote operations? This type of software may also cause system events.

At the same time, you can also create a new local account to check if the offline local account has the same problem.

The clean reset you described uses the reset option in Windows Settings. If it's just a simple reset, I recommend that you back up your data after a clean reinstall of your Windows and check if the problem is gone.

Disclaimer: Please back up all your important data before performing it.

The above steps can help you rule out if your computer has been hacked.

If anything is unclear, please do not hesitate to let me know.

Best regards

Derrick Qian | Microsoft Community Support Specialist

Thank you for taking the time to respond.

No, I don't use any kind of third-party software that could've caused this. What's more, the first RDP-logs happened while I was still setting up the reinstalled OS (the first ~10 attempts were all logged as failure for that very reason). I did use the Windows reset option, but with a Cloud-install and with secure erasing of every personal data. At the time I was convinced that this would be enough.

1 person found this reply helpful

·

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

PS: Because you asked me to create a new local account: I always logged in as Administrator with my Microsoft-account (I know now that this is a bad practice). Does this generate Local Session Manager Operational Logs?

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

Hi

Thanks for your reply.

The new administrator local account is just to check whether the same problem will occur again. You don't need to worry too much. Once the test is completed, you can delete the new administrator local account.

Was this reply helpful?

Sorry this didn't help.

Great! Thanks for your feedback.

How satisfied are you with this reply?

Thanks for your feedback, it helps us improve the site.

How satisfied are you with this reply?

Thanks for your feedback.

 
 

Question Info

Last updated April 17, 2025 Views 1,058 Applies to: