Remote Desktop Shell Start- Local

Question

Why do I have an EVENT indicating Remote Desktop Shell was started on the LOCAL network address?

I am using Windows11 Home

I have uninstalled:

Remote Desktop and Quick Assist

I do EVERYTHING possible to ensure I do not have any remote activity on my computer.

This is NOT the only concern regarding Remote Activity on/ in my computer

Microsoft-Windows-TerminalServices-LocalSessionManager/Operational

TerminalServices-LocalSessionManager

Event ID: 22

Remote Desktop Services: Shell start notification received:

User: OCT***********\DFly

Session ID: 2

Source Network Address: LOCAL

*** Moved from Windows / Windows 11 / Security and privacy ***

Answer 1

Hello,

Can you recognize the user account: OCT*********\DFly . If this is a legitimate user account on your computer, it could mean that the user (or a process running under that user's context) started a Remote Desktop session.

By default, Windows 11 Home does not support incoming Remote Desktop connections. However, the event you are seeing (Event ID 22) with Source Network Address: LOCAL suggests that a Remote Desktop session was started locally on the machine itself, rather than from an external source.

I hope this information helps.

Best regards,

Karlie Weng

Answer 2

VERY HELPFUL!!

THANK YOU!!!!!

The User Account is mine

Nothing should be creating a Remote Desktop Connection

Where do I go from here??!!!

Answer 3

Hi,

When you monitor the timing of these remote connection events, have you noticed any patterns? Could it be that some software is triggering this activity? Have you conducted a full virus scan? Additionally, you might want to consider disabling the Remote Desktop connection on port 3389 through the firewall to prevent any incoming network traffic