Legitimate users getting blocked
User OS: Windows 10 Home Edition, fully updated
Dest OS: Windows 11 LTSC, fully updated, no special group policies at all, all by default
Method of access: the standard MSTSC application, login/password are saved.
For some reasons EvlWatcher randomly blocks the user trying to connect from their PC.
It happens every week or so, IOW, most login attempts go through but some result in a block.
I've no idea why it's happening since the login/password are saved and never entered manually, i.e. there should be no failed login attempts.
Same here. I don't recommend using this software. At first it worked with no issue. 2 days later it started to block legitimate users. I didn't find any failed attempt that could cause it. And, same as you, users have their passwords saved.
This is weird that this happens to you, but interesting nonetheless. Could you check if logging in with a saved password produces an event log entry in any of these channels:
Microsoft-Windows-SMBServer/Security
Security
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational
Application
and if so, post the event log entry please.
These are the events that pop up in Security:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4776</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>14336</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:32:35.146224800Z" />
<EventRecordID>4940126</EventRecordID>
<Correlation ActivityID="{a8cb33be-36c0-0001-4506-cca8c036dc01}" />
<Execution ProcessID="612" ThreadID="1192" />
<Channel>Security</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
<Data Name="PackageName">MICROSOFT_AUTHENTICATION_PACKAGE_V1_0</Data>
<Data Name="TargetUserName">administrador</Data>
<Data Name="Workstation">RCT-FICHADAS</Data>
<Data Name="Status">0x0</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4648</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:32:35.147143200Z" />
<EventRecordID>4940127</EventRecordID>
<Correlation ActivityID="{a8cb33be-36c0-0000-2634-cba8c036dc01}" />
<Execution ProcessID="612" ThreadID="1192" />
<Channel>Security</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">RCT-FICHADAS$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetUserName">Administrador</Data>
<Data Name="TargetDomainName">RCT-FICHADAS</Data>
<Data Name="TargetLogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TargetServerName">localhost</Data>
<Data Name="TargetInfo">localhost</Data>
<Data Name="ProcessId">0x8d8</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">My_IP_Address</Data>
<Data Name="IpPort">0</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4624</EventID>
<Version>2</Version>
<Level>0</Level>
<Task>12544</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:32:35.147163200Z" />
<EventRecordID>4940128</EventRecordID>
<Correlation ActivityID="{a8cb33be-36c0-0000-2634-cba8c036dc01}" />
<Execution ProcessID="612" ThreadID="1192" />
<Channel>Security</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">RCT-FICHADAS$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-144813216-1237421318-2777882272-500</Data>
<Data Name="TargetUserName">Administrador</Data>
<Data Name="TargetDomainName">RCT-FICHADAS</Data>
<Data Name="TargetLogonId">0x2561091</Data>
<Data Name="LogonType">10</Data>
<Data Name="LogonProcessName">User32 </Data>
<Data Name="AuthenticationPackageName">Negotiate</Data>
<Data Name="WorkstationName">RCT-FICHADAS</Data>
<Data Name="LogonGuid">{00000000-0000-0000-0000-000000000000}</Data>
<Data Name="TransmittedServices">-</Data>
<Data Name="LmPackageName">-</Data>
<Data Name="KeyLength">0</Data>
<Data Name="ProcessId">0x8d8</Data>
<Data Name="ProcessName">C:\Windows\System32\svchost.exe</Data>
<Data Name="IpAddress">My_IP_Address</Data>
<Data Name="IpPort">0</Data>
<Data Name="ImpersonationLevel">%%1833</Data>
<Data Name="RestrictedAdminMode">%%1843</Data>
<Data Name="TargetOutboundUserName">-</Data>
<Data Name="TargetOutboundDomainName">-</Data>
<Data Name="VirtualAccount">%%1843</Data>
<Data Name="TargetLinkedLogonId">0x0</Data>
<Data Name="ElevatedToken">%%1842</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-Auditing" Guid="{54849625-5478-4994-a5ba-3e3b0328c30d}" />
<EventID>4627</EventID>
<Version>0</Version>
<Level>0</Level>
<Task>12554</Task>
<Opcode>0</Opcode>
<Keywords>0x8020000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:32:35.147182600Z" />
<EventRecordID>4940129</EventRecordID>
<Correlation ActivityID="{a8cb33be-36c0-0000-2634-cba8c036dc01}" />
<Execution ProcessID="612" ThreadID="1192" />
<Channel>Security</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
<Data Name="SubjectUserSid">S-1-5-18</Data>
<Data Name="SubjectUserName">RCT-FICHADAS$</Data>
<Data Name="SubjectDomainName">WORKGROUP</Data>
<Data Name="SubjectLogonId">0x3e7</Data>
<Data Name="TargetUserSid">S-1-5-21-144813216-1237421318-2777882272-500</Data>
<Data Name="TargetUserName">Administrador</Data>
<Data Name="TargetDomainName">RCT-FICHADAS</Data>
<Data Name="TargetLogonId">0x2561091</Data>
<Data Name="LogonType">10</Data>
<Data Name="EventIdx">1</Data>
<Data Name="EventCountTotal">1</Data>
<Data Name="GroupMembership">
%{S-1-5-21-144813216-1237421318-2777882272-513}
%{S-1-1-0}
%{S-1-5-114}
%{S-1-5-32-544}
%{S-1-5-32-545}
%{S-1-5-14}
%{S-1-5-4}
%{S-1-5-11}
%{S-1-5-15}
%{S-1-5-113}
%{S-1-2-0}
%{S-1-5-64-10}
%{S-1-16-12288}</Data>
</EventData>
</Event>
These appear in Application:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Desktop Window Manager" />
<EventID Qualifiers="16384">9027</EventID>
<Level>4</Level>
<Task>0</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:32:34.783139500Z" />
<EventRecordID>8239</EventRecordID>
<Channel>Application</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="49152">16394</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:32:36.298764900Z" />
<EventRecordID>8240</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="16384">8230</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:32:39.501894100Z" />
<EventRecordID>8241</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
<Data>Security-SPP-Action-StateData (REG_SZ) =AppId=55c92734-d682-4d71-983e-d6ec3f16059f;GraceEndDate=2038/01/19:03:13:37;LastConsumptionReason=0x00000000;LastNotificationId=VolumeRenewalRequired;LicenseState=SL_LICENSING_STATUS_LICENSED;PartialProductKey=J464C;ProductKeyType=Volume:GVLK;SkuId=de32eafd-aaee-4662-9444-c1befb41bde2;ruleId=502ff3ba-669a-4674-bbb1-601f34a3b968;uxDifferentiator=ENVIRONMENT;volumeActivationOrder=normal</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="16384">1003</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:32:39.845649700Z" />
<EventRecordID>8242</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
<Data>55c92734-d682-4d71-983e-d6ec3f16059f</Data>
<Data>
1: 22105925-48c3-4ff4-a294-f654bb27e390, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
2: 281c216a-5957-439b-adf2-aff4098a2bdd, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
3: 2e7a9ad1-a849-4b56-babe-17d5a29fe4b4, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
4: 3c006fa7-3b03-45a4-93da-63ddc1bdce11, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
5: 4285bbda-6219-4c1a-98e9-859e60d669fb, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
6: 44a5b4c3-e4b1-483b-81e8-0f78f4d98283, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
7: 661f7658-7035-4b4c-9f35-010682943ec2, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
8: 6bad0243-1c35-46b2-b8e6-7a853e37413f, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
9: 82fcf64d-f9dd-4411-9c79-f2eed16d4eb8, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
10: 84e331f6-4279-48c4-ab10-b75139181351, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
11: 8ea56c31-fe6e-4d56-9d17-8dc1ab35dd8b, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
12: 92114319-12ea-4bca-9d63-8740de9feff3, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
13: 9db83b52-9904-4326-8957-ebe6feedf37c, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
14: c2d23e1f-ee3e-4533-9094-e6dc0b8aa049, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
15: d07edbd8-02cb-49b1-8358-f2de7afd8a4d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
16: de32eafd-aaee-4662-9444-c1befb41bde2, 1, 1 [(0 [0x00000000, 1, 0], [(?)( 1 0x00000000)(?)( 2 0x00000000 0 0 msft:rm/algorithm/volume/1.0 0x00000000 6458921)(?)(?)( 10 0x00000000 msft:rm/algorithm/flags/1.0)(?)])(1 )(2 )(3 )]
17: e73aabfa-12bc-4705-b551-2dd076bebc7d, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
18: e936f630-5125-4a39-b1de-544d6c036491, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
19: fd946594-6f0d-4c5c-9bf7-f5f628ecd0b9, 1, 0 [(0 [0xC004F014, 0, 0], [(?)(?)(?)(?)(?)(?)(?)(?)])(1 )(2 )(3 )]
</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="49152">8198</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:32:39.892517900Z" />
<EventRecordID>8243</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
<Data>hr=0x80004005</Data>
<Data>RuleId=502ff3ba-669a-4674-bbb1-601f34a3b968;Action=AutoActivateSilent;AppId=55c92734-d682-4d71-983e-d6ec3f16059f;SkuId=de32eafd-aaee-4662-9444-c1befb41bde2;NotificationInterval=1440;Trigger=UserLogon;SessionId=3</Data>
</EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-Security-SPP" Guid="{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}" EventSourceName="Software Protection Platform Service" />
<EventID Qualifiers="16384">16384</EventID>
<Version>0</Version>
<Level>4</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2025-10-08T18:33:09.895226700Z" />
<EventRecordID>8244</EventRecordID>
<Correlation />
<Execution ProcessID="0" ThreadID="0" />
<Channel>Application</Channel>
<Computer>Rct-Fichadas</Computer>
<Security />
</System>
<EventData>
<Data>2025-10-09T18:32:09Z</Data>
<Data>RulesEngine</Data>
</EventData>
</Event>
Hope I didn't miss any. There were a bunch, but none in Microsoft-Windows-SMBServer/Security. I found many more in Microsoft-Windows-RemoteDesktopServices-RdpCoreTS/Operational, but there were too many, like 54 events. At first glance I didn't see any error. If you want, I can put them here; it's going to take a while.
EDIT: Never mentioned this, but in my case I have Windows Server 2019 Standard version 1809 comp 17763.7009
Hi @birdie-github and @juankorn, it seems that the default settings threshold of 5 connections (pass OR fail, both are counted) in 120 seconds is too strict for Server 2019 connections. While the threshold is good for everyday use in Win10/Win11 workgroup environments, Windows Server 2016+ is very verbose in its log output. Specifically, since the program is watching the Windows logs for events pertaining to RDP, and those logs are verbose, that limit is reached quite quickly.
Thankfully, it's an easy fix to change in the config.xml file. Simply raise the threshold from 5 events in 2 mins (120 seconds) to 10 or 20 events in 5 mins (300 seconds). This will allow more flexibility for users to connect, while still preventing the hammering on RDP ports that EvlWatcher is used for directly.
https://github.com/devnulli/EvlWatcher/blob/8ba46b59ba0be93a65e98b3855be15d40a83a1da/Source/EvlWatcher/EvlWatcher/config.xml#L147
Simply change these values, restart the service, and verify that you're no longer getting this issue. Be aware this might take a bit of tweaking to dial in to your use case. Hope this helps! Let's continue to troubleshoot if you have questions. Thanks!
@devnulli I can't find any error other than this setting that would prevent further connections. Let me know if I'm missing something obvious on this. 👍
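To make the trade-off in the comment above concrete, here is an added example (not EvlWatcher's own code, and not the poster's) that re-implements the counting rule as described there: every RDP logon event from a source address, successful or failed, counts toward N events in W seconds, and a source that reaches N is flagged. It parses Security events in the same EVTX XML shape as the ones pasted in this thread and replays the default 5-in-120-s rule against the relaxed 20-in-300-s rule. Assumptions, since the page does not state them: only events 4624, 4625 and 4648 are counted and they are keyed by their IpAddress field, the comparison is "count >= threshold", and the addresses, account names and timestamps in the sample are constructed (documentation IP ranges), modelled on the pasted events.

```python
"""Simplified, assumed re-implementation of the EvlWatcher threshold rule
described in the thread.  Not EvlWatcher's code: the counted event IDs, the
IpAddress keying and the >= comparison are assumptions made for this example."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta, timezone

NS = "{http://schemas.microsoft.com/win/2004/08/events/event}"

# Assumption: the RDP-related Security events that carry a source IpAddress.
COUNTED_EVENT_IDS = frozenset({4624, 4625, 4648})

# Constructed sample event, shaped like the Security events pasted in the thread.
EVENT_TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    '<System><Provider Name="Microsoft-Windows-Security-Auditing" />'
    "<EventID>{eid}</EventID>"
    '<TimeCreated SystemTime="{ts}" /><Channel>Security</Channel></System>'
    '<EventData><Data Name="TargetUserName">{user}</Data>'
    '<Data Name="LogonType">10</Data><Data Name="IpAddress">{ip}</Data>'
    "</EventData></Event>"
)


def build_sample_xml() -> str:
    """Constructed log: one legitimate client reconnecting, one client hammering."""
    base = datetime(2025, 10, 8, 18, 30, tzinfo=timezone.utc)
    events = []
    # Legitimate client: three RDP reconnects inside 90 s; like the pasted
    # events, each successful logon emits a 4648 and a 4624 one millisecond apart.
    for i in range(3):
        t = base + timedelta(seconds=45 * i)
        events.append((4648, t, "Administrador", "203.0.113.10"))
        events.append((4624, t + timedelta(milliseconds=1), "Administrador", "203.0.113.10"))
    # Hammering client: 30 failed logons (4625) two seconds apart.
    for i in range(30):
        events.append((4625, base + timedelta(minutes=10, seconds=2 * i), "admin", "198.51.100.7"))
    body = "".join(
        EVENT_TEMPLATE.format(
            eid=eid, ts=t.strftime("%Y-%m-%dT%H:%M:%S.%f") + "000Z", user=user, ip=ip
        )
        for eid, t, user, ip in events
    )
    return "<Events>" + body + "</Events>"


SAMPLE_XML = build_sample_xml()

_TIME_RE = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?Z")


def parse_system_time(value: str) -> datetime:
    """Parse an EVTX SystemTime; it carries more fractional digits than datetime accepts."""
    m = _TIME_RE.fullmatch(value)
    if not m:
        raise ValueError(f"unexpected SystemTime: {value!r}")
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    micro = int((m.group(2) or "0")[:6].ljust(6, "0"))
    return base.replace(microsecond=micro, tzinfo=timezone.utc)


def extract_events(xml_text: str):
    """Return (time, event_id, ip, user) for every counted event in an EVTX XML dump."""
    out = []
    for ev in ET.fromstring(xml_text).iter(NS + "Event"):
        eid = int(ev.findtext(f"{NS}System/{NS}EventID"))
        if eid not in COUNTED_EVENT_IDS:
            continue
        ts = parse_system_time(ev.find(f"{NS}System/{NS}TimeCreated").get("SystemTime"))
        data = {d.get("Name"): (d.text or "").strip() for d in ev.iter(NS + "Data")}
        out.append((ts, eid, data.get("IpAddress", "-"), data.get("TargetUserName", "")))
    return out


def max_events_in_window(times, window_seconds: int) -> int:
    """Largest number of events inside any interval of window_seconds (sliding window)."""
    ts = sorted(times)
    window = timedelta(seconds=window_seconds)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flagged_sources(events, threshold: int, window_seconds: int) -> set:
    """Source addresses whose burst reaches the threshold; pass and fail both count."""
    by_ip = defaultdict(list)
    for ts, _eid, ip, _user in events:
        by_ip[ip].append(ts)
    return {ip for ip, times in by_ip.items()
            if max_events_in_window(times, window_seconds) >= threshold}


if __name__ == "__main__":
    evs = extract_events(SAMPLE_XML)
    for label, threshold, window in (("default 5 in 120 s", 5, 120), ("relaxed 20 in 300 s", 20, 300)):
        print(f"{label}: flagged {sorted(flagged_sources(evs, threshold, window))}")
```

Under the default rule the legitimate client is flagged after three reconnects, because each successful logon already contributes two counted events; under the relaxed rule only the hammering client is flagged, which is the behaviour the comment aims for. Raising the threshold also raises the number of failed attempts an attacker gets before a ban, so the window and count should be tuned together with the failure volume you actually see in the Security log.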
@juankorn did your IPv6 or IPv4 get banned?