Question Analysis

DeviceRegistryEvents | where RegistryKey contains "Terminal Server" and RegistryValueData == "0" | summarize by InitiatingProcessCommandLine | distinct InitiatingProcessCommandLine

DeviceRegistryEvents | where RegistryKey contains "Terminal Server" and RegistryValueName == "fSingleSessionPerUser" | project TimeGenerated, DeviceName, InitiatingProcessCommandLine | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey has 'Terminal Server' and PreviousRegistryValueName == 'fSingleSessionPerUser' and RegistryValueData =~ '0' | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueData

DeviceRegistryEvents | where RegistryKey contains "Terminal Server" and RegistryValueName == "fSingleSessionPerUser" and RegistryValueData == "0" | project DeviceName, InitiatingProcessCommandLine, InitiatingProcessAccountName, TimeGenerated

let reg_change = DeviceRegistryEvents | where RegistryValueName =~ "fSingleSessionPerUser" | where RegistryKey has @"\Control\Terminal Server" | where RegistryKey startswith "HKEY_LOCAL_MACHINE" or RegistryKey startswith "HKLM" | where ActionType == "RegistryValueSet" | extend NewVal = tostring(RegistryValueData), OldVal = tostring(PreviousRegistryValueData) | where NewVal in ("0", "00000000", "0x0", "0x00000000") or (OldVal in ("1", "00000001", "0x1", "0x00000001") and NewVal !in ("1", "00000001", "0x1", "0x00000001")) | project TimeGenerated, DeviceId, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountDomain, InitiatingProcessAccountName; reg_change | summarize Events=count(), FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated) by DeviceId, DeviceName, Utility=InitiatingProcessFileName | join kind=leftouter ( reg_change | summarize arg_max(TimeGenerated, *) by DeviceId, Utility=InitiatingProcessFileName | project DeviceId, Utility, LatestTime=TimeGenerated, LatestCommandLine=InitiatingProcessCommandLine ) on DeviceId, Utility | project DeviceName, Utility, LatestCommandLine, Events, FirstSeen, LastSeen | order by LastSeen desc

DeviceRegistryEvents | where RegistryKey has_cs "Terminal Server" or RegistryKey has_cs "fSingleSessionPerUser" or RegistryValueName has_cs "fSingleSessionPerUser" | where ActionType in ("RegistryValueSet", "RegistryValueDeleted", "RegistryKeyCreated", "RegistryKeyDeleted", "RegistryValueWrite", "SetValue", "SetValueKey", "Write") | extend Key=RegistryKey, ValueName=coalesce(RegistryValueName, "") | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessCreationTime, Key, ValueName, RegistryValueData, PreviousRegistryValueData, ActionType, ReportId | sort by TimeGenerated desc | limit 50 // Join with DeviceProcessEvents to enrich with parent process information and broader process command line context | join kind=leftouter ( DeviceProcessEvents | project ProcessTime=TimeGenerated, DeviceName2=DeviceName, ProcessId=ProcessId, ProcessFileName=FileName, ProcessCommandLine=ProcessCommandLine, InitiatingProcessParentId=InitiatingProcessParentId, InitiatingProcessParentFileName=InitiatingProcessParentFileName ) on $left.DeviceName == $right.DeviceName2 and $left.InitiatingProcessId == $right.ProcessId | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, ProcessFileName, ProcessCommandLine, InitiatingProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain, InitiatingProcessCreationTime, Key, ValueName, RegistryValueData, PreviousRegistryValueData, ActionType | sort by TimeGenerated desc | limit 100

// Detect changes to Terminal Server single-session-per-user registry value and show initiating command-line utility DeviceRegistryEvents | where RegistryValueName =~ "fSingleSessionPerUser" // include events where the key path references Terminal Server | where RegistryKey contains "Terminal Server" or RegistryKey contains "\\Control\\Terminal Server" // filter for value set/modify actions or when data is present | where ActionType in ("SetValue", "SetValueKey", "ValueSet", "RegistryValueSet", "Modify", "Set") or isnotempty(RegistryValueData) | extend ChangeTime = TimeGenerated | project ChangeTime, DeviceName, DeviceId, InitiatingProcessId, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain, RegistryKey, RegistryValueName, RegistryValueData, PreviousRegistryValueData, ActionType | sort by ChangeTime desc | summarize arg_max(ChangeTime, *) by DeviceId, InitiatingProcessId, RegistryKey, RegistryValueName | top 100 by ChangeTime

let changes = union DeviceRegistryEvents, DeviceEvents | where isnotempty(RegistryKey) | extend rk = tolower(RegistryKey), rvn = tolower(RegistryValueName), rvd = tostring(RegistryValueData) // Look for Terminal Server registry path or the fSingleSessionPerUser value name | where rk contains "terminal server" or rvn contains "singlesession" or rvn contains "fsinglesessionperuser" // Value set to 0 (may appear as "0", "0x0", etc.) — adjust if you expect different encoding | where rvd contains "0" or rvd contains "0x0" | extend Executable = tolower(extract(@"([^\\]+)$", 1, InitiatingProcessFileName)) | project TimeGenerated, DeviceName, Executable, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessId, RegistryKey, RegistryValueName, RegistryValueData, ActionType, ReportId; // Recent matching events (detail) changes | sort by TimeGenerated desc | take 50 // Summary by initiating executable ; changes | summarize Events=count(), LastSeen=max(TimeGenerated) by Executable | order by Events desc | take 20

DeviceRegistryEvents | where TimeGenerated >= ago(1d) | where RegistryKey contains "Terminal Server" or RegistryKey contains "WinStations" or RegistryKey contains "TerminalServer" | where RegistryValueName in ("fSingleSessionPerUser","SingleSessionPerUser") | where RegistryValueData =~ "0" | project TimeGenerated, DeviceName, DeviceId, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessCreationTime, InitiatingProcessId, InitiatingProcessAccountName, InitiatingProcessAccountDomain | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey contains "Terminal Server" | where RegistryValueData == "0" // Assuming '0' indicates the disabling of single-session per user | project DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessCommandLine, InitiatingProcessFileName, Timestamp | summarize arg_max(Timestamp, *) by InitiatingProcessCommandLine // Get the most recent event per unique command line | order by Timestamp desc

DeviceRegistryEvents | where RegistryKey has "Control\\Terminal Server" | where RegistryValueName =~ "fSingleSessionPerUser" | where RegistryValueData == "0" | project TimeGenerated, DeviceName, ActionType, InitiatingProcessFileName, InitiatingProcessCommandLine, InitiatingProcessAccountName, InitiatingProcessAccountDomain

DeviceRegistryEvents | where RegistryKey has "\\Control\\Terminal Server" | where RegistryValueName == "fSingleSessionPerUser" | where RegistryValueData == "0" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueData | order by TimeGenerated desc

DeviceRegistryEvents | where RegistryKey contains "Terminal Server" and RegistryValueName == "fSingleSessionPerUser" and RegistryValueData =~ "0" | project TimeGenerated, DeviceName, InitiatingProcessFileName, InitiatingProcessCommandLine, RegistryKey, RegistryValueName, RegistryValueData | sort by TimeGenerated desc | limit 10

DeviceRegistryEvents | where RegistryKey contains "Terminal Server" | where RegistryValueName == "fSingleSessionPerUser" and RegistryValueData == "0" | project TimeGenerated, DeviceName, RegistryKey, RegistryValueName, RegistryValueData, InitiatingProcessFileName, InitiatingProcessCommandLine | order by TimeGenerated desc | take 20