Sample environment:
PIMSrv: machine running PIM
RDPCl01: RDP client 1
RDPCl02: RDP client 2
Example audit log and operation steps:
(The record in bold looks strange.)
1. Log in to PIMSrv via RDP from RDPCl01
$DateTime P LOGIN PIMSrv\LocalUsr 7bd5e0f1-cac6-4e45-99e8-83f29b11bc80 1059 2 RDPCl01 C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr e989f2a9-91cd-415a-9742-ca35a12c323f 1059 2 RDPCl01 C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 59 2 PIMSrv C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 1059 2 RDPCl01 Terminal Services
2. Access a protected file via Explorer
$DateTime P FILE PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read 57 3 C:\Protected\Backup C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
$DateTime P FILE PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read 57 3 C:\Protected\Backup\Recoveried C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
$DateTime P FILE PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read 57 3 C:\Protected\Backup\Recoveried\sample C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
$DateTime P FILE PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read, Create 57 3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
3. Log off from the Start menu and disconnect the RDP session
...
$DateTime O LOGOUT PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 49 2 RDPCl01 Terminal Services
4. Log in to PIMSrv via RDP from RDPCl02 as the same local user as in step 1
$DateTime P LOGIN PIMSrv\LocalUsr 22a29860-1f8c-46b7-a4ec-cbd166b6f3f1 1059 2 RDPCl02 C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr 46057ac5-99a4-4f0b-9013-275282e3ab2b 1059 2 RDPCl02 C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 59 2 PIMSrv C:\Windows\System32\lsass.exe
$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 1059 2 RDPCl02 Terminal Services
5. Access the same protected file as in step 2 via Explorer
$DateTime P FILE PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read, Create 57 3 C:\Protected\desktop.ini C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr
$DateTime P FILE PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read, Create 57 3 C:\Protected\Backup\desktop.ini C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr
$DateTime P FILE PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read 57 3 C:\Protected\Backup C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr
$DateTime P FILE PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read 57 3 C:\Protected\Backup C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
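Added example (not part of the original page or of the product): one way to scan an audit log for records that carry a session ID after that session's LOGOUT, as the last record of step 5 does with the step 1 session ID and RDPCl01. The field layout, the "terminal" naming and the function names are assumptions inferred from the sample records above.

```python
import re

# Field layout inferred from the sample records on this page (an assumption,
# not a documented format): time, result, type, user, session ID, then the rest.
RECORD = re.compile(
    r"^\S+ \w (?P<type>LOGIN|LOGOUT|FILE) (?P<user>\S+) "
    r"(?P<session>[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}) (?P<rest>.*)$"
)

# Subset of the sample records above (steps 1, 3, 4 and 5), in file order.
SAMPLE = r"""
$DateTime P LOGIN PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 1059 2 RDPCl01 Terminal Services
$DateTime O LOGOUT PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b 49 2 RDPCl01 Terminal Services
$DateTime P LOGIN PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 1059 2 RDPCl02 Terminal Services
$DateTime P FILE PIMSrv\LocalUsr 3ece5209-3c7d-4afe-a774-c136989a4714 Read 57 3 C:\Protected\Backup C:\Windows\Explorer.EXE RDPCl02 PIMSrv\LocalUsr
$DateTime P FILE PIMSrv\LocalUsr 226916f5-35a6-401b-b179-63f7a253625b Read 57 3 C:\Protected\Backup C:\Windows\Explorer.EXE RDPCl01 PIMSrv\LocalUsr
"""

def terminal_of(rec_type, rest):
    """Return the terminal (client host) field of a record."""
    if rec_type == "FILE":
        # FILE records end "<terminal> <user>"; assumes neither contains spaces.
        return rest.rsplit(None, 2)[-2]
    # LOGIN/LOGOUT records: two numeric fields, then terminal, then program/service.
    return rest.split(None, 3)[2]

def find_stale_session_records(lines):
    """Return records whose session ID was already closed by a LOGOUT."""
    closed = {}      # session ID -> line number of its LOGOUT
    findings = []
    for lineno, line in enumerate(lines, 1):
        m = RECORD.match(line.strip())
        if not m:
            continue                      # step headings, "...", blank lines
        sid, rec_type = m["session"], m["type"]
        if rec_type == "LOGOUT":
            closed.setdefault(sid, lineno)
        elif sid in closed:
            findings.append({
                "line": lineno, "type": rec_type, "session": sid,
                "terminal": terminal_of(rec_type, m["rest"]),
                "logout_line": closed[sid],
            })
    return findings

if __name__ == "__main__":
    for f in find_stale_session_records(SAMPLE.splitlines()):
        print(f)
```

Records are compared in file order because the sample timestamps are placeholders; with real timestamps, sort by time before scanning.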