File shares set up by users on the terminal server are not identified by the TS Agent and are not mapped to a user in the traffic log.
Resolution:
If the traffic is initiated by an application running with the context of a user (e.g. telnet), the socket information can be intercepted by the TS Agent which will replace the source port. However, if the traffic is generated by a service running with System context, the agent is not able to determine the user information. The TS-Agent will not identify SMB traffic a this is run in a system context.