4778: A session was reconnected to a Window Station

On this page

• Description of this event
• Field level details
• Examples
• Discuss this event
• Mini-seminars on this event

Windows logs this event when a user reconnects to a disconnected terminal server (aka Remote Desktop) session as opposed to a fresh logon which is reflected by event 4624.

This event is also logged when a user returns to an existing logon session via Fast User Switching.

You can distinguish between instances of this event associated with Fast User Switching and Remote Desktop by Client Name: and Client Address: which in the case of Remote Desktop will normally be different than the local computer.  The session name also indicates Remote Desktop with "RDP" as shown in the example.

With console logons and Fast User Switching the session name will be "Console" and Client Name and Address will be "unknown".

Subject:

The user account involved. 

• Security ID:  The SID of the account.
• Account Name: The account logon name.
• Account Domain: The domain or - in the case of local accounts - computer name.
• Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Description Fields in 4778 Session:  Session name: name of the session; for Remote Desktop/Terminal Server sessions this field is in the format of RDP-Tcp#0  Additional Information: Client Name:  computer name of the computer where the user is present - applies to remote desktop sessions Client Address:  IP address of the computer where the user is present - applies to remote desktop sessions Top 10 Windows Security Events to Monitor Examples of 4778 A session was reconnected to a Window Station. Subject:    Account Name:  Administrator    Account Domain:  WIN-R9H529RIO4Y    Logon ID:  0x169e9 Session:    Session Name:  RDP-Tcp#0 Additional Information:    Client Name:  XPEDIT    Client Address:  10.42.42.211 This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching. Keep me up-to-date on the Windows Security Log. Email*: *We will NOT share this

Training for the Windows Security Log

Mini-Seminars Covering Event ID 4778 Security Log Exposed: What is the Difference Between “Account Logon” and “Logon/Logoff” Events?

Discussions on Event ID 4778 Ask a question about this event

 

Upcoming Webinars Cutting through the Hype: What is Big Data Security Analytics? 3 Ways Two-Factor Authentication Can Stop APTs from Spreading Understanding the Security Boundaries and Risks of Multiple Domains, Forests and Trust Relationships 6 Steps to Classifying Your Data Top 6 Security Events to Monitor in SQL Server Top 10 Security Events to Monitor in SharePoint

Additional Resources Security Log Quick Reference Chart Learn about the SharePoint Audit Log Patch Tuesday Analysis

•	All Event IDs
•	Audit Policy