A session was reconnected to a Window Station
On this page
Windows logs this event when a user reconnects to a disconnected terminal server (aka Remote Desktop) session as opposed to a fresh logon which is reflected by event 4624.
This event is also logged when a user returns to an existing logon session via Fast User Switching.
You can distinguish between instances of this event associated with Fast User Switching and Remote Desktop by Client Name: and Client Address: which in the case of Remote Desktop will normally be different than the local computer. The session name also indicates Remote Desktop with "RDP" as shown in the example.
With console logons and Fast User Switching the session name will be "Console" and Client Name and Address will be "unknown".
The user account involved.
- Security ID: The SID of the account.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
- Session name: name of the session; for Remote Desktop/Terminal Server sessions this field is in the format of RDP-Tcp#0
- Client Name: computer name of the computer where the user is present - applies to remote desktop sessions
- Client Address: IP address of the computer where the user is present - applies to remote desktop sessions
Top 10 Windows Security Events to Monitor
A session was reconnected to a Window Station.
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x169e9
Session Name: RDP-Tcp#0
Client Name: XPEDIT
Client Address: 10.42.42.211
This event is generated when a user reconnects to an existing Terminal Services session, or when a user switches to an existing desktop using Fast User Switching.
Keep me up-to-date on the Windows Security Log.
*We will NOT share this