Windows Security Log Event ID 4779

Operating Systems Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Logon/Logoff
 • Other Logon/Logoff Events
Type Success
Corresponding events
in Windows 2003
and before
683  

4779: A session was disconnected from a Window Station

On this page

Windows logs this event when a user disconnects from a terminal server (aka remote desktop) session as opposed to an full logoff which triggers event 4647 or 4634.

This event is also logged when a user returns to an existing logon session via Fast User Switching.

You can distinguish between instances of this event associated with Fast User Switching and Remote Desktop by Client Name: and Client Address: which in the case of Remote Desktop will normally be different than the local computer.  The session name also indicates Remote Desktop with "RDP" as shown in the example.

With console logons and Fast User Switching the session name will be "Console" and Client Name: and Client Address: will be "unknown".

Free Security Log Resources by Randy

Description Fields in 4779

Subject:

The user account involved.

  • Account Name: The account logon name.
  • Account Domain: The domain or - in the case of local accounts - computer name.
  • Logon ID is a semi-unique (unique between reboots) number that identifies the logon session.  Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.

Session: 

  • Session name: name of the session; for Remote Desktop/Terminal Server sessions this field is in the format of RDP-Tcp#0 

Additional Information:

  • Client Name: Computer name of the computer where the user is present - applies to remote desktop sessions
  • Client Address: IP address of the computer where the user is present - applies to remote desktop sessions

Supercharger Enterprise


 

Examples of 4779

A session was disconnected from a Window Station.

Subject:

   Account Name:  Administrator
   Account Domain:  WIN-R9H529RIO4Y
   Logon ID:  0x169e9

Session:

   Session Name:  RDP-Tcp#0

Additional Information:

   Client Name:  XPEDIT
   Client Address:  10.42.42.211

This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Upcoming Webinars
    Additional Resources