Windows Security Log Event ID 4779
Operating Systems |
Windows 2008 R2 and 7
Windows 2012 R2 and 8.1
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | Logon/Logoff • Other Logon/Logoff Events |
Type
|
Success
|
Corresponding events
in Windows
2003 and before |
683
|
4779: A session was disconnected from a Window Station
On this page
Windows logs this event when a user disconnects from a terminal server (aka remote desktop) session as opposed to an full logoff which triggers event 4647 or 4634.
This event is also logged when a user returns to an existing logon session via Fast User Switching.
You can distinguish between instances of this event associated with Fast User Switching and Remote Desktop by Client Name: and Client Address: which in the case of Remote Desktop will normally be different than the local computer. The session name also indicates Remote Desktop with "RDP" as shown in the example.
With console logons and Fast User Switching the session name will be "Console" and Client Name: and Client Address: will be "unknown".
Free Security Log Resources by Randy
Subject:
The user account involved.
- Account Name: The account logon name.
- Account Domain: The domain or - in the case of local accounts - computer name.
- Logon ID is a semi-unique (unique between reboots) number that identifies the logon session. Logon ID allows you to correlate backwards to the logon event (4624) as well as with other events logged during the same logon session.
Session:
- Session name: name of the session; for Remote Desktop/Terminal Server sessions this field is in the format of RDP-Tcp#0
Additional Information:
- Client Name: Computer name of the computer where the user is present - applies to remote desktop sessions
- Client Address: IP address of the computer where the user is present - applies to remote desktop sessions
Supercharger Enterprise
A session was disconnected from a Window Station.
Subject:
Account Name: Administrator
Account Domain: WIN-R9H529RIO4Y
Logon ID: 0x169e9
Session:
Session Name: RDP-Tcp#0
Additional Information:
Client Name: XPEDIT
Client Address: 10.42.42.211
This event is generated when a user disconnects from an existing Terminal Services session, or when a user switches away from an existing desktop using Fast User Switching.
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection