Thursday, January 9, 2020

Event ID 4778 - A Session was Reconnected to a Window Station

JSON log sample:

{
  "EventTime": "2017/12/17 04:04:12",
  "Hostname": "CIVDCS-ADC1.changeme.com",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4778,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 0,
  "Task": 12551,
  "OpcodeValue": 0,
  "RecordNumber": 56517798,
  "ProcessID": 528,
  "ThreadID": 3232,
  "Channel": "Security",
  "Message": "A session was reconnected to a Window Station.",
  "Category": "Other Logon/Logoff Events",
  "Opcode": "Info",
  "AccountName": "ChrisR_ADMIN",
  "AccountDomain": "changeme",
  "LogonID": "0x5fa8b0",
  "SessionName": "RDP-Tcp#20",
  "ClientName": "PC008552",
  "ClientAddress": "10.1.45.50",
  "EventReceivedTime": "2017/12/17 04:04:12",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}

Windows logs this event under two conditions:

1. When a user reconnects to a disconnected Terminal Server (aka Remote Desktop) session, as opposed to a fresh logon, which is reflected by event 4624.
2. When a user returns to an existing logon session via Fast User Switching.

User Information:
"AccountName" -> logon name of the user account
"AccountDomain" -> domain name or computer name
"LogonID" -> a number that is unique between reboots and identifies each logon session. It can be used to correlate this event with the logoff events 4634 and 4647.

Session Information:
"SessionName" -> name of the session; for Remote Desktop/Terminal Server sessions this field has the format RDP-Tcp#0

Client Information:
"ClientAddress" -> for a Remote Desktop connection/session, the IP address of the computer where the user is physically present
"ClientName" -> for a Remote Desktop connection/session, the name of the computer where the user is present
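As an added example (not part of the original post), the following Python groups 4778 records of the shape shown above by LogonID and reports reconnects to an existing logon session that come from a different client machine or address than the earlier reconnects. The sample lines are constructed, modelled on the post's record, and carry only the fields the code uses.

```python
import json
from collections import defaultdict

# Constructed NXLog-style JSON lines (one event per line), not real data.
# The 4624 line is noise that the filter below must ignore.
SAMPLE_LINES = [
    '{"EventTime": "2017/12/17 04:04:12", "EventID": 4778, "AccountName": "ChrisR_ADMIN",'
    ' "AccountDomain": "changeme", "LogonID": "0x5fa8b0", "SessionName": "RDP-Tcp#20",'
    ' "ClientName": "PC008552", "ClientAddress": "10.1.45.50"}',
    '{"EventTime": "2017/12/17 09:15:40", "EventID": 4778, "AccountName": "ChrisR_ADMIN",'
    ' "AccountDomain": "changeme", "LogonID": "0x5fa8b0", "SessionName": "RDP-Tcp#23",'
    ' "ClientName": "PC008552", "ClientAddress": "10.1.45.50"}',
    '{"EventTime": "2017/12/17 23:02:07", "EventID": 4778, "AccountName": "ChrisR_ADMIN",'
    ' "AccountDomain": "changeme", "LogonID": "0x5fa8b0", "SessionName": "RDP-Tcp#31",'
    ' "ClientName": "LAPTOP-X1", "ClientAddress": "10.9.200.14"}',
    '{"EventTime": "2017/12/17 03:59:01", "EventID": 4624}',
]

def reconnects_by_logon(lines):
    """Return {LogonID: [4778 events sorted by time]}; other event IDs are skipped."""
    sessions = defaultdict(list)
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") != 4778:
            continue
        sessions[ev["LogonID"]].append(ev)
    for evs in sessions.values():
        # "yyyy/mm/dd hh:mm:ss" is fixed-width, so string order is time order.
        evs.sort(key=lambda e: e["EventTime"])
    return dict(sessions)

def client_changes(sessions):
    """Flag reconnects whose ClientName/ClientAddress differ from the first
    reconnect of the same logon session: a disconnected RDP session picked up
    from a different machine or address is worth reviewing."""
    findings = []
    for logon_id, evs in sessions.items():
        first = (evs[0]["ClientName"], evs[0]["ClientAddress"])
        for ev in evs[1:]:
            cur = (ev["ClientName"], ev["ClientAddress"])
            if cur != first:
                findings.append({"LogonID": logon_id,
                                 "Account": f'{ev["AccountDomain"]}\\{ev["AccountName"]}',
                                 "EventTime": ev["EventTime"],
                                 "SessionName": ev["SessionName"],
                                 "from": first, "to": cur})
    return findings

if __name__ == "__main__":
    for f in client_changes(reconnects_by_logon(SAMPLE_LINES)):
        print(f)
```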
