Event ID 4779 - A session was disconnected from a Window Station
Json log sample:
{
  "EventTime": "2017/12/17 04:04:12",
  "Hostname": "CIVDCS-ADC1.changeme.com",
  "Keywords": -9214364837600034816,
  "EventType": "AUDIT_SUCCESS",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 4779,
  "SourceName": "Microsoft-Windows-Security-Auditing",
  "ProviderGuid": "{54849625-5478-4994-A5BA-3E3B0328C30D}",
  "Version": 0,
  "Task": 12551,
  "OpcodeValue": 0,
  "RecordNumber": 56523387,
  "ProcessID": 528,
  "ThreadID": 5356,
  "Channel": "Security",
  "Message": "A session was disconnected from a Window Station.",
  "Category": "Other Logon/Logoff Events",
  "Opcode": "Info",
  "AccountName": "Chris_ADMIN",
  "AccountDomain": "changeme",
  "LogonID": "0x5fa8b0",
  "SessionName": "RDP-Tcp#20",
  "ClientName": "PC008552",
  "ClientAddress": "10.1.45.50",
  "EventReceivedTime": "2017/12/17 04:04:12",
  "SourceModuleName": "wineventlog_in",
  "SourceModuleType": "im_msvistalog"
}
Windows logs this event under two conditions:
1. when a user disconnects from a terminal server (remote desktop) session, as opposed to a full logoff, which triggers event 4647 or 4634.
2. when a user returns to an existing logon session via Fast User Switching.
User Information:
"AccountName" -> user account logon name
"AccountDomain" -> domain name or computer name
"LogonID" -> a number that is unique between reboots and identifies each logon session. It can be used to correlate this event with the logoff events 4634 and 4647.
Session Information:
"SessionName" -> name of the session; for Remote Desktop/Terminal Server sessions this field has the form RDP-Tcp#0
Client Information:
"ClientAddress" -> for a remote desktop connection/session, the IP address of the computer where the user is physically present.
"ClientName" -> for a remote desktop connection/session, the name of the computer where the user is present.
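The LogonID correlation described above, worked through as an added example (this is not code from the original page or from NXLog). It reads newline-delimited JSON records of the kind the im_msvistalog module emits, recognises Remote Desktop sessions from the RDP-Tcp#<n> form of SessionName, and pairs each 4779 disconnect with a later 4634/4647 logoff on the same host and LogonID, so that sessions left disconnected but still logged on can be listed. The sample records are constructed: the first mirrors the page's 4779 sample, while the 4634 record, the second and third 4779 records, the "Console" session name and the LogonID values 0x7c1d22 and 0x81f003 are invented to exercise both branches.

```python
import json
import re
from collections import defaultdict

# Constructed sample input (not from the page): one JSON record per line, as
# NXLog's im_msvistalog module emits them. Only the fields this example needs
# are kept. The first record mirrors the page's 4779 sample; the other records,
# their LogonID values and the "Console" session name are made up.
SAMPLE_LOG = r'''
{"EventTime": "2017/12/17 04:04:12", "Hostname": "CIVDCS-ADC1.changeme.com", "EventID": 4779, "Channel": "Security", "AccountName": "Chris_ADMIN", "AccountDomain": "changeme", "LogonID": "0x5fa8b0", "SessionName": "RDP-Tcp#20", "ClientName": "PC008552", "ClientAddress": "10.1.45.50"}
{"EventTime": "2017/12/17 04:30:01", "Hostname": "CIVDCS-ADC1.changeme.com", "EventID": 4634, "Channel": "Security", "AccountName": "Chris_ADMIN", "AccountDomain": "changeme", "LogonID": "0x5fa8b0"}
{"EventTime": "2017/12/17 05:10:44", "Hostname": "CIVDCS-ADC1.changeme.com", "EventID": 4779, "Channel": "Security", "AccountName": "svc_backup", "AccountDomain": "changeme", "LogonID": "0x7c1d22", "SessionName": "RDP-Tcp#21", "ClientName": "PC001234", "ClientAddress": "10.1.45.77"}
{"EventTime": "2017/12/17 05:15:00", "Hostname": "CIVDCS-ADC1.changeme.com", "EventID": 4779, "Channel": "Security", "AccountName": "jdoe", "AccountDomain": "changeme", "LogonID": "0x81f003", "SessionName": "Console", "ClientName": "CIVDCS-ADC1", "ClientAddress": "LOCAL"}
'''

# Remote Desktop / Terminal Server sessions are named RDP-Tcp#<n> (per the page).
RDP_SESSION_RE = re.compile(r"^RDP-Tcp#\d+$")
# Full-logoff events named on the page; a 4779 without one of these is a
# session that was only disconnected and is still logged on.
LOGOFF_EVENT_IDS = {4634, 4647}


def parse_events(text):
    """Parse newline-delimited JSON records into a list of dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if line:
            events.append(json.loads(line))
    return events


def is_rdp_session(session_name):
    """True when SessionName has the Remote Desktop form RDP-Tcp#<n>."""
    return bool(RDP_SESSION_RE.match(session_name or ""))


def correlate_disconnects(events):
    """Pair each 4779 disconnect with a later 4634/4647 logoff on the same host and LogonID.

    LogonID is only unique per host and per boot, so the key includes Hostname.
    EventTime uses the fixed-width YYYY/MM/DD HH:MM:SS layout, so string
    comparison orders timestamps correctly. Returns one dict per 4779 event
    with status 'logged_off' or 'still_disconnected'.
    """
    logoffs = defaultdict(list)
    for ev in events:
        if ev.get("EventID") in LOGOFF_EVENT_IDS:
            logoffs[(ev["Hostname"], ev["LogonID"])].append(ev["EventTime"])

    results = []
    for ev in events:
        if ev.get("EventID") != 4779:
            continue
        key = (ev["Hostname"], ev["LogonID"])
        later = [t for t in logoffs[key] if t > ev["EventTime"]]
        results.append({
            "LogonID": ev["LogonID"],
            "account": f'{ev["AccountDomain"]}\\{ev["AccountName"]}',
            "rdp": is_rdp_session(ev.get("SessionName")),
            "client": (ev.get("ClientName"), ev.get("ClientAddress")),
            "disconnected_at": ev["EventTime"],
            "status": "logged_off" if later else "still_disconnected",
            "logoff_at": min(later) if later else None,
        })
    return results


if __name__ == "__main__":
    for row in correlate_disconnects(parse_events(SAMPLE_LOG)):
        print(row)
```

Run as-is it prints one row per 4779 record: Chris_ADMIN's RDP session is matched to the 4634 at 04:30:01, the svc_backup RDP session stays "still_disconnected" because no logoff for its LogonID follows, and the "Console" record is reported with rdp=False so the Fast User Switching case can be told apart from a remote desktop disconnect. On real data the same keying (Hostname, LogonID) is what lets a 4779 be tied back to its 4624 logon as well.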