4778 A session was reconnected to a Window Station
Written when a user reconnects to a Terminal Services (RDP) session, or returns to an existing desktop via user switching. It is useful for tracking remote session use.
Overview
The subcategory is Audit Other Logon/Logoff Events. It is generated when a user reconnects to an existing RDP session, or switches to an existing desktop via Fast User Switching. It includes the connecting machine name, IP, and account.
How it is triggered
- Reconnecting to a disconnected RDP session.
- Returning to an existing session via Fast User Switching.
Security review points
- If the reconnection source (Client Name/Client Address) differs from expectations, suspect session hijacking or unauthorized remote access. Paired with disconnect 4779, track who left and returned to the session and when.
- Correlate with RDP logon 4624 (Type 10) to understand the remote-access sequence. An attacker may reconnect to an existing session to continue activity.
Notes for log review
- It occurs daily in remote operations. Match the source IP, machine, and account against normal patterns, and note reconnections from anomalous sources.
- Together with disconnect 4779, build the session usage window.
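One way to build the session usage window and check reconnection sources against a baseline, as an added example that is not part of the original page. It assumes the events were exported to records with `time` and `id` columns, that a 4779 carries the same account and Session Name as the 4778 it closes, and that a per-account baseline of expected sources exists; all sample values are constructed.

```python
from datetime import datetime

# Constructed sample records (not real log data). Keys reuse the field names
# from the "Key fields" table; "time" and "id" are assumed export columns.
EVENTS = [
    {"time": "2024-05-01T09:00:00", "id": 4778, "Account Name": "alice",
     "Session Name": "RDP-Tcp#3", "Client Name": "WS-ALICE",
     "Client Address": "10.0.5.21"},
    {"time": "2024-05-01T12:30:00", "id": 4779, "Account Name": "alice",
     "Session Name": "RDP-Tcp#3", "Client Name": "WS-ALICE",
     "Client Address": "10.0.5.21"},
    {"time": "2024-05-01T23:10:00", "id": 4778, "Account Name": "alice",
     "Session Name": "RDP-Tcp#7", "Client Name": "DESKTOP-X1",
     "Client Address": "203.0.113.40"},  # never disconnected in this sample
]

# Assumed baseline: expected (Client Name, Client Address) pairs per account.
BASELINE = {"alice": {("WS-ALICE", "10.0.5.21")}}


def session_windows(events, baseline):
    """Pair each 4778 with the next 4779 on the same account and session,
    and mark reconnections whose source is outside the account's baseline."""
    open_windows = {}   # (account, session) -> window still awaiting a 4779
    windows = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        key = (ev["Account Name"], ev["Session Name"])
        when = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4778:
            source = (ev["Client Name"], ev["Client Address"])
            window = {
                "account": key[0], "session": key[1], "source": source,
                "start": when, "end": None,  # None = no disconnect seen yet
                "unexpected": source not in baseline.get(key[0], set()),
            }
            open_windows[key] = window
            windows.append(window)
        elif ev["id"] == 4779 and key in open_windows:
            open_windows.pop(key)["end"] = when
    return windows


if __name__ == "__main__":
    for w in session_windows(EVENTS, BASELINE):
        flag = "REVIEW" if w["unexpected"] else "ok"
        print(w["account"], w["session"], w["source"], w["start"], w["end"], flag)
```

A window whose `end` is still `None` is a session that was reconnected and not yet disconnected within the reviewed time range.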
Key fields
| Field | Meaning |
|---|---|
| Account Name | The reconnecting account |
| Client Name / Client Address | The connecting machine name/IP |
| Session Name | The target session |