4779 A session was disconnected from a Window Station
Written when a user disconnects from a Terminal Services (RDP) session, or leaves via user switching. Paired with reconnect 4778, it tracks the remote session usage window.
Overview
The subcategory is Audit Other Logon/Logoff Events. It is generated when a user disconnects from an RDP session, or leaves an existing desktop via Fast User Switching. A disconnect does not end the session; it leaves it in a state that can be reconnected later.
How it is triggered
- Disconnecting an RDP session (severing the connection rather than logging off).
- Switching to another user via Fast User Switching.
Security review points
- Because a disconnect “leaves the session without logging off,” an abandoned session can be reconnected later (including by an attacker). Pair it with reconnect 4778 to track who ends up holding the session.
- Unlike logoff 4647/4634, the session stays alive. Treat it as a question of managing lingering sessions.
Notes for log review
- It occurs daily in remote operations. Together with reconnect 4778, reconstruct the leave-to-return flow of each session.
- Watch for sessions left disconnected for a long time, together with anomalies in the reconnection source.
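The pairing described in the review points and notes above can be sketched as follows. This is an added example, not code from the original page: the event records are constructed, the function name and the 8-hour idle threshold are assumptions, and it assumes 4778 carries the same account and client address fields and that all events come from one host.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real logs. Keys mirror the "Key fields" table;
# assumption: 4778 carries the same fields and all events come from one host.
EVENTS = [
    {"time": "2024-05-06T09:00:00", "id": 4779, "account": "alice", "addr": "10.0.5.21"},
    {"time": "2024-05-06T09:20:00", "id": 4778, "account": "alice", "addr": "10.0.5.21"},
    {"time": "2024-05-06T17:00:00", "id": 4779, "account": "carol", "addr": "10.0.5.44"},
    {"time": "2024-05-06T18:00:00", "id": 4779, "account": "bob", "addr": "10.0.5.30"},
    {"time": "2024-05-07T07:30:00", "id": 4778, "account": "bob", "addr": "203.0.113.50"},
]

def review_sessions(events, now, max_idle=timedelta(hours=8)):
    """Pair each 4779 with the next 4778 for the same account.

    Returns (findings, lingering): reconnects that were long-idle or came from
    a different client address, and accounts still disconnected past max_idle.
    The 8-hour default is an assumed threshold, not a value from the page.
    """
    pending = {}    # account -> (time, client address) of its last 4779
    findings = []
    for ev in sorted(events, key=lambda e: e["time"]):
        acct = ev["account"].lower()
        ts = datetime.fromisoformat(ev["time"])
        if ev["id"] == 4779:
            pending[acct] = (ts, ev["addr"])
        elif ev["id"] == 4778 and acct in pending:
            left_at, left_addr = pending.pop(acct)
            reasons = []
            if ts - left_at > max_idle:
                reasons.append("long_idle")
            if ev["addr"] != left_addr:
                reasons.append("source_changed")
            if reasons:
                findings.append({"account": acct, "idle": ts - left_at,
                                 "from": left_addr, "to": ev["addr"],
                                 "reasons": reasons})
    lingering = sorted(a for a, (t, _) in pending.items() if now - t > max_idle)
    return findings, lingering

if __name__ == "__main__":
    found, left_open = review_sessions(EVENTS, now=datetime(2024, 5, 7, 12, 0))
    for f in found:
        print(f)
    print("still disconnected:", left_open)
```

Keying on account name alone is a simplification; on a busy host, a per-session identifier gives a tighter pairing.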
Key fields
| Field | Meaning |
|---|---|
| Account Name | The disconnecting account |
| Client Name / Client Address | The connecting machine name/IP |
| Session Name | The target session |