EventPeeker
Event ID 4778 | Audit Success | Security

Windows Event ID 4778: Session Reconnected to Window Station

Logged when a user reconnects to an existing Remote Desktop session. Indicates RDP re-connection activity.

Why It Matters

Unexpected RDP reconnections — especially to systems that shouldn't have remote access enabled — can indicate an attacker re-establishing a dormant foothold.

Key Fields

Account Name: The user reconnecting
Client Name / Client Address: The system they are connecting from
Session Name: RDP-Tcp#0 etc.

Investigation Tips

  1. Compare the Client Address to known admin workstations — unexpected IPs warrant investigation.
  2. Off-hours reconnections to servers or domain controllers are high-priority alerts.
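
The two checks above applied to exported 4778 records, as an added example that is not EventPeeker's own code. The admin subnet, host names, working hours and sample records are assumptions constructed for illustration; the Data names are those used in the event's XML EventData.

```python
import ipaddress
import xml.etree.ElementTree as ET
from datetime import datetime

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed environment values (hypothetical): replace with your own inventory.
ADMIN_NETS = [ipaddress.ip_network("10.10.5.0/28")]      # known admin workstations
HIGH_VALUE = {"DC01.corp.example", "FS01.corp.example"}  # servers / domain controllers
WORK_HOURS_UTC = range(7, 19)                            # 07:00-18:59, event time is UTC

def parse_4778(xml_text):
    """Extract the key fields from one Event 4778 record exported as XML."""
    root = ET.fromstring(xml_text)
    if root.findtext("e:System/e:EventID", namespaces=NS) != "4778":
        return None
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    ts = root.find("e:System/e:TimeCreated", NS).get("SystemTime")
    return {"time": datetime.fromisoformat(ts[:19]),  # drop fractional seconds and 'Z'
            "computer": root.findtext("e:System/e:Computer", namespaces=NS),
            "account": data.get("AccountName"),
            "client_address": data.get("ClientAddress"),
            "session": data.get("SessionName")}

def triage(event):
    """Return the reasons, if any, that this reconnection needs a closer look."""
    reasons = []
    try:
        addr = ipaddress.ip_address(event["client_address"])
        if not any(addr in net for net in ADMIN_NETS):
            reasons.append("client address not a known admin workstation")
    except (TypeError, ValueError):  # empty, or a non-IP value such as LOCAL
        reasons.append("client address missing or not an IP")
    if event["computer"] in HIGH_VALUE and event["time"].hour not in WORK_HOURS_UTC:
        reasons.append("off-hours reconnection to high-value host")
    return reasons

def sample(computer, ts, addr):  # constructed sample record, not a real log entry
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>4778</EventID>'
            f'<TimeCreated SystemTime="{ts}"/><Computer>{computer}</Computer></System>'
            f'<EventData><Data Name="AccountName">jdoe</Data>'
            f'<Data Name="SessionName">RDP-Tcp#0</Data><Data Name="ClientName">WS-042</Data>'
            f'<Data Name="ClientAddress">{addr}</Data></EventData></Event>')

if __name__ == "__main__":
    for args in [("DC01.corp.example", "2024-03-14T02:17:43.1234567Z", "192.0.2.77"),
                 ("APP03.corp.example", "2024-03-14T10:05:00.0000000Z", "10.10.5.4")]:
        ev = parse_4778(sample(*args))
        print(ev["computer"], ev["account"], ev["client_address"], triage(ev) or "ok")
```
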

Seeing Event ID 4778 in your own logs? Upload an .evtx file — EventPeeker automatically flags Session Reconnected to Window Station events, maps them to MITRE ATT&CK, and writes the triage report. No account is needed, and files are auto-deleted.

Related Event IDs

4779: Session disconnected from Window Station
4624: Logon event for the original session

Go deeper: the full Lateral Movement — Spreading Across the Network guide

Builds on this page with the attack chain, step-by-step investigation, immediate containment actions, KQL/Sigma detection queries, and an annotated example log.