Event ID 4779 | Audit Success | Security
Windows Event ID 4779 — Session Disconnected from Window Station
Logged when a user disconnects from a Remote Desktop session without fully logging off — the session remains active in memory.
Why It Matters
Disconnected RDP sessions (not logged off) remain alive and can be reconnected without re-authentication if an attacker gains access to the system. They also keep credentials cached in memory.
Key Fields
- Account Name: The user who disconnected
- Client Name / Client Address: The system they disconnected from
Investigation Tips
1. Many disconnected (not logged off) sessions on a server increase the attack surface.
2. Check if a 4778 follows this event from an unexpected IP — someone reconnected to the abandoned session.
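Both tips can be checked in one pass over exported events. The following is an added example, not part of the original page or any tool's code: it pairs each 4779 with the next 4778 for the same account and flags reconnects from a different client address. The record layout, the sample events, and the rule that "unexpected" means "different from the address seen at disconnect" are assumptions of this example.

```python
from datetime import datetime

# Constructed sample records (not real log data). Field names mirror the
# page's Key Fields; the dict layout itself is an assumption of this example.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 4779, "account": "alice",
     "client_name": "WKS-ALICE", "client_address": "10.0.0.15"},
    {"time": "2024-05-01T09:30:00", "event_id": 4779, "account": "bob",
     "client_name": "WKS-BOB", "client_address": "10.0.0.22"},
    {"time": "2024-05-01T13:05:00", "event_id": 4778, "account": "alice",
     "client_name": "WKS-ALICE", "client_address": "10.0.0.15"},
    {"time": "2024-05-01T23:40:00", "event_id": 4778, "account": "bob",
     "client_name": "DESKTOP-X", "client_address": "10.0.9.77"},
    {"time": "2024-05-02T08:00:00", "event_id": 4779, "account": "carol",
     "client_name": "WKS-CAROL", "client_address": "10.0.0.31"},
]


def correlate_sessions(events):
    """Pair each 4779 (disconnect) with the next 4778 (reconnect) per account.

    Returns (flagged, still_disconnected):
      flagged            - reconnects whose client address differs from the
                           address recorded at disconnect time
      still_disconnected - accounts with a 4779 and no later 4778
    """
    pending = {}   # account (lower-cased) -> last unmatched 4779 record
    flagged = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        key = ev["account"].lower()
        if ev["event_id"] == 4779:
            pending[key] = ev
        elif ev["event_id"] == 4778:
            disc = pending.pop(key, None)
            # A 4778 with no earlier 4779 in the window cannot be compared.
            if disc and disc["client_address"] != ev["client_address"]:
                gap = (datetime.fromisoformat(ev["time"])
                       - datetime.fromisoformat(disc["time"]))
                flagged.append({"account": ev["account"],
                                "disconnected_from": disc["client_address"],
                                "reconnected_from": ev["client_address"],
                                "idle_seconds": int(gap.total_seconds())})
    return flagged, sorted(p["account"] for p in pending.values())
```

A flagged pair is a lead to verify against the user's known devices, since people legitimately reconnect from a second machine.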