EventPeeker
Event ID 4779 | Audit Success | Security

Windows Event ID 4779: Session Disconnected from Window Station

Logged when a user disconnects from a Remote Desktop session without fully logging off — the session remains active in memory.

Why It Matters

Disconnected RDP sessions (not logged off) remain alive and can be reconnected without re-authentication if an attacker gains access to the system. They also keep credentials cached in memory.

Key Fields

Account Name: The user who disconnected
Client Name / Client Address: The system they disconnected from

Investigation Tips

  1. Many disconnected (not logged off) sessions on a server increase the attack surface.
  2. Check if a 4778 follows this event from an unexpected IP — someone reconnected to the abandoned session.
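
Both tips can be checked with one pass over parsed Security events. The sketch below is an added example, not EventPeeker code: the dict layout and sample events are constructed, "unexpected" is approximated as "Client Address differs from the one that disconnected", and events are paired by Account Name on a single host (pairing on the Logon ID field is stricter).

```python
from datetime import datetime

# Constructed sample events (not real log data), already parsed from the Security log.
# Keys mirror the Key Fields above; the dict layout itself is an assumption.
EVENTS = [
    {"id": 4779, "time": "2024-05-01T17:02:11", "account": "jsmith", "client": "WS-114", "address": "10.0.4.21"},
    {"id": 4779, "time": "2024-05-01T17:30:40", "account": "svc_backup", "client": "WS-090", "address": "10.0.4.37"},
    {"id": 4778, "time": "2024-05-01T23:48:05", "account": "jsmith", "client": "DESKTOP-X", "address": "10.0.9.200"},
    {"id": 4779, "time": "2024-05-02T08:15:00", "account": "akhan", "client": "WS-120", "address": "10.0.4.55"},
    {"id": 4778, "time": "2024-05-02T08:20:30", "account": "akhan", "client": "WS-120", "address": "10.0.4.55"},
]


def correlate(events):
    """Pair each 4779 with the next 4778 for the same account.

    Returns (suspicious, still_disconnected):
      suspicious         - reconnects whose Client Address differs from the disconnect
      still_disconnected - accounts with a 4779 and no later 4778 or 4634
    """
    pending = {}      # account -> the 4779 event still awaiting a follow-up
    suspicious = []
    for ev in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        acct = ev["account"].lower()
        if ev["id"] == 4779:
            pending[acct] = ev
        elif ev["id"] == 4634:
            pending.pop(acct, None)   # a proper logoff ends the session
        elif ev["id"] == 4778 and acct in pending:
            prev = pending.pop(acct)
            if ev["address"] != prev["address"]:
                gap = datetime.fromisoformat(ev["time"]) - datetime.fromisoformat(prev["time"])
                suspicious.append({
                    "account": acct,
                    "disconnected_from": prev["address"],
                    "reconnected_from": ev["address"],
                    "idle_seconds": int(gap.total_seconds()),
                })
    return suspicious, sorted(pending)


if __name__ == "__main__":
    hits, open_sessions = correlate(EVENTS)
    for h in hits:
        print("reconnect from new address:", h)
    print("still disconnected:", open_sessions)
```

A long list in the second return value corresponds to tip 1; entries in the first correspond to tip 2 and are the ones to triage first.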


Related Event IDs

4778: Session reconnection — may follow this event
4634: Account logoff — what should happen instead of disconnect
