SOC Event Lookup
Event ID 4778LogonP3

Windows Event ID 4778: A session was reconnected to a Window Station

Windows Security Event ID 4778 records reconnection to an existing Terminal Services, Fast User Switching, or Hyper-V Enhanced Session desktop session.

Applicable version
Windows Server 2008 and later where the audit subcategory is enabled
Last reviewed
2026-07-13

Trigger Scenarios

Microsoft documents that this event is generated when a user reconnects to an existing Terminal Services session or switches to an existing desktop.

Key Fields

Account Name / Account Domain / Logon ID

The user and hexadecimal session identifier associated with the reconnect.

Session Name

The terminal session name such as RDP-Tcp#0.

Client Name / Client Address

The reconnecting endpoint. Client Address is the concrete source for RDP session-return investigation.

Common False Positives

  • Normal RDP reconnects after network interruption or user lock/unlock activity.
  • Hyper-V Enhanced Session reconnects can generate the same event.

Related Events

MITRE ATT&CK Mapping

  • T1021.001Remote Services: Remote Desktop Protocol

Detection Notes

Alert when Client Address is a new external or VPN source for a privileged Account Name and Session Name is RDP-Tcp#0 or another RDP session. Microsoft documents Client Address and Session Name for 4778; reconnecting to an existing session can let T1021.001 Remote Desktop Protocol activity resume without a fresh interactive 4624 Type 10 pattern. Correlate Logon ID with 4624, 4779, and command execution after reconnection.

Microsoft Sentinel KQL
SecurityEvent
| where EventID == 4778
| project TimeGenerated, Computer, Account, SessionName, ClientAddress, LogonID
Splunk SPL
index=wineventlog EventCode=4778 | table _time, host, Account_Name, Session_Name, Client_Address, Logon_ID
Sample Log
EventID: 4778
Account Name: admin
Account Domain: CORP
Logon ID: 0x169e9
Session Name: RDP-Tcp#0
Client Name: LAPTOP42
Client Address: 10.42.42.211

Source