Penetration Testing mailing list archives
Re: XP RDP event log 682 ?
From: H Carvey <keydet89 () yahoo com>
Date: 14 Dec 2004 19:28:14 -0000
In-Reply-To: <BAY24-DAV3EF0369DD0B58FF913A23DAAA0 () phx gbl>

Bill,
> I have a few event log 682's (user has reconnected to a disconnected TS session) on an XP machine at work that shows:
>
> Session Name: Console
> Client Name: Unknown
> Client Address: Unknown
>
> All other event log 682's show Session Name: RDP-Tcp# and they also display the Client Name and Address. Does this mean that these Unknown ones connected via Console were connections made by someone who hacked the password and used a stealthed OS?
Perhaps not (what's a "stealthed OS"???)

A quick search on EventID.net reveals:
http://www.eventid.net/display.asp?eventid=682&eventno=1802&source=Security&phase=1

On TechNet:
http://www.microsoft.com/technet/security/guidance/secmod144.mspx

Scroll down to "Logon Events".

See also: "...Event ID 682 indicates when a connection to a previously disconnected session has occurred."

Hope that helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
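A small triage script for the situation discussed in this thread, added here as an example and not part of either post: it parses exported Event ID 682 descriptions and separates records that name a client from those showing Unknown, so the latter can be reviewed against other logon events. The text layout, sample values and function names are constructed assumptions; only the Session Name, Client Name and Client Address labels come from the post.

```python
import re

# Constructed sample: Event ID 682 records flattened to 'Label: value' text,
# one blank line between records. Layout and values are assumptions.
SAMPLE = """\
Event ID: 682
Time: 2004-12-10 08:02:11
User Name: alice
Session Name: RDP-Tcp#3
Client Name: WKSTN-07
Client Address: 192.0.2.15

Event ID: 682
Time: 2004-12-11 22:47:30
User Name: alice
Session Name: Console
Client Name: Unknown
Client Address: Unknown

Event ID: 682
Time: 2004-12-12 09:15:04
User Name: bob
Session Name: RDP-Tcp#5
Client Name: LAPTOP-02
Client Address: 192.0.2.44
"""

FIELD = re.compile(r"^\s*([^:]+?)\s*:\s*(.*?)\s*$")

def parse_records(text):
    """Split on blank lines; keep only records whose Event ID is 682."""
    records = []
    for block in re.split(r"\n\s*\n", text.strip()):
        rec = dict(m.groups() for m in map(FIELD.match, block.splitlines()) if m)
        if rec.get("Event ID") == "682":
            records.append(rec)
    return records

def triage(records):
    """Group 682 records by whether the event names the connecting client."""
    groups = {"client_recorded": [], "client_unknown": []}
    for rec in records:
        client = (rec.get("Client Name", ""), rec.get("Client Address", ""))
        has_client = all(v and v.lower() != "unknown" for v in client)
        groups["client_recorded" if has_client else "client_unknown"].append(rec)
    return groups

if __name__ == "__main__":
    print({k: len(v) for k, v in triage(parse_records(SAMPLE)).items()})
```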