Penetration Testing mailing list archives

Re: XP RDP event log 682 ?

From: H Carvey <keydet89 () yahoo com>
Date: 14 Dec 2004 19:28:14 -0000

In-Reply-To: <BAY24-DAV3EF0369DD0B58FF913A23DAAA0 () phx gbl>

Bill,

I have a few event log 682's (user has reconnected to a disconnected TS
session) on an XP machine at work that shows:
Session Name:    Console
Client Name:    Unknown
Client Address:    Unknown

All other event log 682's show Session Name:    RDP-Tcp# and they also
display the Client Name and Address.

Does this mean that these Unknown ones connected via Console were
connections made by someone who hacked the password and used a stealthed OS
?


Perhaps not (what's a "stealthed OS"???)

A quick search on EventID.net reveals:
http://www.eventid.net/display.asp?eventid=682&eventno=1802&source=Security&phase=1

On TechNet:
http://www.microsoft.com/technet/security/guidance/secmod144.mspx

Scroll down to "Logon Events".

See also: "...Event ID 682 indicates when a connection to a previously disconnected session has occurred."

Hope that helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com

Current thread:

XP RDP event log 682 ? BillyBob (Dec 12)
- <Possible follow-ups>
- Re: XP RDP event log 682 ? H Carvey (Dec 14)