Re: XP RDP event log 682 ?

From: H Carvey (keydet89@yahoo.com)
Date: Tue Dec 14 2004 - 14:28:14 EST


In-Reply-To: <BAY24-DAV3EF0369DD0B58FF913A23DAAA0@phx.gbl>

Bill,

>I have a few event log 682's (user has reconnected to a disconnected TS
>session) on an XP machine at work that shows:
>Session Name: Console
>Client Name: Unknown
>Client Address: Unknown
>
>All other event log 682's show Session Name: RDP-Tcp# and they also
>display the Client Name and Address.
>
>Does this mean that these Unknown ones connected via Console were
>connections made by someone who hacked the password and used a stealthed OS
>?

Perhaps not (what's a "stealthed OS"???)

A quick search on EventID.net reveals:
http://www.eventid.net/display.asp?eventid=682&eventno=1802&source=Security&phase=1

On TechNet:
http://www.microsoft.com/technet/security/guidance/secmod144.mspx

Scroll down to "Logon Events".

See also: "...Event ID 682 indicates when a connection to a previously disconnected session has occurred."

Hope that helps,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com


