From: H Carvey (keydet89@yahoo.com)
Date: Tue Dec 14 2004 - 14:28:14 EST
Bill,
>I have a few event log 682's (user has reconnected to a disconnected TS
>session) on an XP machine at work that shows:
>Session Name: Console
>Client Name: Unknown
>Client Address: Unknown
>
>All other event log 682's show Session Name: RDP-Tcp# and they also
>display the Client Name and Address.
>
>Does this mean that these Unknown ones connected via Console were
>connections made by someone who hacked the password and used a stealthed OS
>?
Perhaps not (what's a "stealthed OS"???)
A quick search on EventID.net reveals:
http://www.eventid.net/display.asp?eventid=682&eventno=1802&source=Security&phase=1
On TechNet:
http://www.microsoft.com/technet/security/guidance/secmod144.mspx
Scroll down to "Logon Events".
See also: "...Event ID 682 indicates when a connection to a previously disconnected session has occurred."
Hope that helps,
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:10 EDT