Friday, 22 November 2013

Event Log entries for Devices in Windows 8

This post is about entries created when devices (USB or other) are connected to a Windows 8 system. This post does not talk about Windows Event log basics, its format or parsers or where you can find them on a system. I assume you are here because you already know about that and simply want to know about USB artifacts in event logs on Windows 8.

Windows 8 has added many new Logs and Sources to its core Event Logging system. Entries for device connections (insertions) are seen in at least 5 logs:

1. SYSTEM

Source | Event IDs | When it occurs
--- | --- | ---
Ntfs | 98, ?? | Every time a storage device containing an NTFS volume is connected
DriverFrameworks-UserMode | 10000 | Device first connect only
UserPnp | 20001, 20003 | Device first connect only

Description snippets:
Ntfs (Event 98) - Volume E: (\Device\HarddiskVolume4) is healthy. No action is needed.

DriverFrameworks-UserMode (Event 10000) - A driver package which uses user-mode driver framework version 2.0.0 is being installed on device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_PMAP#000FEAFB7959BC7067D40086&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}.

UserPnp (Event 20001) - Driver Management concluded the process to install driver wpdfs.inf_x86_d67a8256c1147128\wpdfs.inf for Device Instance ID SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_PMAP#000FEAFB7959BC7067D40086&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} with the following status: 0x0.

2. Microsoft-Windows-DeviceSetupManager/Admin

Source | Event IDs | When it occurs
--- | --- | ---
DeviceSetupManager | 112 | Device first connect only or when connected to a different port

Description snippet:
DeviceSetupManager (Event 112) - Device 'HASP HL 3.25' ({95abe994-529a-11e3-971d-806e6f6e6963}) has been serviced, processed 5 tasks, wrote 42 properties, active worktime was 136063 milliseconds.

3. Microsoft-Windows-DeviceSetupManager/Operational

Source | Event IDs | When it occurs
--- | --- | ---
DeviceSetupManager | 300, 301 | Device first connect only or when connected to a different port

Description snippet:
DeviceSetupManager (Event 300) - The device container '{D7FD8C4F-2F70-A826-D5FA-20A112B90D4E}' has entered the ready state

4. Microsoft-Windows-Kernel-PnP/Device Configuration

Source | Event IDs | When it occurs
--- | --- | ---
Kernel-PnP | 400, 410, 420 | Device first connect only

Description snippet:
Kernel-PnP (Event 400) - Device USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_PMAP\000FEAFB7959BC7067D40086&0 was configured.

5. Microsoft-Windows-Kernel-PnPConfig/Configuration

Source | Event IDs | When it occurs
--- | --- | ---
Kernel-PnP | 1, 2, 3, 4 | Device first connect only or when connected to a different port

6. Security

Source | Event IDs | When it occurs
--- | --- | ---
Microsoft-Windows-Security-Auditing | 4663 | Each time a device is connected to the system

Comment: Chad Tilbury alerted me to this one. Chad notes that this entry is only seen if “Audit Removable Storage” auditing is configured within the Object Access category of the Advanced Audit Policy Configuration.

The comments on occurrence are based on my limited experimentation/research with a Windows 8.1 system over the last few days. Please let me know if you are seeing any other activity, behavior or log entries.
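As an added example (not part of the original post), the script below parses the device instance strings quoted above and correlates entries across the System and Kernel-PnP logs by the device serial number, which is the only field the three "first connect" entries share. It also shows the gap the post points out: the Ntfs 98 entry (and, per the comment below, Security 4663) carries no device identifier, so those records can only be counted, not attributed to a device. The regular expression, the function names and the sample records (with invented timestamps around the device strings quoted in the post) are my own constructions, not anything Windows or a parser library provides.

```python
import re
from collections import defaultdict

# Matches the USBSTOR instance string as it appears in both forms quoted in the
# post: the SWD\WPDBUSENUM form (with '#' separators, upper case) used by
# DriverFrameworks-UserMode 10000 / UserPnp 20001, and the USBSTOR\ form
# (with '\' separators, mixed case) used by Kernel-PnP 400.
USBSTOR_RE = re.compile(
    r"USBSTOR[#\\]DISK&VEN_(?P<vendor>[^&]+)&PROD_(?P<product>[^&]+)"
    r"&REV_(?P<rev>[^#\\]+)[#\\](?P<serial>[^&#\\]+)&(?P<instance>\d+)",
    re.IGNORECASE,
)

# Constructed sample records (hypothetical timestamps; messages are the
# description snippets from the post).
SAMPLE_EVENTS = [
    {"time": "2013-11-20T09:15:02", "log": "System", "id": 10000,
     "message": r"A driver package which uses user-mode driver framework version 2.0.0 is being installed on device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_PMAP#000FEAFB7959BC7067D40086&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}."},
    {"time": "2013-11-20T09:15:03", "log": "System", "id": 20001,
     "message": r"Driver Management concluded the process to install driver wpdfs.inf_x86_d67a8256c1147128\wpdfs.inf for Device Instance ID SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_PMAP#000FEAFB7959BC7067D40086&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} with the following status: 0x0"},
    {"time": "2013-11-20T09:15:03", "log": "Microsoft-Windows-Kernel-PnP/Device Configuration", "id": 400,
     "message": r"Device USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_PMAP\000FEAFB7959BC7067D40086&0 was configured."},
    {"time": "2013-11-20T09:15:04", "log": "System", "id": 98,
     "message": r"Volume E: (\Device\HarddiskVolume4) is healthy. No action is needed."},
    {"time": "2013-11-21T14:02:11", "log": "System", "id": 98,
     "message": r"Volume E: (\Device\HarddiskVolume4) is healthy. No action is needed."},
]


def parse_device_id(message):
    """Return vendor/product/revision/serial from a USBSTOR instance string, or None.

    Vendor, product and revision are upper-cased because the two log families
    quote them with different casing; the serial is left untouched since it is
    the key used to tie entries together."""
    m = USBSTOR_RE.search(message)
    if not m:
        return None
    return {
        "vendor": m["vendor"].upper(),
        "product": m["product"].upper(),
        "rev": m["rev"].upper(),
        "serial": m["serial"],
    }


def correlate(events):
    """Group events by device serial, oldest first; entries with no device
    identifier (e.g. Ntfs 98) are collected under the key None."""
    by_serial = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        dev = parse_device_id(ev["message"])
        key = dev["serial"] if dev else None
        by_serial[key].append(
            {"time": ev["time"], "log": ev["log"], "id": ev["id"], "device": dev}
        )
    return dict(by_serial)


def summarize(events):
    """Return ({serial: first-seen summary}, [unattributed entries])."""
    groups = correlate(events)
    devices = {}
    for serial, evs in groups.items():
        if serial is None:
            continue
        dev = evs[0]["device"]
        devices[serial] = {
            "vendor": dev["vendor"],
            "product": dev["product"],
            "first_seen": evs[0]["time"],
            "sources": sorted({(e["log"], e["id"]) for e in evs}),
        }
    return devices, groups.get(None, [])


if __name__ == "__main__":
    known, unattributed = summarize(SAMPLE_EVENTS)
    for serial, info in known.items():
        print(serial, info["vendor"], info["product"], "first seen", info["first_seen"])
        for log, eid in info["sources"]:
            print("   ", log, eid)
    print(len(unattributed), "connection entries carry no device identifier")
```

On a live system the same functions can be fed records pulled from the event logs (for example the `Message` text of each record); the point of the serial-keyed grouping is that a device's first-connect entries can be tied together across logs, while the repeated Ntfs 98 entries only tell you that some NTFS volume was mounted again.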

4 comments:

  1. I have also been researching USB logging in Windows 8. Microsoft pledged to do a better job of logging removable device usage, but has sadly fallen short (so far). If “Audit Removable Storage” auditing is configured within the Object Access category of the Advanced Audit Policy Configuration, you should see a Security Event ID 4663 logged each time a removable device is introduced to the system. However, similar to Event ID 98 in the System log, the information provided by this event is not sufficient. While it alerts that a device was plugged in, it does not (yet) record the device serial number, GUID, or any other information that can be used to tie back to a specific device.

1. Chad, that's great information. I will add it to the list above.

  2. Definitely more Windows Event Log entries than Windows 7. I had addressed a number of these (for Windows 7) in the "Device Events" sidebar on pg 118 of WFAT 3/e, but the list you've provided is a bit more inclusive. Thanks for sharing this.
