Friday, 22 November 2013

Event Log entries for Devices in Windows 8

This post is about entries created when devices (USB or other) are connected to a Windows 8 system. This post does not talk about Windows Event log basics, its format or parsers or where you can find them on a system. I assume you are here because you already know about that and simply want to know about USB artifacts in event logs on Windows 8.

Windows 8 has added many new Logs and Sources to its core Event Logging system. Entries for device connections (insertions) are seen in at least 5 logs:

1. SYSTEM

Source Event IDs When it Occurs?
Ntfs 98, ?? Every time a storage device containing an NTFS volume is connected
DriverFrameworks-UserMode 10000 Device first connect only
UserPnp 20001, 20003 Device first connect only

Description snippets:
Ntfs (Event 98) - Volume E: (\Device\HarddiskVolume4) is healthy. No action is needed.

DriverFrameworks-UserMode (Event 10000) - A driver package which uses user-mode driver framework version 2.0.0 is being installed on device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_PMAP#000FEAFB7959BC7067D40086&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}.

UserPnp (Event 20001) - Driver Management concluded the process to install driver wpdfs.inf_x86_d67a8256c1147128\wpdfs.inf for Device Instance ID SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_G3&REV_PMAP#000FEAFB7959BC7067D40086&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} with the following status: 0x0
.

2. Microsoft-Windows-DeviceSetupManager/Admin

Source Event IDs When it Occurs?
DeviceSetupManager 112 Device first connect only or when connected to a different port

Description snippet:
DeviceSetupManager (Event 112) - Device 'HASP HL 3.25' ({95abe994-529a-11e3-971d-806e6f6e6963}) has been serviced, processed 5 tasks, wrote 42 properties, active worktime was 136063 milliseconds.

3. Microsoft-Windows-DeviceSetupManager/Operational

SourceEvent IDsWhen it Occurs?
DeviceSetupManager300, 301Device first connect only or when connected to a different port

Description snippet:
DeviceSetupManager (Event 300) - The device container '{D7FD8C4F-2F70-A826-D5FA-20A112B90D4E}' has entered the ready state

4. Microsoft-Windows-Kernel-PnP/Device Configuration

SourceEvent IDsWhen it Occurs?
Kernel-PnP400, 410, 420Device first connect only

Description snippet:
Kernel-PnP (Event 400)Device USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_PMAP\000FEAFB7959BC7067D40086&0 was configured.

5. Microsoft-Windows-Kernel-PnPConfig/Configuration

SourceEvent IDsWhen it Occurs?
Kernel-PnP1, 2, 3, 4Device first connect only or when connected to a different port

6. Security

SourceEvent IDsWhen it Occurs?
Microsoft-Windows-Security-Auditing4663Each time device is connected to system

Comment: Chad Tilbury alerted me to this one. Chad notes that this entry is only seen if “Audit Removable Storage” auditing is configured within the Object Access category of the Advanced Audit Policy Configuration.

The comments on occurrence are based on my limited experimentation/research with a Windows 8.1 system over the last few days. Please let me if you are seeing any other activity or behavior or log entries.

Wednesday, 20 November 2013

Windows 8 New Registry Artifacts Part 1 - New Device Timestamps

Tracking USB device insertion times has never been an easy task given that there is no direct timestamp saved by windows for this activity, ie, until Windows 8 arrived! This was a real pain in Windows Vista and 7 as dates and times were obtained from many different Registry keys’ Last Modified timestamps. And while this was reasonably reliable, timestamps thus retrieved always had to be taken with a pinch of salt!

All that changes with Windows 8. After a bit of experimentation, I have found that Windows 8 has added 3 new timestamps to the registry for Device Last Insertion Date, Device Last Removal Date and Firmware Date. This is located alongside other device properties in the SYSTEM hive under CurrentControlSet\Enum\DeviceType\DeviceID\InstanceID\{GUID}\Properties\xxxx 

Example: \CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_PMAP\000FEAFB9197BC7067D500C8&0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default)

The picture below will make things clear.



All timestamps are in the standard windows 64 bit (FILETIME) format.

Windows 7 already had these three timestamps:

Name Property Path
Driver Assembly Date {a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002
Install Date {83da6326-97a6-4088-9453-a1923f573b29}\0064
First Install Date {83da6326-97a6-4088-9453-a1923f573b29}\0065

Edit for clarification: The property paths shown above are for Windows 8. In Windows 7, this would be under
"{GUID}\00xx\00000000\Data" instead of "{GUID}\00xx"

Comment- I have always seen Install Date and First Install Date to contain the same exact timestamp. My guess would be that it would only differ when a driver is re-installed or updated. Update- Harlan Carvey has discussed this issue and the above timestamps here.

Windows 8 adds 3 new timestamps:

Name Property Path
Last Arrival Date {83da6326-97a6-4088-9453-a1923f573b29}\0066
Last Removal Date {83da6326-97a6-4088-9453-a1923f573b29}\0067
Firmware Date {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0011

After some research, I was able to verify these details by looking into the Windows SDK.  These properties have been defined in the include file ‘devpkey.h’. The last timestamp 'Firmware Date' has only been introduced in Windows 8.1 and I have not yet seen it in the registry. The term 'Last Arrival' is the one used by Microsoft, I will prefer calling it 'Last Insertion'.

With this new information, we will have accurate timestamps and not need to jump through hoops for determining Last Insertion (arrival) and Last Removal times. There are a few other changes in the windows 8 registry which will be in subsequent parts of this series of posts on Win 8 Registry.

That’s not all that changes when devices are inserted into a windows 8 machine. In the next article I will walk through all the windows event log changes. In case you are wondering, yes, there are plenty of events in the event logs for device setups/insertions/removals.