This post is about entries created when devices (USB or other) are connected to a Windows 8 system.
Windows 8 has added many new logs and sources to its core event logging system. Entries for device connections (insertions) are seen in at least 5 logs:

1. Microsoft Windows Kernel Pnp Device Configuration Package

Driver Package WhichDriverFrameworks-UserMode (Event 10000) - A driver package which uses user-mode driver framework version 2.0.0 is being installed on device SWDWPDBUSENUMUSBSTORDISKVENKINGSTONPRODDATATRAVELERG3REVPMAP000FEAFB7959BC7067D40086053F56307-B6BF-11D0-94F2-00A0C91EFB8B.

UserPnp (Event 20001) - Driver Management concluded the process to install driver wpdfs.infx86d67a8256c1147128wpdfs.inf for Device Instance ID SWDWPDBUSENUMUSBSTORDISKVENKINGSTONPRODDATATRAVELERG3REVPMAP000FEAFB7959BC7067D40086053F56307-B6BF-11D0-94F2-00A0C91EFB8B with the following status: 0x0.

Microsoft-Windows-DeviceSetupManagerAdmin.

Chad notes that this entry is only seen if Audit Removable Storage auditing is configured within the Object.

Microsoft Windows Kernel Pnp Device Configuration Package

Windows 8.1 System Over

The comments on occurrence are based on my limited experimentation/research with a Windows 8.1 system over the last few days. Please let me know if you are seeing any other activity or behavior or log entries.

Chad: Microsoft pledged to do a better job of logging removable device usage, but has sadly fallen short (so far). If Audit Removable Storage auditing is configured within the Object Access category of the Advanced Audit Policy Configuration, you should see a Security Event ID 4663 logged each time a removable device is introduced to the system. However, similar to Event ID 98 in the System log, the information provided by this event is not sufficient. While it alerts that a device was plugged in, it does not (yet) record the device serial number, GUID, or any other information that can be used to tie back to a specific device.

Yogesh Khatri, November 29, 2013 at 1:04 AM: Chad, that's great information.
Carvey, November 24, 2013 at 9:02 AM: Definitely more Windows Event Log entries than Windows 7. I had addressed a number of these (for Windows 7) in the Device Events sidebar on pg 118 of WFAT 3e, but the list you've provided is a bit more inclusive.

justin, July 15, 2018 at 6:58 AM: Major thanks for the post.
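As an added example (not code from the post or its commenters), the following PowerShell pulls the device-insertion events discussed above from a Windows 8.x system and extracts the device instance path from each message so entries from the different logs can be lined up per device. The channel and provider names and the Kernel-PnP event IDs 400/410 are the editor's assumptions about the underlying Windows logs, not values quoted by the post.

```powershell
# Added example (not from the original post): gather device-insertion events from
# the Windows 8.x logs discussed above and extract each message's device instance
# path so the entries can be correlated per device.
# Channel/provider names and the Kernel-PnP IDs 400 (configured) / 410 (started)
# are the editor's assumptions about the underlying logs, not values from the post.

$queries = @(
    @{ LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'; Id = 10000 }   # UMDF package install
    @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-UserPnp'; Id = 20001 }        # driver install concluded
    @{ LogName = 'Microsoft-Windows-DeviceSetupManager/Admin' }                            # device setup activity
    @{ LogName = 'Microsoft-Windows-Kernel-PnP/Configuration'; Id = 400, 410 }             # device configured / started
    @{ LogName = 'Security'; Id = 4663 }   # Removable Storage access; only present if that subcategory is audited
)

# Device instance paths in these messages begin with a bus prefix such as
# SWD\WPDBUSENUM\... or USBSTOR\DISK&VEN_...&PROD_...\<serial>&0 and run to the next space.
$pathPattern = '\b(?:SWD|USBSTOR|USB|WPDBUSENUM)\\[^\s]+'

$events = foreach ($q in $queries) {
    try {
        Get-WinEvent -FilterHashtable $q -ErrorAction Stop
    } catch {
        # Missing channel, or no matching events yet (e.g. auditing not enabled for 4663)
        Write-Warning "$($q.LogName): $($_.Exception.Message)"
    }
}

$events |
    ForEach-Object {
        $m = [regex]::Match($_.Message, $pathPattern)
        # 4663 carries no instance path or serial (see Chad's comment), so this stays empty for it
        $path = if ($m.Success) { $m.Value.TrimEnd('.') } else { $null }
        [pscustomobject]@{
            TimeCreated = $_.TimeCreated
            LogName     = $_.LogName
            EventId     = $_.Id
            DevicePath  = $path
        }
    } |
    Sort-Object TimeCreated |
    Format-Table -AutoSize -Wrap
```

Run it from an elevated prompt; the Security channel is not readable without administrative rights, and a warning for that channel or for 4663 usually means the Removable Storage audit subcategory is not enabled.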