1. The "I Just Plugged In a USB" Log (Event ID 20001) (System Logs)
When you plug in a USB device (or any new device), Windows tries to install a driver for it. That driver installation is recorded in the System log as Event ID 20001 from the Microsoft-Windows-UserPnp provider.
What's in it?
When: The exact time the device was plugged in.
What: The device instance ID (vendor ID, product ID and the device's serial number, if it reports one) plus the driver that was installed.
Status: The final install status; 0x0 means the driver installed without problems.
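The following PowerShell is an added example, not code from the original post. It pulls Event ID 20001 from the System log and splits the device instance ID into vendor, product and serial, so one stick can be told from another. It assumes the provider name Microsoft-Windows-UserPnp and the EventData field names DeviceInstanceID, InstallStatus and DriverDescription as this event carries them, and falls back to the rendered message text if a field is missing.

```powershell
# Added example; not code from the original post.
# Pulls Event ID 20001 (driver installation) from the System log and breaks the
# device instance ID into vendor, product and serial so you can tell one stick from another.
# Assumptions: provider name Microsoft-Windows-UserPnp, and the EventData field names
# DeviceInstanceID / InstallStatus / DriverDescription as this event carries them;
# the message text is used as a fallback if a field is missing.

function Get-UsbDriverInstallEvents {
    param([datetime]$Since = (Get-Date).AddDays(-30))

    $filter = @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-UserPnp'; Id = 20001; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Named EventData fields are more reliable to parse from the raw XML than from the rendered message
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $instanceId = $data['DeviceInstanceID']
        if (-not $instanceId -and $_.Message -match 'Device Instance ID\s+(\S+)') { $instanceId = $Matches[1] }
        if ($instanceId -notmatch '^USB') { return }   # keep USB\VID_...&PID_... and USBSTOR\... instances only

        # USB\VID_xxxx&PID_yyyy\<serial>   or   USBSTOR\DISK&VEN_...&PROD_...&REV_...\<serial>&0
        $parts  = $instanceId -split '\\'
        $serial = $parts[-1] -replace '&0$', ''
        $vendor = ''
        if ($parts[1] -match 'VID_([0-9A-Fa-f]{4})') { $vendor = "VID $($Matches[1])" }
        elseif ($parts[1] -match 'VEN_([^&]+)')       { $vendor = $Matches[1] }

        [pscustomobject]@{
            Time       = $_.TimeCreated
            Vendor     = $vendor
            Serial     = $serial
            # If the second character of the serial is '&', Windows generated it because the device
            # reported no serial: it then identifies the USB port used, not the physical device.
            RealSerial = -not ($serial.Length -gt 1 -and $serial[1] -eq '&')
            Status     = $data['InstallStatus']
            Driver     = $data['DriverDescription']
            InstanceId = $instanceId
        }
    }
}

Get-UsbDriverInstallEvents | Sort-Object Time | Format-Table -AutoSize
```

Run it in an elevated PowerShell on the host being examined. The RealSerial column is the check worth keeping: a serial whose second character is `&` was made up by Windows, so two different sticks without a hardware serial can show the same value on the same port.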
2. More About Your Devices (DriverFrameworks Log)
Windows 7 and later record device connections and disconnections in the Windows Driver Frameworks user-mode channel, Microsoft-Windows-DriverFrameworks-UserMode/Operational (stored as Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx under C:\Windows\System32\winevt\Logs). This is your go-to log for connect/disconnect times.
Check that it is actually recording before you rely on it: on Windows 8 and later this channel is disabled by default, so it holds nothing until someone switched it on.
What it tells you:
Device connection and disconnection times.
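As an added example (not code from the original post), the following PowerShell checks whether the DriverFrameworks-UserMode/Operational channel is enabled, turns it on if not, and builds a per-device connect/disconnect timeline from it. It assumes event IDs 2003 (the UMDF host is asked to load drivers for a device, i.e. arrival) and 2100/2102 (PnP remove operations, i.e. removal) as the connect/disconnect markers; these are the IDs commonly cited for this purpose and should be confirmed against your own build. The device path is pulled out of the message text by pattern.

```powershell
# Added example; not code from the original post.
# Checks that the DriverFrameworks-UserMode/Operational channel is recording, then builds
# a per-device connect/disconnect timeline from it.
# Assumptions: the channel is off by default on Windows 8 and later (so enabling it is shown);
# event IDs 2003 (host asked to load drivers: device arrival) and 2100/2102 (PnP remove
# operations: device removal) are the commonly cited markers and should be confirmed on
# your own build; the device path is extracted from the message text by pattern.

$channel = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

function Enable-UmdfChannel {
    # "wevtutil gl" reports "enabled: false" while the log is off; "sl /e:true" switches it on (run as admin)
    $state = wevtutil gl $channel | Select-String '^enabled:'
    if ("$state" -match 'false') { wevtutil sl $channel /e:true }
}

function Get-UmdfDeviceTimeline {
    param([datetime]$Since = (Get-Date).AddDays(-30))
    $kind = @{ 2003 = 'connect'; 2100 = 'disconnect'; 2102 = 'disconnect' }

    Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = @($kind.Keys); StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The message embeds the device path in either of these shapes:
            #   USB\VID_0781&PID_5567\4C530001...     USBSTOR#DISK&VEN_...&PROD_...#4C530001...&0#{guid}
            if ($_.Message -match '(USB(?:STOR)?[\\#][^\s"{]+)') {
                [pscustomobject]@{
                    Time   = $_.TimeCreated
                    Event  = $kind[$_.Id]
                    Id     = $_.Id
                    Device = $Matches[1].TrimEnd('#')
                }
            }
        } | Sort-Object Time
}

Enable-UmdfChannel
Get-UmdfDeviceTimeline | Group-Object Device | ForEach-Object {
    "== $($_.Name)"
    $_.Group | Format-Table Time, Event, Id -AutoSize | Out-String
}
```

Enabling the channel only helps going forward; anything that happened while it was disabled is simply not there, which is why the 20001 and 6416 events are worth checking alongside it.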
3. Who Did What with Which USB (Event ID 4663)
Windows can also audit access to files and folders on removable devices. Once the "Audit Removable Storage" subcategory (under Object Access in the Advanced Audit Policy Configuration) is enabled, each access is recorded in the Security log as Event ID 4663, which is super handy.
Why it's cool:
It ties a user account (and the process it ran) to a specific file on the removable volume, together with the kind of access requested, such as reading or writing data.
What it logs: A record of every access to removable storage (in practice, use of personal/BYOD devices), but only after the audit policy has been configured; nothing is recorded retroactively.
4. Missed Attempts (Event ID 4656)
Access to a removable device can also be refused by security settings. With failure auditing enabled on the same "Audit Removable Storage" subcategory, Event ID 4656 ("A handle to an object was requested") records those failed attempts.
What it shows:
Failed access to removable devices.
5. All About Plugging and Playing (Event ID 6416)
Within the Advanced Audit Policy Configuration, under "Detailed Tracking", there is an "Audit PNP Activity" subcategory (available on Windows 10 and Windows Server 2016 and later). If it is enabled (it is not on by default), the Security log records an event every time a Plug and Play device is added to the system. The policy can be set for both success and failure auditing, but only successful attempts are logged in practice.
Want a centralized log of all device additions? Event ID 6416 ("A new external device was recognized by the system") is logged every time a device is plugged in.
Why it's good:
Detailed hardware information (device ID, description, class, vendor and compatible IDs, and the account that was logged on when the device arrived), all in one place: the Security log.
6. BitLocker Logs (MBAM)
If the computer uses BitLocker with the MBAM client (Microsoft BitLocker Administration and Monitoring) installed, the Microsoft-Windows-MBAM/Operational log records when removable media is mounted or dismounted.
Why it's handy:
Each entry carries the volume GUID, which ties the mount to a specific encrypted volume and lets you correlate it with the device events in the other logs.
Tip: enable both "Audit Removable Storage" (EID 4663) and "Audit Plug and Play Activity" (EID 6416).
The two event IDs complement each other very well: 6416 identifies the device and the moment it was attached, and 4663 identifies which user account touched which files on it. Lining them up by timestamp ties the user to the device.
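The correlation the tip describes, as an added PowerShell example (not code from the original post): it enables the two audit subcategories, then joins each Removable Storage access (4663 on success, 4656 on failure) to the most recent 6416 device arrival, so a file touched on a USB stick is attributed to both a user and a device. It assumes the auditpol subcategory names of an English Windows ("Plug and Play Events" under Detailed Tracking, "Removable Storage" under Object Access), the EventData field names SubjectDomainName, SubjectUserName, ObjectName, AccessMask and ProcessName for 4663/4656 and DeviceId and DeviceDescription for 6416, the English task category string "Removable Storage", and a 60-minute correlation window that is a tunable guess rather than a Windows constant.

```powershell
# Added example; not code from the original post.
# Enables the two audit subcategories the tip recommends, then joins each Removable
# Storage access (4663 success / 4656 failure) to the most recent 6416 device arrival
# so that a file touched on a USB stick is attributed to a user AND a device.
# Assumptions: auditpol subcategory names as on English Windows; EventData field names
# SubjectDomainName/SubjectUserName/ObjectName/AccessMask/ProcessName (4663, 4656) and
# DeviceId/DeviceDescription (6416); TaskDisplayName compared against the English string;
# the 60-minute correlation window is a tunable guess, not a Windows constant.

function Enable-RemovableMediaAuditing {
    # Both subcategories are off by default. Plug and Play only yields success audits in practice.
    auditpol /set /subcategory:"Plug and Play Events" /success:enable
    auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
    auditpol /get /subcategory:"Plug and Play Events","Removable Storage"
}

function ConvertFrom-EventData($record) {
    # Flatten <Data Name="X">value</Data> nodes into a hashtable
    $xml = [xml]$record.ToXml(); $d = @{}
    foreach ($n in $xml.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-RemovableMediaAccess {
    param([datetime]$Since = (Get-Date).AddDays(-7), [int]$WindowMinutes = 60)

    # 6416: "A new external device was recognized by the system"
    $arrivals = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 6416; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{ Time = $_.TimeCreated; DeviceId = $d['DeviceId']; Description = $d['DeviceDescription'] }
        } | Where-Object { $_.DeviceId -like 'USB*' } | Sort-Object Time

    $auditFailure = [long][System.Diagnostics.Eventing.Reader.StandardEventKeywords]::AuditFailure

    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663, 4656; StartTime = $Since } -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskDisplayName -eq 'Removable Storage' } |
        ForEach-Object {
            $failed = ($_.Keywords -band $auditFailure) -ne 0
            if ($_.Id -eq 4656 -and -not $failed) { return }   # successful handle requests: the 4663 carries the outcome
            $d = ConvertFrom-EventData $_
            $t = $_.TimeCreated

            # Decode the access mask into the operations an analyst cares about
            $mask = if ($d['AccessMask']) { [Convert]::ToInt32($d['AccessMask'], 16) } else { 0 }
            $ops  = @()
            if ($mask -band 0x1)     { $ops += 'Read' }     # FILE_READ_DATA / LIST_DIRECTORY
            if ($mask -band 0x6)     { $ops += 'Write' }    # FILE_WRITE_DATA / FILE_APPEND_DATA
            if ($mask -band 0x10000) { $ops += 'Delete' }   # DELETE

            # Most recent USB arrival before this access, inside the window
            $dev = $arrivals | Where-Object { $_.Time -le $t -and $_.Time -ge $t.AddMinutes(-$WindowMinutes) } | Select-Object -Last 1

            [pscustomobject]@{
                Time     = $t
                User     = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Outcome  = if ($failed) { 'DENIED' } else { 'OK' }
                Access   = ($ops -join ',')
                Object   = $d['ObjectName']
                Process  = $d['ProcessName']
                Device   = if ($dev) { $dev.Description } else { '(no 6416 in window)' }
                DeviceId = if ($dev) { $dev.DeviceId } else { '' }
            }
        }
}

Enable-RemovableMediaAuditing
Get-RemovableMediaAccess | Sort-Object Time | Format-Table -AutoSize
```

Rows marked "(no 6416 in window)" are the ones to look at twice: either the device was attached before auditing was turned on, or it was attached longer ago than the window allows, so widen WindowMinutes before concluding the access came from an unknown device.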
So, What's the Scoop?
Windows logs are like a treasure trove for anyone curious about device activity. You can see when devices were plugged in, what was done with them, and even who did it.
Sure, it's not always straightforward. Sometimes you'll need to piece together info from different logs. But with a bit of patience, you'll get the full picture of your device's journey.
Update: Windows 11 and Beyond
With Windows 11, the logging game has gotten even better. Now, you can see even more detailed hardware information, making it easier to identify which device is which. So, if you're running Windows 11 or planning to, you're in for an even more detailed log-reading adventure!
Akash Patel