Automatically generated based on tag:

Title: ETW - Devices and USB activity
Type: Page
Summary: For devices and USB activity.

Various events are generated for devices and USB activity, split across a number of channels. More events and more information are available on recent versions of the Windows operating system.

Using known variables about a given device, found for example in the Windows registry, events can be used to determine timestamps of activity for the device, such as when the device was first plugged in, last plugged in and last unplugged.

Additionally, supplementary information about devices can be retrieved from events, such as device storage sizes and an extract of their partition table.

Location:
Channels:

Microsoft-Windows-Storage-ClassPnP/Operational.
Events: 507, 500, 502, 503, 504, 505, 506, 510.

Microsoft-Windows-Kernel-PnP/Device Configuration.
Events: 400, 401, 410, 411, 420, 430.

Microsoft-Windows-Kernel-PnP/Device Management.
Event: 1010.

Microsoft-Windows-Partition/Diagnostic.
Event: 1006.

Microsoft-Windows-Ntfs/Operational.
Events: 142, 4, 9, 10, 300, 303.

Title: ETW - System uptime
Type: Page
Summary: System boot and shutdown events, to determine the time ranges during which the system was turned on.

Main events:

Event 1074: "The process <PROCESS_EXE> has initiated the xxx of computer <HOSTNAME> on behalf of user <USERNAME> for the following reason: <SHUTDOWN_REASON_TEXT>".

Event 12: "The operating system started at system time <TIME>".

Event 13: "The operating system is shutting down at system time <TIME>".

Event 41: "The system has rebooted without cleanly shutting down first".

Location:
File: System.evtx.

Channels:

User32.
Events: 1074.

Microsoft-Windows-Kernel-General.
Events: 12, 13.

Microsoft-Windows-Kernel-Power.
Events: 41, 42, 109.

Microsoft-Windows-Power-Troubleshooter.
Events: 1.

EventLog.
Events: 6013, 6005, 6006.
Title: ETW - Users and security groups operations
Type: Page
Summary: For user account and security group operations, such as the creation or modification of a user object, or an update to a security group's membership.

Main events:

Channel: Security.
Event ID 4720: "A user account was created".
Event ID 4724: "An attempt was made to reset an account's password".
Event ID 4738: "A user account was changed".
Event ID 4732: "A member was added to a security-enabled local group".

Location:
Channel: Security.
Events: 4720, 4722, 4723, 4724, 4731, 4732, 4733, 4738.
Title: ETW - Windows Firewall
Type: Page
Summary: Windows Firewall activity, such as configuration changes and the creation, modification, or deletion of rules.

Main events:

Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall.
Event ID 2003: "A Windows Defender Firewall setting in the <Domain | Private | Public> profile has changed".
Events 2004, 2071, and 2097 (depending on the Windows operating system version): "A rule has been added to the Windows Defender Firewall exception list".
Events 2005 and 2099 (depending on the Windows operating system version): "A rule has been modified in the Windows Defender Firewall exception list".

Location:
Channel: Microsoft-Windows-Windows Firewall With Advanced Security/Firewall.
Events: 2002, 2003, 2004, 2005, 2006, 2033, 2052, 2071, 2097, 2099.

Channel: Security (events not enabled by default).
Events: 4946, 4947, 4948, 4950.
Title: Registry - Devices and USB activity
Type: Page
Summary: The registry holds a large amount of information on currently and previously plugged-in devices, such as USB devices. The information is stored across a number of registry keys.

Given a known variable about a device as input (such as the device serial number, for example), other identifiers can be retrieved from the registry: serial number, vendor ID, product ID, device ID (vendor and product names), instance ID, device interface class, associated volume friendly name and volume letter, etc.

The first and last plugged-in timestamps, and the last unplugged timestamp (for Windows 7 / 8 and later), of a device are also stored in the registry (Enum\USB and Enum\USBSTOR registry keys).

Location:
HKLM\SYSTEM - Enum\USB

HKLM\SYSTEM - Enum\USBSTOR

HKLM\SYSTEM - Enum\SWD\WPDBUSENUM

HKLM\SYSTEM - MountedDevices

HKLM\SYSTEM - DeviceClasses

HKLM\SOFTWARE - Windows Portable Devices

HKLM\SOFTWARE - VolumeInfoCache

HKLM\SOFTWARE - EMDMgmt

HKCU\SOFTWARE - MountPoints2
Title: Registry - Map Network Drive MRU
Type: Page
Summary: The Map Network Drive MRU registry key references the recently used network shares.

Information of interest: UNC path of the network shares (such as "<IP | HOSTNAME>\<SHARE_NAME>").

Values are ordered in a most recently used list. The time of access of the most recently accessed share can thus be deduced from the last write timestamp of the registry key.

Location:
File:
<SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat.

Registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
Title: Registry - MountPoints2
Type: Page
Summary: The MountPoints2 registry key references the currently or previously mapped drives (such as the system drive, USB devices, or network shares) mounted by the associated user.

Information of interest: each drive is represented by a subkey, which is named after either the volume GUID, a drive letter, or, for network shares, "##<IP | HOSTNAME>#<SHARE_NAME>".

Location:
File:
<SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat.

Registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
Title: Registry - System Information
Type: Page
Summary: Various information about the local system as stored in the registry: computer hostname and domain, local users, network interfaces, system timezone, exposed network shares, firewall status and rules, SIDs of users that have interactively logged in, installed applications, etc.

Location:
HKLM\SYSTEM - ComputerName

HKLM\SOFTWARE - CurrentVersion

HKLM\SECURITY - Policy

HKLM\SOFTWARE - ProfileList

HKLM\SAM - Users

HKLM\SYSTEM - TimeZoneInformation

HKLM\SYSTEM - Select

HKLM\SYSTEM - Interfaces

HKLM\SYSTEM - NetworkList

HKLM\SYSTEM - LanmanServer\Shares

HKLM\SYSTEM - FirewallPolicy

HKLM\SOFTWARE & NTUSER - App Paths

HKLM\SOFTWARE & NTUSER - Uninstall
Title: Windows devices terminology
Type: Page
Summary: The Windows operating system uses a number of "device identification strings" and "device instance identification strings" to identify devices that are plugged into or installed on a computer, and their instances.

The following identification strings are defined: vendor ID, product ID, device ID, hardware ID, instance ID, device instance ID, and container ID.

These various identifiers can be used to uniquely identify USB drives plugged into a computer, and are referenced in various registry keys, ETW events, and log files.