Channels:

Microsoft-Windows-Storage-ClassPnP/Operational.
Events: 507, 500, 502, 503, 504, 505, 506, 510.

Microsoft-Windows-Kernel-PnP/Device Configuration.
Events: 400, 401, 410, 411, 420, 430.

Microsoft-Windows-Kernel-PnP/Device Management.
Event: 1010.

Microsoft-Windows-Partition/Diagnostic.
Event: 1006.

Microsoft-Windows-Ntfs/Operational.
Events: 142, 4, 9, 10, 300, 303.

Overview

Windows Event Tracing (ETW) generates various events related to devices and USB activity. The events are split across a number of channels, with more events and more information available on recent versions of the Windows operating system.

Using known identifiers of a given device, found for example in the Windows registry, Event Tracing events can be used to determine timestamps of activity for the device, such as when the device was first plugged in, last plugged in and unplugged. Additionally, supplementary information about devices can be retrieved from events, such as device storage sizes and an extract of their partition table.

The terminology and more details on the various identifiers are available in the Windows devices terminology page.

Microsoft-Windows-Storage-ClassPnP/Operational

Provider: Microsoft-Windows-StorDiag.
Channel: Microsoft-Windows-Storage-ClassPnP/Operational.
Conditions: Default configuration.
Events: 507 (error events).

Generated multiple times: on every connection, sometimes on safe removal, and while the device remains plugged in. As the event is only generated upon errors, it may however not be reliably logged.

Information of interest:
- Device’s vendor and product names.
- Device serial number (which is however not the same as the one found in the registry and often shows up as AA00000000000489 for different USB storage devices).
- Device number, which is an incremental number based on the number of devices plugged-in, for all devices, including the system drive (which would likely be device number 1).
- Device’s DeviceGUID which can be used for correlation with other events.

Other events, also generated upon errors and with similar information: 500, 502, 503, 504, 505, 506, and 510.

Microsoft-Windows-Kernel-PnP/Device Configuration

Provider: Microsoft-Windows-Kernel-PnP.
Channel: Microsoft-Windows-Kernel-PnP/Device Configuration.
Conditions: Default configuration. The channel contains information for all plug and play devices, not limited to USB storage devices.
Events: 400, 401, 410, 411, 420, 430.

Event 400: Device <DEVICE> was configured.
Event 401: Device <DEVICE> failed configuration.
Event 410: Device <DEVICE> was started.
Event 411: Device <DEVICE> had a problem starting.
Event 430: Device <DEVICE> requires further installation.
The aforementioned events appear to be generated when a device is first plugged into the system.

Event 420: Device <DEVICE> was deleted.
For all of these events, the <DEVICE> string is based on the event's DeviceInstanceId field, which contains the device's vendor ID (VID), product ID (PID) and (registry) serial number or location information.

Microsoft-Windows-Kernel-PnP/Device Management

Provider: Microsoft-Windows-Kernel-PnP.
Channel: Microsoft-Windows-Kernel-PnP/Device Management.
Conditions: Introduced in Windows 11. The channel contains information for all plug and play devices, not limited to USB storage devices.
Events: 1010.

Event 1010: Device <DEVICE> has been surprise removed as it is reported as missing on the bus.

The event is reliably generated when a device is removed / unplugged without prior ejection. Additionally, further events are generated immediately afterwards, one for each of the device's volumes.

Relevant information:
- For USB storage device: vendor ID (VID), product ID (PID), (registry) serial number or location information. Example: USB\VID_18A5&PID_0302\1601000001586259.
- For volumes: the volume GUID of the volume. Example: STORAGE\Volume\<GUID>.

Microsoft-Windows-Partition/Diagnostic

Provider: Microsoft-Windows-Partition.
Channel: Microsoft-Windows-Partition/Diagnostic.
Conditions: Default configuration.
Events: 1006.

The event is generated when a device is plugged in and when it is unplugged, with or without prior ejection.

This event contains key information, notably information that is not available in other sources:

- Vendor and product names of the device.

- Vendor ID (VID), product ID (PID), and (registry) serial number or location of the device (in the ParentId field).

- A volume ID for one of the device's volumes, in the RegistryId field.

- (A version of) the device serial number (!= registry serial number).

- The DeviceGUID of the device, in the DiskId field, for correlation with other events.

- The size in bytes of the device, in the Capacity field. The capacity is 0 when the event corresponds to a removal.

- Raw dumps of the partition table (PartitionTable field), Master Boot Record (MBR) (Mbr field) and / or Volume Boot Record (VBR) (VbrX fields) when available. The VBR dump can be used to reconstruct the Volume Serial Number of the corresponding volume.
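The following PowerShell is an added example and not code from the original page. It reads Partition/Diagnostic 1006 events, tells insertions from removals using the Capacity field, keeps the ParentId / DiskId / RegistryId identifiers for correlation, and recovers the Volume Serial Number from the VBR dump at the file-system-specific offset (NTFS 0x48, exFAT 0x64, FAT32 0x43, FAT12/16 0x27). It assumes that Get-WinEvent renders the binary VBR fields as a hex string in the event XML, that those fields are named Vbr0, Vbr1, ... (the page writes "VbrX"), and that each dump starts at byte 0 of the volume boot sector. A constructed boot-sector buffer at the end exercises the decoder offline.

```powershell
# Added example (not from the original page): decode Partition/Diagnostic event 1006.
# Assumptions: binary Vbr fields appear as hex strings in ToXml(); fields are named Vbr<n>;
# each dump begins at offset 0 of the boot sector.

function ConvertFrom-HexString {
    param([Parameter(Mandatory)][string] $Hex)
    $bytes = New-Object byte[] ([int]($Hex.Length / 2))
    for ($i = 0; $i -lt $bytes.Length; $i++) {
        $bytes[$i] = [Convert]::ToByte($Hex.Substring(2 * $i, 2), 16)
    }
    return ,$bytes
}

function Get-VolumeSerialFromVbr {
    # Returns the file system type and the Volume Serial Number in the XXXX-XXXX form
    # shown by "vol" / "dir", read from the boot sector offset used by that file system.
    param([Parameter(Mandatory)][byte[]] $Vbr)
    if ($Vbr.Length -lt 0x68) { return $null }   # too short to hold any of the fields below
    $ascii = [Text.Encoding]::ASCII
    $oem   = $ascii.GetString($Vbr, 3, 8)
    if ($oem -eq 'NTFS    ') {
        # NTFS keeps a 64-bit serial at 0x48; "dir" displays its low 32 bits.
        $serial = [BitConverter]::ToUInt32($Vbr, 0x48); $fs = 'NTFS'
    } elseif ($oem -eq 'EXFAT   ') {
        $serial = [BitConverter]::ToUInt32($Vbr, 0x64); $fs = 'exFAT'
    } elseif ($ascii.GetString($Vbr, 0x52, 5) -eq 'FAT32') {
        $serial = [BitConverter]::ToUInt32($Vbr, 0x43); $fs = 'FAT32'
    } elseif ($ascii.GetString($Vbr, 0x36, 3) -eq 'FAT') {
        $serial = [BitConverter]::ToUInt32($Vbr, 0x27); $fs = 'FAT12/16'
    } else {
        return $null                              # unknown or damaged boot sector
    }
    [pscustomobject]@{
        FileSystem   = $fs
        VolumeSerial = $serial.ToString('X8').Insert(4, '-')
    }
}

function Get-UsbPartitionEvents {
    [CmdletBinding()]
    param(
        # Regex over ParentId (VID/PID/registry serial) and DiskId (DeviceGUID); default: all devices.
        [string] $Pattern = '.',
        [datetime] $StartTime = (Get-Date).AddDays(-30)
    )
    $filter = @{ LogName = 'Microsoft-Windows-Partition/Diagnostic'; Id = 1006; StartTime = $StartTime }
    foreach ($e in (Get-WinEvent -FilterHashtable $filter)) {
        # Collect EventData by field name; the parsed XML has entities such as &amp; decoded.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
            if ($d.Name) { $data[$d.Name] = $d.'#text' }
        }
        if ("$($data['ParentId']) $($data['DiskId'])" -notmatch $Pattern) { continue }

        $capacity = [uint64]$data['Capacity']    # size in bytes on insertion, 0 on removal
        $action = if ($capacity -eq 0) { 'removed' } else { 'inserted' }
        $volumes = foreach ($k in ($data.Keys | Where-Object { $_ -match '^Vbr\d+$' } | Sort-Object)) {
            if ($data[$k]) { Get-VolumeSerialFromVbr (ConvertFrom-HexString $data[$k]) }
        }
        [pscustomobject]@{
            Time       = $e.TimeCreated
            Action     = $action
            CapacityGB = [math]::Round($capacity / 1GB, 2)
            ParentId   = $data['ParentId']
            DiskId     = $data['DiskId']
            RegistryId = $data['RegistryId']
            Volumes    = $volumes
        }
    }
}

# Usage on the analysed host (elevated session):
#   Get-UsbPartitionEvents -Pattern 'VID_18A5&PID_0302' | Format-Table Time, Action, CapacityGB, ParentId

# Constructed sample (not a real capture): a 512-byte buffer laid out like an NTFS boot
# sector, with the OEM ID at offset 3 and the 8-byte serial 0x1122334455667788 at 0x48,
# whose low dword 0x55667788 is the value "dir" would show as 5566-7788.
$sample = New-Object byte[] 512
[Text.Encoding]::ASCII.GetBytes('NTFS    ').CopyTo($sample, 3)
[BitConverter]::GetBytes([uint64]0x1122334455667788).CopyTo($sample, 0x48)
Get-VolumeSerialFromVbr $sample
```

Matching the pattern against the decoded EventData values rather than the raw XML matters for VID/PID patterns: in the XML string the "&" of "VID_18A5&PID_0302" is encoded as "&amp;" and a naive match on ToXml() would miss it.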

Microsoft-Windows-Ntfs/Operational

Provider: Microsoft-Windows-Ntfs.
Channel: Microsoft-Windows-Ntfs/Operational.
Conditions: Only generated for devices that have an NTFS volume.
Events: 142 (summary of disk space usage since the last event).

This event is generated shortly after the device is plugged in, with one occurrence for each volume of the device.

Relevant information:
- The volume friendly name and associated drive letter.
- A volume ID for one of the device's volumes.
Provider: Microsoft-Windows-Ntfs.
Channel: Microsoft-Windows-Ntfs/Operational.
Conditions: Introduced in Windows 11. Only generated for devices that have an NTFS volume.
Events: 4, 9, 10, 300, 303.

Event 4: The NTFS volume has been successfully mounted.

Event 9: NTFS scanned entire volume bitmap.

Event 10: NTFS cached run statistics.

Event 300: The NTFS volume dismount has started.

Event 303: The NTFS volume has been successfully dismounted.

These events are reliably generated when a device is plugged in and unplugged, with or without prior ejection.

Relevant information:
- The volume friendly name and associated drive letter.
- Vendor and product names of the device.
- (A version of) the device serial number (!= registry serial number).
- DeviceGuid (for correlation with other events).
- Whether the drive was ejected (“Reason: Explicit lock”) or directly unplugged (“Reason: Surprise removal”).
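The following PowerShell is an added example, not code from the original page, that ties together the Storage-ClassPnP, Kernel-PnP Device Configuration, Kernel-PnP Device Management and Ntfs/Operational sections above: it queries the event IDs listed for each channel, keeps the events that mention a given device (registry serial number, VID/PID pair or DeviceGUID) and emits one timeline object per event, including the ejected / unplugged reason from the NTFS dismount events. It assumes an elevated session on the analysed host, that the device identifiers appear in the events' EventData values or rendered message, and that the dismount message contains the "Reason: Explicit lock" / "Reason: Surprise removal" text quoted above. The function name and the action labels are this example's own.

```powershell
# Added example (not from the original page): per-device timeline across the channels above.
# Assumptions: identifiers appear in EventData values or the rendered message; Ntfs dismount
# messages carry "Reason: Explicit lock" / "Reason: Surprise removal".

function Get-UsbDeviceTimeline {
    [CmdletBinding()]
    param(
        # Regex for the device: registry serial number, 'VID_18A5&PID_0302', or a DeviceGUID.
        [Parameter(Mandatory)] [string] $Pattern,
        [datetime] $StartTime = (Get-Date).AddDays(-30)
    )

    # Channel -> event IDs of interest, as listed on this page.
    $queries = @(
        @{ LogName = 'Microsoft-Windows-Storage-ClassPnP/Operational';   Id = 500, 502, 503, 504, 505, 506, 507, 510 }
        @{ LogName = 'Microsoft-Windows-Kernel-PnP/Device Configuration'; Id = 400, 401, 410, 411, 420, 430 }
        @{ LogName = 'Microsoft-Windows-Kernel-PnP/Device Management';    Id = 1010 }
        @{ LogName = 'Microsoft-Windows-Ntfs/Operational';                Id = 4, 142, 300, 303 }
    )

    # Human-readable labels for the event IDs documented above; other IDs fall back to "event N".
    $labels = @{
        507 = 'storage error (device plugged in)'; 400 = 'configured'; 401 = 'configuration failed'
        410 = 'started'; 411 = 'problem starting'; 420 = 'deleted'; 430 = 'requires further installation'
        1010 = 'surprise removed'; 4 = 'NTFS volume mounted'; 142 = 'NTFS disk space summary'
        300 = 'NTFS dismount started'; 303 = 'NTFS volume dismounted'
    }

    foreach ($q in $queries) {
        $filter = $q.Clone(); $filter.StartTime = $StartTime
        try {
            # A channel that does not exist (Device Management is Windows 11 only) or that has
            # no matching events raises here; skip it rather than abort the whole timeline.
            $events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop
        } catch {
            Write-Verbose "Skipping $($q.LogName): $($_.Exception.Message)"; continue
        }

        foreach ($e in $events) {
            # Collect EventData by field name; the parsed XML has entities such as &amp; decoded,
            # so a VID/PID pattern containing '&' matches the values but would not match raw ToXml().
            $data = @{}
            foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) {
                if ($d.Name) { $data[$d.Name] = $d.'#text' }
            }
            $haystack = (@($data.Values) -join ' ') + ' ' + $e.Message
            if ($haystack -notmatch $Pattern) { continue }

            # Eject (explicit lock) vs. unplug (surprise removal), from the NTFS dismount message.
            $reason = $null
            if ($e.Message -match 'Reason:\s*(Explicit lock|Surprise removal)') { $reason = $Matches[1] }

            $label = $labels[[int]$e.Id]; if (-not $label) { $label = "event $($e.Id)" }
            [pscustomobject]@{
                Time    = $e.TimeCreated
                Channel = $e.LogName
                Id      = $e.Id
                Action  = $label
                Reason  = $reason
                Device  = $data['DeviceInstanceId']   # Kernel-PnP events only; $null elsewhere
                Data    = $data                        # full EventData for further correlation
            }
        }
    }
}

# Usage: merge the channels and sort by time to read first plug, mounts, ejections and unplugs.
#   Get-UsbDeviceTimeline -Pattern '1601000001586259' | Sort-Object Time |
#       Format-Table Time, Channel, Id, Action, Reason, Device -AutoSize
```

Start with the registry serial number, then re-run with the DeviceGUID taken from the Data column of a Storage-ClassPnP or Partition/Diagnostic event: the two identifiers are not the same string, so a single pattern will not catch every channel.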
