Channels:

Microsoft-Windows-Storage-ClassPnP/Operational.
Events: 507, 500, 502, 503, 504, 505, 506, 510.

Microsoft-Windows-Kernel-PnP/Device Configuration.
Events: 400, 401, 410, 411, 420, 430.

Microsoft-Windows-Kernel-PnP/Device Management.
Event: 1010.

Microsoft-Windows-Partition/Diagnostic.
Event: 1006.

Microsoft-Windows-Ntfs/Operational.
Events: 142, 4, 9, 10, 300, 303.

Overview

The Windows Event Tracing generate various events on devices and USB activity. The events are split across a number of channels, with more events and information available on recent versions of the Windows operating system.

Using known variables about a given device, found for example in the Windows registry, Event Tracing events can be used to determine timestamps of activity for the device, such as when the device was first plugged, last plugged and unplugged. Additionally, supplementary information about devices can be retrieved from events, such as device storage sizes and an extract of their partition table.

The terminology and more details on the various identifiers are available in the Windows devices terminology page.

Microsoft-Windows-Storage-ClassPnP/Operational

Channel Conditions Events
Provider: Microsoft-Windows-StorDiag.

Channel: Microsoft-Windows-Storage-ClassPnP/Operational.
Default configuration. Event 507: error events.

Generated multiple times, for every connection, sometimes safe removal, and while the device is plugged-in. As the event is generated upon errors, it may however not be reliably logged.

Information of interest:
- Device’s vendor and product names.
- Device serial number (which is however not the same as the one found in the registry and often shows up as AA00000000000489 for different USB storage devices).
- Device number, which is an incremental number based on the number of devices plugged-in, for all devices, including the system drive (which would likely be device number 1).
- Device’s DeviceGUID which can be used for correlation with other events.

Other events, also generated upon errors and with similar information: 500, 502, 503, 504, 505, 506, and 510.

Microsoft-Windows-Kernel-PnP/Device Configuration

Channel Conditions Events
Provider: Microsoft-Windows-Kernel-PnP.

Microsoft-Windows-Kernel-PnP/Device Configuration.
Default configuration. The Microsoft-Windows-Kernel-PnP/Device Configuration channel contains information for all plug and play devices, not limited to USB storage devices.

Event 400: Device <DEVICE> was configured.
Event 401: Device <DEVICE> failed configuration.
Event 410: Device <DEVICE> was started.
Event 411: Device <DEVICE> had a problem starting.
Event 430: Device <DEVICE> requires further installation.
The aforementioned events appear to be generated when a device is first plugged-in to the system.

Event 420: Device <DEVICE> was deleted.
The <DEVICE> string is based on the event DeviceInstanceId field, which contains the device’s vendor ID (VID), product ID (PID) and (registry) serial number or location information.

Microsoft-Windows-Kernel-PnP/Device Management

Channel Conditions Events
Provider: Microsoft-Windows-Kernel-PnP.

Channel: Microsoft-Windows-Kernel-PnP/Device Management.
Introduced in Windows 11. The Microsoft-Windows-Kernel-PnP/Device Management channel contains information for all plug and play devices, not limited to USB storage devices.

Event 1010: Device <DEVICE> has been surprise removed as it is reported as missing on the bus.

The event is reliably generated when a device is removed / unplugged without prior ejection. Additionally, subsequent immediate event(s) are generated for each removal of the device volume.

Relevant information:
- For USB storage device: vendor ID (VID), product ID (PID), (registry) serial number or location information. Example: USB\VID_18A5&PID_0302\1601000001586259.
- For volumes: the volume GUID of the volume. Example: STORAGE\Volume\<GUID>.

Microsoft-Windows-Partition/Diagnostic

Channel Conditions Events
Provider: Microsoft-Windows-Partition.

Channel: Microsoft-Windows-Partition/Diagnostic.
Default configuration. Event 1006.

The event is generated when a device is plugged and unplugged with or without prior ejection.

This event contains key relevant information, and notably information that are not available in other sources:

- Vendor and product names of the device.

- vendor ID (VID), product ID (PID), and (registry) serial number or location of the device (in the ParentId field).

- A volume id for one of the device volume in the RegistryId field.

- (A version of) the device serial number (!= registry serial number).

- The DeviceGUID of the device in the DiskId, for correlation with other events.

- The size in bytes of the device in the Capacity field. The capacity is set to 0 if the event match a removal.

- Raw dumps of the partition table (field PartitionTable), Master Boot Record (MBR) (field Mbr), and / or Volume Boot Record (VBR) (field VbrX) if available. The VBR dump can be used to reconstruct the Volume Serial Number of the device.

Microsoft-Windows-Ntfs/Operational

Channel Conditions Events
Provider: Microsoft-Windows-Ntfs.

Microsoft-Windows-Ntfs/Operational.
Only generated for devices that have a NTFS volume. Event 142: Summary of disk space usage, since last event.

This event is generated with a limited delay following the plugin of the device, one occurrence for each volume of the device.

Relevant information:
- The volume friendly name and associated drive letter.
- A volume id for one of the device volume.
Provider: Microsoft-Windows-Ntfs.

Microsoft-Windows-Ntfs/Operational.
Introduced in Windows 10 / Windows Server 2016 (Build 14393), with more fields logged (including information on the underlying device) starting with Windows 11 / Windows Server 2022 (Build 22000).

Only generated for devices that have a NTFS volume.
Event 4: The NTFS volume has been successfully mounted.

Event 9: NTFS scanned entire volume bitmap.

Event 10: NTFS cached run statistics.

Event 300: The NTFS volume dismount has started.

Event 303: The NTFS volume has been successfully dismounted.

These events are reliably generated when a device is plugged and unplugged with or without prior ejection.

Relevant information:
- The volume friendly name and associated drive letter.
- Vendor and product names of the device.
- (A version of) the device serial number (!= registry serial number).
- DeviceGuid (for correlation with other events).
- Whether the drive was ejected (“Reason: Explicit lock”) or directly unplugged (“Reason: Surprise removal”).

References



View on GitHub