NXLog Legacy Documentation

Windows USB auditing

Portable devices provide the user easy access to company related data in a corporate environment. As the usage of USB devices increase, so do the risks associated with them.

This section discusses the possibilities of collecting USB related log events in a Microsoft Windows environment using NXLog.

There are four ways USB activity logs can be tracked down.

  • From Windows Event Log

  • Tracing them using ETW

  • Monitoring them in Windows Registry

  • Looking at the file system

USB logs in Windows Event Log

Microsoft Windows logs USB related events into Windows Event Log. They are logged under the System and Security channels as well as in various places under the Applications and Services Logs\Microsoft\Windows path in Event Viewer.

Events from the System Channel

These events are only generated once, during the driver installation phase, when the external device is connected for the first time.

The logging of these events are enabled by default.
Source Trigger Condition Event ID

DriverFramework-Usermode

First connection

10000

UserPNP

Installed or updated

20001

WPD-ClassInstaller

Successful Installation

24576

Events from the Security Channel

These events are generated when some kind of USB activity is observed by the Operating System.

The logging of these events are not enabled by default.

Plug and Play events

They are generated every time when a device is plugged in. Tracking these USB related events are useful for Audit purposes.

Object Access Audit Events

They can be used to monitor object manipulation, such as creation, deletion as well as other changes. This can be useful for monitoring for possible data leaks.

These two events can be turned on in the Local Security Policy or by the auditpol tool with the command below in Windows PowerShell.

auditpol /set /subcategory:"Plug and Play Events","Removable
Storage","Handle Manipulation" /success:enable /failure:enable

The following command could be used to check the status of subcategories if necessary.

auditpol /get /subcategory:"Plug and Play Events","Removable
Storage","Handle Manipulation"
Source Trigger Condition Event ID

Plug and Play (detailed tracking)

Device connection

6416

Object Access Audit

Handle request

4656

Object Access Audit

Attampt to access an object

4663

Event 4663 is the most useful. It is the event that tells what exactly happened on the object. What has been accessed, what process did it and what kind of operation it was.

Events from Applications and Services Logs\Microsoft\Windows

There are some useful USB related logs located under the Applications and Services Logs\Microsoft\Windows path in Windows Event Viewer, these sources listed below. The sources contain different information about different aspects of the subject.

Source Trigger Condition Event ID

Partition Diagnostic

Connection and ejection.

1006

NTFS

Connection

142

StorSVC Diagnostic

Connection

1001

DriverFrameworks-UserMode (not enabled by default)

Connection

1003, 1004, 2000, 2001, 2003, 2004, 2005, 2006, 2010, 2100, 2101, 2105, 2016

Ejection

1006, 1008, 2100, 2101, 2102, 2105, 2106, 2900, 2901

Kernel-PnP

First connection

400, 410, 430

DeviceSetupManager-Admin

First Connection

112

The group of events created in Microsoft-Windows-DriverFrameworks-UserMode are correlate to each other based on their LifetimeIds. They will be the same for the corresponding events.
Enabling Microsoft-Windows-DriverFrameworks-UserMode Logging

Enabling on a local computer:

In Event Viewer (eventvwr) under Applications and Services LogsMicrosoftWindowsDriverFrameworks-UserMode\Operational, right-click on Operational and select Enable Log.

Enabling on multiple computers in an Active Directory Domain environment using wevtutil:

  1. Enable a Remote Administration exception on the firewall of the client computers via a GPO. The following needs to be enabled. [Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception]

  2. Prepare a text file for the client computer names. For example, c:\computers.txt.

  3. Run the following command with Domain Administrator’s privilege.

for /F %i in (c:\computers.txt) do wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true /r:%i

The following PowerShell command checks the status of logging:

Get-WinEvent -ListLog Microsoft-Windows-DriverFrameworks-UserMode/Operational | Format-List IsEnabled
Example 1. Collecting USB logs from Windows Event Log

This configuration uses the im_msvistalog module to collect USB events. EventIDs that are useful from the audit perspective are listed in the configuration define lines.

nxlog.conf
<Extension _xml>
    Module     xm_xml
</Extension>

# StorSvc Diagnostic
define ID1     1001
# PnP detailed tracking
define ID2     6416
# Partition Diagnostic
define ID3     1006
# NTFS
define ID4     142
# DriverFw preconnection
define ID5     1003
# DriverFw connection-related 
define ID6     2003
# DriverFw removal-related 
define ID7     1008
# System: DriverFramework-Usermode 
define ID8     10000
# System: UserPNP
define ID9     20001
#Object Access Audit
define ID10     4656

<Input in>
    Module im_msvistalog
    # For Windows 2003 and earlier, use the im_mseventlog module.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
            <Select Path="Security">*</Select>
            <Select Path="System">*</Select>
            <Select \
            Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">* \
            </Select>
            <Select Path="Microsoft-Windows-Ntfs/Operational">*</Select>
            <Select Path="Microsoft-Windows-Partition/Diagnostic">*</Select>
            <Select Path="Microsoft-Windows-Storsvc/Diagnostic">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        if ($EventID NOT IN (%ID1%)) and
           ($EventID NOT IN (%ID2%)) and
           ($EventID NOT IN (%ID3%)) and
           ($EventID NOT IN (%ID4%)) and
           ($EventID NOT IN (%ID5%)) and
           ($EventID NOT IN (%ID6%)) and
           ($EventID NOT IN (%ID7%)) and
           ($EventID NOT IN (%ID8%)) and
           ($EventID NOT IN (%ID9%)) and
           ($EventID NOT IN (%ID10%)) drop();
        if $UserData parse_xml($UserData);
    </Exec>
</Input>
Output sample
{
  "EventTime": "2019-10-19T20:41:06.700337+02:00",
  "Hostname": "Host",
  "Keywords": "9223372036854775808",
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 1008,
  "SourceName": "Microsoft-Windows-DriverFrameworks-UserMode",
  "ProviderGuid": "{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}",
  "Version": 1,
  "TaskValue": 18,
  "OpcodeValue": 2,
  "RecordNumber": 42756,
  "ExecutionProcessID": 908,
  "ExecutionThreadID": 504,
  "Channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "Message": "The host process ({1208e11e-4339-4c06-86bb-7430fd254ee6}) has been shutdown.",
  "Category": "Shutdown of a driver host process.",
  "Opcode": "Stop",
  "UserData": "<UMDFDriverManagerHostShutdown xmlns='http://www.microsoft.com/DriverFrameworks/UserMode/Event'><LifetimeId>{1208e11e-4339-4c06-86bb-7430fd254ee6}</LifetimeId><TerminateStatus>0</TerminateStatus><ExitCode>0</ExitCode></UMDFDriverManagerHostShutdown>",
  "EventReceivedTime": "2019-10-19T20:41:08.115696+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_msvistalog",
  "UMDFDriverManagerHostShutdown.LifetimeId": "{1208e11e-4339-4c06-86bb-7430fd254ee6}",
  "UMDFDriverManagerHostShutdown.TerminateStatus": "0",
  "UMDFDriverManagerHostShutdown.ExitCode": "0"
}

USB logs available via ETW

USB related events can be retrieved by using Event Tracing for Windows (ETW) providers. There are a numbers of providers can be used to gain information about USB related activity. The most notables are listed below.

Providers for USB2 events:

Provider Details

Microsoft-Windows-USB-USBHUB

Provides USB2 hub events

Microsoft-Windows-USB-USBPORT

Provides USB2 port events

Providers for USB3 events:

Provider Details

Microsoft-Windows-USB-USBHUB3

Provides USB3 hub events

Microsoft-Windows-USB-UCX

Provides USB UCX events

Microsoft-Windows-USB-USBXHCI

Provides USB XHCI events

Providers for Smart Card related USB events:

Provider Details

Microsoft-Windows-USB-CCID

Monitors Smart Card readers using USB to connect to the computer

Microsoft-Windows-Smartcard-Trigger

Triggers a log when inserting and removing a USB smart card reader

Example 2. Collecting USB logs from ETW

This configuration uses the im_etw module to collect logs when a USB Smart Card reader is inserted.

nxlog.conf
<Input etw>
    Module      im_etw
    Provider    Microsoft-Windows-Smartcard-Trigger
</Input>
Output sample
{
  "SourceName": "Microsoft-Windows-Smartcard-Trigger",
  "ProviderGuid": "{AEDD909F-41C6-401A-9E41-DFC33006AF5D}",
  "EventID": 1000,
  "Version": 0,
  "ChannelID": 0,
  "OpcodeValue": 0,
  "TaskValue": 0,
  "Keywords": "0",
  "EventTime": "2019-12-05T14:12:11.453805+01:00",
  "ExecutionProcessID": 13180,
  "ExecutionThreadID": 7608,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Domain": "NT AUTHORITY",
  "AccountName": "LOCAL SERVICE",
  "UserID": "S-1-5-19",
  "AccountType": "Well Known Group",
  "Flags": "EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)",
  "ScDeviceEnumGuid": "{5a236687-d307-44e2-9241-e1c6c27ceb28}",
  "EventReceivedTime": "2019-12-05T14:12:13.457624+01:00",
  "SourceModuleName": "etw",
  "SourceModuleType": "im_etw"
}

USB log events in Windows Registry

When a USB device is inserted or ejected to and from a Windows system, the Plug-and-Play(PnP) manager triggers a query for the device, then it stores the related information in the Windows Registry.

This information is stored in the registry keys under the following three registry paths.

  • "HKLM\SYSTEM\CurrentControlSet\Enum\USB\"

  • "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\"

  • "HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\"

The first two stores information about the plugged in USB devices. The third on stores additional information as USB drives are recognized as disks and mounted as a drive volume in the system. For more information, see the USB Device Registry Entries documentation from Microsoft.

These USB log events could be correlated based on the serial numbers of the USB devices.

This configuration uses the im_regmon module to collect USB related events from the Windows Registry. It scans the registry every 60 second.

nxlog.conf
<Input in>
    Module          im_regmon
    RegValue        'HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\*'
    RegValue        'HKLM\SYSTEM\CurrentControlSet\Enum\USB\*'
    RegValue        'HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\*'
    Recursive       TRUE
    ScanInterval    60
</Input>
Output sample
{
  "EventTime": "2019-10-20T11:07:56.473658+02:00",
  "Hostname": "Host",
  "EventType": "CHANGE",
  "RegistryValueName": "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_\\60A44C413A8CF320B9110053&0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0066\\",
  "PrevValueSize": 8,
  "ValueSize": 8,
  "DigestName": "SHA1",
  "PrevDigest": "a477f34abec7da133ad5ff2dcf67b3b7e089d2d6",
  "Digest": "e47f5d5668fa31237f198a2e4cb9bc78003f3cc8",
  "Severity": "WARNING",
  "SeverityValue": 3,
  "EventReceivedTime": "2019-10-20T11:07:56.473658+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_regmon"
}

USB events logged into a file

In Windows Vista and later editions, the Plug and Play (PnP) manager and SetupAPI log events about device installation into the SetupAPI.dev.log file. The file contains a wealth of information about all installed devices including the ones that has been attached via USB to the system.

The file is located in the C:\Windows\INF directory. NXLog can read, parse and forward the logs contained in this file.

This configuration uses the im_file module to read the events from the SetupAPI.dev.log file.

nxlog.conf
<Input in>
    Module    im_file
    File      'C:\Windows\INF\SetupAPI.dev.log'
</Input>
Disclaimer

While we endeavor to keep the information in this topic up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

Last revision: 11 January 2020