Windows USB auditing

Portable devices give users easy access to company data in a corporate environment. As the use of USB devices grows, so do the risks associated with them: data leaving the organization on removable media and unvetted devices being attached to managed hosts.

This section discusses the possibilities of collecting USB-related log events in a Microsoft Windows environment using NXLog Agent.

USB activity can be tracked in four ways:

  • From Windows Event Log

  • Tracing them using ETW

  • Monitoring them in Windows Registry

  • Looking at the file system

USB logs in Windows Event Log

Microsoft Windows logs USB-related events into Windows Event Log. They are logged under the System and Security channels as well as in various places under the Applications and Services Logs\Microsoft\Windows path in Event Viewer.

Events from the System Channel

These events are generated only once, during the driver installation phase, when the external device is connected for the first time. They therefore identify new devices but do not record later reconnections of a device that has already been installed.

The logging of these events is enabled by default.

Source                     Trigger Condition         Event ID
DriverFramework-Usermode   First connection          10000
UserPNP                    Installed or updated      20001
WPD-ClassInstaller         Successful installation   24576

Events from the Security Channel

These events are generated when some kind of USB activity is observed by the Operating System.

The logging of these events is not enabled by default.

Plug and Play events

They are generated whenever the system recognizes a new external device. Tracking these USB events is useful for auditing purposes because they tie a device identifier to the time it appeared on a host.

Object Access Audit Events

They can be used to monitor object manipulation such as creation, deletion and other changes. On removable storage this is useful for spotting possible data leaks.

These two subcategories can be enabled in the Local Security Policy or with the auditpol tool, using the command below from an elevated PowerShell or Command Prompt.

auditpol /set /subcategory:"Plug and Play Events","Removable Storage","Handle Manipulation" /success:enable /failure:enable

Note that the Removable Storage subcategory generates an event for every access to a file on removable media, with no SACL required on the object, so it can be noisy on hosts where USB storage is used heavily; Handle Manipulation adds an event for each handle that is closed or duplicated, which increases the volume further.

The following command checks the status of these subcategories.

auditpol /get /subcategory:"Plug and Play Events","Removable Storage","Handle Manipulation"
Source                              Trigger Condition             Event ID
Plug and Play (detailed tracking)   Device connection             6416
Object Access Audit                 Handle request                4656
Object Access Audit                 Attempt to access an object   4663

Event 4663 is the most useful of these. It records the exact operation performed on the object (the access mask) and the process that performed it.
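The following Python script is an added example (not part of the original page and not NXLog code) that shows how the Security-channel events above can be used once NXLog has forwarded them as JSON: it picks up device arrivals from 6416 and, from 4663, decodes the AccessMask into the file rights it contains and summarizes which user and process wrote to or deleted objects on removable storage. The JSON lines are constructed to resemble im_msvistalog output; the field names DeviceId, DeviceDescription, SubjectUserName, ProcessName, ObjectName and AccessMask are the EventData names Windows uses for these events, which im_msvistalog exposes as fields of the same name.

```python
"""Summarise Security-channel USB audit events (6416 and 4663) from NXLog JSON.

Added example, not part of the original page or of NXLog. The input lines are
constructed to resemble im_msvistalog JSON output for the two events.
"""
import json
from collections import defaultdict

# File-object access rights as they appear in the AccessMask of event 4663.
ACCESS_BITS = {
    0x0001: "ReadData/ListDirectory",
    0x0002: "WriteData/AddFile",
    0x0004: "AppendData/AddSubdirectory",
    0x0040: "DeleteChild",
    0x10000: "DELETE",
}
# Rights that change or remove data: the ones that matter for data-leak tracking.
WRITE_LIKE = 0x0002 | 0x0004 | 0x0040 | 0x10000

# Constructed sample: a device arrival (6416), a write and a delete by
# explorer.exe, a read by another process, and one unrelated System event.
SAMPLE_LINES = [
    json.dumps({"EventTime": "2019-10-19T20:40:58+02:00", "Channel": "Security",
                "EventID": 6416, "ClassName": "USB",
                "DeviceId": "USB\\VID_0951&PID_1666\\60A44C413A8CF320B9110053",
                "DeviceDescription": "DataTraveler 3.0"}),
    json.dumps({"EventTime": "2019-10-19T20:41:02+02:00", "Channel": "Security",
                "EventID": 4663, "SubjectUserName": "alice",
                "ProcessName": "C:\\Windows\\explorer.exe",
                "ObjectName": "\\Device\\HarddiskVolume7\\payroll.xlsx",
                "AccessMask": "0x2"}),
    json.dumps({"EventTime": "2019-10-19T20:41:03+02:00", "Channel": "Security",
                "EventID": 4663, "SubjectUserName": "alice",
                "ProcessName": "C:\\Windows\\explorer.exe",
                "ObjectName": "\\Device\\HarddiskVolume7\\contracts.zip",
                "AccessMask": "0x10000"}),
    json.dumps({"EventTime": "2019-10-19T20:41:05+02:00", "Channel": "Security",
                "EventID": 4663, "SubjectUserName": "alice",
                "ProcessName": "C:\\Program Files\\Reader\\reader.exe",
                "ObjectName": "\\Device\\HarddiskVolume7\\notes.txt",
                "AccessMask": "0x1"}),
    json.dumps({"EventTime": "2019-10-19T20:41:06+02:00", "Channel": "System",
                "EventID": 20001, "Message": "Driver Management concluded ..."}),
]


def decode_access(mask):
    """Translate a 4663 AccessMask string such as "0x10002" into right names."""
    value = int(mask, 16)
    return [name for bit, name in ACCESS_BITS.items() if value & bit]


def summarise(lines):
    """Return (devices, writes): devices recognised via 6416, and for each
    (user, process) the objects they wrote to or deleted.

    With only the Removable Storage subcategory enabled, every 4663 refers to
    removable media. If File System auditing is also on, ObjectName would have
    to be mapped to a volume before trusting this summary.
    """
    devices = []
    writes = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        if ev.get("Channel") != "Security":
            continue
        if ev["EventID"] == 6416:
            devices.append((ev["EventTime"], ev["DeviceDescription"], ev["DeviceId"]))
        elif ev["EventID"] == 4663 and int(ev["AccessMask"], 16) & WRITE_LIKE:
            writes[(ev["SubjectUserName"], ev["ProcessName"])].add(ev["ObjectName"])
    return devices, {key: sorted(paths) for key, paths in writes.items()}


if __name__ == "__main__":
    found, written = summarise(SAMPLE_LINES)
    for when, desc, dev_id in found:
        print(f"{when} new device: {desc} ({dev_id})")
    for (user, proc), paths in written.items():
        print(f"{user} via {proc} wrote/deleted {len(paths)} object(s): {paths}")
```

The read by reader.exe is deliberately left out of the summary: for leak detection the write-like rights are what matter, and counting reads would bury them in noise on a busy host.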

Events from Applications and Services Logs\Microsoft\Windows

Several useful USB logs are located under the Applications and Services Logs\Microsoft\Windows path in Windows Event Viewer; the sources are listed below. Each source covers a different aspect of the device lifecycle.

Source                                               Trigger Condition         Event ID
Partition Diagnostic                                 Connection and ejection   1006
NTFS                                                 Connection                142
StorSVC Diagnostic                                   Connection                1001
DriverFrameworks-UserMode (not enabled by default)   Connection                1003, 1004, 2000, 2001, 2003, 2004, 2005, 2006, 2010, 2100, 2101, 2105, 2016
                                                     Ejection                  1006, 1008, 2100, 2101, 2102, 2105, 2106, 2900, 2901
Kernel-PnP                                           First connection          400, 410, 430
DeviceSetupManager-Admin                             First connection          112

The events written to Microsoft-Windows-DriverFrameworks-UserMode can be correlated with each other by LifetimeId: every event that belongs to the same driver host process instance, from host creation on connection to host shutdown on ejection, carries the same LifetimeId value.
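As an added example (not part of the original page or of NXLog), the Python below groups DriverFrameworks-UserMode events into per-device sessions by LifetimeId and derives how long each device stayed attached and which devices have no shutdown event yet. The input lines are constructed in the shape of the im_msvistalog plus xm_xml output shown in Example 1. After parse_xml the LifetimeId lands in a field named "<element>.LifetimeId", where <element> differs per event; the page shows UMDFDriverManagerHostShutdown.LifetimeId for event 1008, while the element names used for 1003 and 2003 in the sample are assumed. The code relies only on the ".LifetimeId" suffix so it does not depend on those names.

```python
"""Correlate DriverFrameworks-UserMode events into per-device host sessions.

Added example, not part of the original page or of NXLog. The input lines are
constructed; element names other than UMDFDriverManagerHostShutdown are assumed.
"""
import json
from datetime import datetime

LID_A = "{1208e11e-4339-4c06-86bb-7430fd254ee6}"  # from the page's output sample
LID_B = "{5d6e7f80-0000-4000-8000-000000000001}"  # constructed

SAMPLE_LINES = [
    json.dumps({"EventTime": "2019-10-19T20:38:01.100000+02:00", "EventID": 1003,
                "SourceName": "Microsoft-Windows-DriverFrameworks-UserMode",
                "UMDFDriverManagerHostCreateStart.LifetimeId": LID_A}),
    json.dumps({"EventTime": "2019-10-19T20:38:01.250000+02:00", "EventID": 2003,
                "SourceName": "Microsoft-Windows-DriverFrameworks-UserMode",
                "UMDFHostDeviceArrivalBegin.LifetimeId": LID_A}),
    json.dumps({"EventTime": "2019-10-19T20:38:02.000000+02:00", "EventID": 142,
                "SourceName": "Microsoft-Windows-Ntfs"}),  # unrelated source
    json.dumps({"EventTime": "2019-10-19T20:41:06.700337+02:00", "EventID": 1008,
                "SourceName": "Microsoft-Windows-DriverFrameworks-UserMode",
                "UMDFDriverManagerHostShutdown.LifetimeId": LID_A,
                "UMDFDriverManagerHostShutdown.ExitCode": "0"}),
    json.dumps({"EventTime": "2019-10-19T20:45:00.000000+02:00", "EventID": 1003,
                "SourceName": "Microsoft-Windows-DriverFrameworks-UserMode",
                "UMDFDriverManagerHostCreateStart.LifetimeId": LID_B}),
]


def lifetime_id(event):
    """Return the LifetimeId of a parsed event, whatever its XML element name."""
    for key, value in event.items():
        if key.endswith(".LifetimeId"):
            return value
    return None


def sessions(lines):
    """Group UMDF host events by LifetimeId.

    Each session records the first and last event time, the EventIDs seen and
    whether a 1008 (host shutdown, i.e. device removal) has closed it.
    """
    result = {}
    for line in lines:
        ev = json.loads(line)
        if ev.get("SourceName") != "Microsoft-Windows-DriverFrameworks-UserMode":
            continue
        lid = lifetime_id(ev)
        if lid is None:
            continue
        when = datetime.fromisoformat(ev["EventTime"])
        s = result.setdefault(lid, {"first": when, "last": when,
                                    "events": [], "closed": False})
        s["first"] = min(s["first"], when)
        s["last"] = max(s["last"], when)
        s["events"].append(ev["EventID"])
        if ev["EventID"] == 1008:
            s["closed"] = True
    return result


def duration_seconds(session):
    """Seconds between the first and last event of a session (attach time so far)."""
    return (session["last"] - session["first"]).total_seconds()


def still_attached(result):
    """LifetimeIds with no shutdown event: devices presumably still connected."""
    return sorted(lid for lid, s in result.items() if not s["closed"])


if __name__ == "__main__":
    for lid, s in sessions(SAMPLE_LINES).items():
        state = "removed" if s["closed"] else "still attached"
        print(f"{lid}: {s['events']} {duration_seconds(s):.3f}s {state}")
```

Because events from several sources are interleaved in a real feed, the function filters on SourceName first; a LifetimeId is only meaningful within the DriverFrameworks-UserMode provider.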

Enabling Microsoft-Windows-DriverFrameworks-UserMode Logging

Enabling on a local computer:

In Event Viewer (eventvwr) under Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode\Operational, right-click on Operational and select Enable Log.

Enabling on multiple computers in an Active Directory Domain environment using wevtutil:

  1. Enable a Remote Administration exception on the firewall of the client computers via a GPO. The following needs to be enabled. [Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception]

  2. Prepare a text file for the client computer names. For example, c:\computers.txt.

  3. Run the following command with Domain Administrator privileges from a Command Prompt (the `%i` form is for an interactive prompt; inside a batch file it must be written as `%%i`).

for /F %i in (c:\computers.txt) do wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true /r:%i

The following PowerShell command checks the status of logging:

Get-WinEvent -ListLog Microsoft-Windows-DriverFrameworks-UserMode/Operational | Format-List IsEnabled

Example 1. Collecting USB logs from Windows Event Log

This configuration uses the im_msvistalog module to collect USB events. EventIDs that are useful from the audit perspective are listed in the configuration define lines.

nxlog.conf
<Extension _xml>
    Module     xm_xml
</Extension>

# StorSvc Diagnostic
define ID1     1001
# PnP detailed tracking
define ID2     6416
# Partition Diagnostic
define ID3     1006
# NTFS
define ID4     142
# DriverFw preconnection
define ID5     1003
# DriverFw connection-related 
define ID6     2003
# DriverFw removal-related 
define ID7     1008
# System: DriverFramework-Usermode 
define ID8     10000
# System: UserPNP
define ID9     20001
# Object Access Audit: handle requested
define ID10     4656
# Object Access Audit: operation performed on the object
define ID11     4663

<Input in>
    Module im_msvistalog
    # For Windows 2003 and earlier, use the im_mseventlog module.
    <QueryXML>
        <QueryList>
            <Query Id="0" Path="Security">
            <Select Path="Security">*</Select>
            <Select Path="System">*</Select>
            <Select \
            Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">* \
            </Select>
            <Select Path="Microsoft-Windows-Ntfs/Operational">*</Select>
            <Select Path="Microsoft-Windows-Partition/Diagnostic">*</Select>
            <Select Path="Microsoft-Windows-Storsvc/Diagnostic">*</Select>
            </Query>
        </QueryList>
    </QueryXML>
    <Exec>
        # Keep only the event IDs defined above; everything else is dropped.
        if $EventID NOT IN (%ID1%, %ID2%, %ID3%, %ID4%, %ID5%, %ID6%,
                            %ID7%, %ID8%, %ID9%, %ID10%, %ID11%) drop();
        # DriverFrameworks events carry their details (LifetimeId and so on)
        # in UserData XML; parse it into fields with xm_xml.
        if $UserData parse_xml($UserData);
    </Exec>
</Input>
Output sample
{
  "EventTime": "2019-10-19T20:41:06.700337+02:00",
  "Hostname": "Host",
  "Keywords": "9223372036854775808",
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "EventID": 1008,
  "SourceName": "Microsoft-Windows-DriverFrameworks-UserMode",
  "ProviderGuid": "{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}",
  "Version": 1,
  "TaskValue": 18,
  "OpcodeValue": 2,
  "RecordNumber": 42756,
  "ExecutionProcessID": 908,
  "ExecutionThreadID": 504,
  "Channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
  "Domain": "NT AUTHORITY",
  "AccountName": "SYSTEM",
  "UserID": "S-1-5-18",
  "AccountType": "User",
  "Message": "The host process ({1208e11e-4339-4c06-86bb-7430fd254ee6}) has been shutdown.",
  "Category": "Shutdown of a driver host process.",
  "Opcode": "Stop",
  "UserData": "<UMDFDriverManagerHostShutdown xmlns='http://www.microsoft.com/DriverFrameworks/UserMode/Event'><LifetimeId>{1208e11e-4339-4c06-86bb-7430fd254ee6}</LifetimeId><TerminateStatus>0</TerminateStatus><ExitCode>0</ExitCode></UMDFDriverManagerHostShutdown>",
  "EventReceivedTime": "2019-10-19T20:41:08.115696+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_msvistalog",
  "UMDFDriverManagerHostShutdown.LifetimeId": "{1208e11e-4339-4c06-86bb-7430fd254ee6}",
  "UMDFDriverManagerHostShutdown.TerminateStatus": "0",
  "UMDFDriverManagerHostShutdown.ExitCode": "0"
}

USB logs available via ETW

USB events can be retrieved by using Event Tracing for Windows (ETW) providers. There are several providers you can use to retrieve information about USB-related activity. The most notable ones are listed below.

Providers for USB2 events:

Provider                        Details
Microsoft-Windows-USB-USBHUB    Provides USB2 hub events
Microsoft-Windows-USB-USBPORT   Provides USB2 port events

Providers for USB3 events:

Provider                        Details
Microsoft-Windows-USB-USBHUB3   Provides USB3 hub events
Microsoft-Windows-USB-UCX       Provides USB UCX (host controller extension) events
Microsoft-Windows-USB-USBXHCI   Provides USB xHCI (USB3 host controller) events

Providers for Smart Card related USB events:

Provider                              Details
Microsoft-Windows-USB-CCID            Monitors Smart Card readers connected to the computer over USB
Microsoft-Windows-Smartcard-Trigger   Logs an event when a USB smart card reader is inserted or removed

Example 2. Collecting USB logs from ETW

This configuration uses the im_etw module to collect logs when a USB Smart Card reader is inserted.

nxlog.conf
<Input etw>
    Module      im_etw
    Provider    Microsoft-Windows-Smartcard-Trigger
</Input>
Output sample
{
  "SourceName": "Microsoft-Windows-Smartcard-Trigger",
  "ProviderGuid": "{AEDD909F-41C6-401A-9E41-DFC33006AF5D}",
  "EventID": 1000,
  "Version": 0,
  "ChannelID": 0,
  "OpcodeValue": 0,
  "TaskValue": 0,
  "Keywords": "0",
  "EventTime": "2019-12-05T14:12:11.453805+01:00",
  "ExecutionProcessID": 13180,
  "ExecutionThreadID": 7608,
  "EventType": "INFO",
  "SeverityValue": 2,
  "Severity": "INFO",
  "Domain": "NT AUTHORITY",
  "AccountName": "LOCAL SERVICE",
  "UserID": "S-1-5-19",
  "AccountType": "Well Known Group",
  "Flags": "EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)",
  "ScDeviceEnumGuid": "{5a236687-d307-44e2-9241-e1c6c27ceb28}",
  "EventReceivedTime": "2019-12-05T14:12:13.457624+01:00",
  "SourceModuleName": "etw",
  "SourceModuleType": "im_etw"
}

USB log events in Windows Registry

When a USB device is inserted into or removed from a Windows system, the Plug and Play (PnP) manager queries the device and stores the related information in the Windows Registry.

This information is stored in the registry keys under the following three registry paths.

  • "HKLM\SYSTEM\CurrentControlSet\Enum\USB\"

  • "HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\"

  • "HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\"

The first two store information about the USB devices that have been plugged in. The third stores additional information as USB drives are recognized as disks and mounted as drive volumes in the system. For more information, see the USB Device Registry Entries documentation from Microsoft.

Events from these keys can be correlated by the device serial number, which appears as the instance ID under both Enum\USB and Enum\USBSTOR (with an "&0"-style suffix under USBSTOR). Be aware that a device which reports no serial number gets a Windows-generated instance ID whose second character is "&"; such an ID is specific to the host and port and must not be treated as a device identity.
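The following Python is an added example (not part of the original page or of NXLog) of that correlation: it parses the RegistryValueName field of im_regmon events for the three key families the page lists, extracts vendor, product, VID/PID and serial, and merges everything seen about one serial into a single inventory entry while setting aside devices with a Windows-generated ID. The first sample line reuses the path from the output sample below; the other lines, including the VID/PID pairing and the DeviceClasses path, are constructed.

```python
"""Build a USB device inventory from im_regmon events by parsing registry paths.

Added example, not part of the original page or of NXLog. Sample events are
constructed; the first path is the one shown on the page.
"""
import json
import re

# Enum\USB\VID_xxxx&PID_yyyy\<instance>\...
USB_RE = re.compile(r"\\Enum\\USB\\VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})"
                    r"\\(?P<instance>[^\\]+)", re.I)
# Enum\USBSTOR\<Disk&Ven_X&Prod_Y&Rev_Z>\<instance>\...
USBSTOR_RE = re.compile(r"\\Enum\\USBSTOR\\(?P<devid>[^\\]+)\\(?P<instance>[^\\]+)", re.I)
# Control\DeviceClasses\{guid}\##?#USBSTOR#<devid>#<instance>#{guid}
DEVCLASS_RE = re.compile(r"\\DeviceClasses\\\{[0-9a-f-]+\}\\##\?#USBSTOR#"
                         r"(?P<devid>[^#]+)#(?P<instance>[^#]+)#", re.I)

SAMPLE_LINES = [
    json.dumps({"EventTime": "2019-10-20T11:07:56+02:00", "EventType": "CHANGE",
                "RegistryValueName": "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
                "Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_\\60A44C413A8CF320B9110053&0"
                "\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0066\\"}),
    json.dumps({"EventTime": "2019-10-20T11:07:55+02:00", "EventType": "ADD",
                "RegistryValueName": "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB\\"
                "VID_0951&PID_1666\\60A44C413A8CF320B9110053\\FriendlyName"}),
    json.dumps({"EventTime": "2019-10-20T12:30:00+02:00", "EventType": "ADD",
                "RegistryValueName": "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
                "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&2f1a3b4c&0\\FriendlyName"}),
    json.dumps({"EventTime": "2019-10-20T12:30:01+02:00", "EventType": "CHANGE",
                "RegistryValueName": "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\"
                "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\##?#USBSTOR#"
                "Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_#60A44C413A8CF320B9110053&0#"
                "{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\\"}),
]


def serial_from_instance(instance):
    """Strip the '&<n>' suffix of a USBSTOR instance id to get the serial.

    When a device reports no serial, Windows generates an id with '&' as its
    second character (e.g. '7&2f1a3b4c&0'); that is not a serial, so None is
    returned and the device is never keyed on it.
    """
    if len(instance) > 1 and instance[1] == "&":
        return None
    return instance.split("&")[0]


def parse_path(path):
    """Classify a registry path as usb / usbstor / deviceclass and extract ids."""
    m = USB_RE.search(path)
    if m:
        return {"kind": "usb", "vid": m["vid"].upper(), "pid": m["pid"].upper(),
                "serial": serial_from_instance(m["instance"])}
    for kind, rx in (("usbstor", USBSTOR_RE), ("deviceclass", DEVCLASS_RE)):
        m = rx.search(path)
        if m:
            # "Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_" -> Ven/Prod/Rev parts
            parts = dict(p.split("_", 1) for p in m["devid"].split("&") if "_" in p)
            return {"kind": kind, "vendor": parts.get("Ven", ""),
                    "product": parts.get("Prod", ""),
                    "serial": serial_from_instance(m["instance"])}
    return None


def inventory(lines):
    """Return (by_serial, unserialised): facts merged per serial across the
    three key families, plus events for devices without a real serial.
    EventTime strings are compared lexically, which is valid because all
    constructed samples share the same UTC offset."""
    by_serial, unserialised = {}, []
    for line in lines:
        ev = json.loads(line)
        info = parse_path(ev["RegistryValueName"])
        if info is None:
            continue
        if info["serial"] is None:
            unserialised.append((ev["EventTime"], info))
            continue
        entry = by_serial.setdefault(info["serial"],
                                     {"first_seen": ev["EventTime"], "keys": set()})
        entry["first_seen"] = min(entry["first_seen"], ev["EventTime"])
        entry["keys"].add(info["kind"])
        for k in ("vid", "pid", "vendor", "product"):
            if k in info:
                entry[k] = info[k]
    return by_serial, unserialised
```

Keying the inventory on the serial, not on the full registry path, is what lets the three event streams (USB, USBSTOR and DeviceClasses) collapse into one record per physical device; the unserialised list is worth reviewing separately because cheap flash drives without serials are common.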

This configuration uses the im_regmon module to collect USB related events from the Windows Registry. It scans the registry every 60 seconds.

nxlog.conf
<Input in>
    Module          im_regmon
    RegValue        'HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\*'
    RegValue        'HKLM\SYSTEM\CurrentControlSet\Enum\USB\*'
    RegValue        'HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\*'
    Recursive       TRUE
    ScanInterval    60
</Input>
Output sample
{
  "EventTime": "2019-10-20T11:07:56.473658+02:00",
  "Hostname": "Host",
  "EventType": "CHANGE",
  "RegistryValueName": "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_\\60A44C413A8CF320B9110053&0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0066\\",
  "PrevValueSize": 8,
  "ValueSize": 8,
  "DigestName": "SHA1",
  "PrevDigest": "a477f34abec7da133ad5ff2dcf67b3b7e089d2d6",
  "Digest": "e47f5d5668fa31237f198a2e4cb9bc78003f3cc8",
  "Severity": "WARNING",
  "SeverityValue": 3,
  "EventReceivedTime": "2019-10-20T11:07:56.473658+02:00",
  "SourceModuleName": "in",
  "SourceModuleType": "im_regmon"
}

USB events logged into a file

In Windows Vista and later, the Plug and Play (PnP) manager and SetupAPI log device installation events to the SetupAPI.dev.log file. The file contains a wealth of information about all installed devices, including those attached via USB.

The file is located in the C:\Windows\INF directory. Each installation is recorded as a multi-line section that opens with a ">>>" header naming the device instance and closes with a "<<<" exit status line, so reading the file line by line yields one event per line rather than one per installation. NXLog can read, parse and forward the logs contained in this file.

This configuration uses the im_file module to read the events from the SetupAPI.dev.log file.

nxlog.conf
<Input in>
    Module    im_file
    File      'C:\Windows\INF\SetupAPI.dev.log'
</Input>
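As an added example (not part of the original page or of NXLog), the Python below parses SetupAPI.dev.log into installation sections and picks out the USB device installs with their duration, start time, exit status and the process that performed the install. The log text is constructed to follow the section layout of SetupAPI.dev.log (">>>  [<action> - <target>]", ">>>  Section start <timestamp>", indented "cmd:" and "dvi:" lines, "<<<  Section end <timestamp>", "<<<  [Exit status: ...]"); the device IDs, paths and timestamps in it are sample values.

```python
"""Parse SetupAPI.dev.log installation sections and pick out USB device installs.

Added example, not part of the original page or of NXLog. The log below is
constructed; only its layout follows the real file.
"""
import re
from datetime import datetime

SAMPLE_LOG = r"""
>>>  [Device Install (Hardware initiated) - USB\VID_0951&PID_1666\60A44C413A8CF320B9110053]
>>>  Section start 2019/10/19 20:40:55.123
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 20:40:55.140
     dvi:      Searching for hardware ID(s):
     dvi:           usb\vid_0951&pid_1666&rev_0110
     dvi: {Build Driver List - exit(0x00000000)} 20:40:55.201
<<<  Section end 2019/10/19 20:40:58.456
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_\60A44C413A8CF320B9110053&0]
>>>  Section start 2019/10/19 20:40:58.500
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
<<<  Section end 2019/10/19 20:41:00.010
<<<  [Exit status: SUCCESS]
>>>  [Setup Import Driver Package - C:\Temp\example.inf]
>>>  Section start 2019/10/20 09:00:00.000
      cmd: C:\Windows\System32\spoolsv.exe
<<<  Section end 2019/10/20 09:00:01.000
<<<  [Exit status: SUCCESS]
"""

TS = r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})"
HEADER_RE = re.compile(r"^>>>\s+\[(?P<action>.+?) - (?P<target>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start " + TS)
END_RE = re.compile(r"^<<<\s+Section end " + TS)
STATUS_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
CMD_RE = re.compile(r"^\s+cmd: (?P<cmd>.+?)\s*$")


def _ts(text):
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S.%f")


def parse_sections(text):
    """Turn the log into a list of sections: action, target, start, end,
    status and the command line of the process that drove the install."""
    sections, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"action": m["action"], "target": m["target"],
                       "start": None, "end": None, "status": None, "cmd": None}
            sections.append(current)
            continue
        if current is None:
            continue
        m = START_RE.match(line)
        if m:
            current["start"] = _ts(m["ts"])
            continue
        m = END_RE.match(line)
        if m:
            current["end"] = _ts(m["ts"])
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m["status"]
            current = None  # section complete; ignore lines until the next header
            continue
        m = CMD_RE.match(line)
        if m and current["cmd"] is None:
            current["cmd"] = m["cmd"]
    return sections


def usb_installs(sections):
    """Keep sections whose target is a USB or USBSTOR device instance id and
    add the install duration in seconds (None if a timestamp is missing)."""
    out = []
    for s in sections:
        if not re.match(r"USB(STOR)?\\", s["target"], re.I):
            continue
        seconds = None
        if s["start"] and s["end"]:
            seconds = (s["end"] - s["start"]).total_seconds()
        out.append({**s, "seconds": seconds})
    return out


if __name__ == "__main__":
    for s in usb_installs(parse_sections(SAMPLE_LOG)):
        print(f"{s['start']} {s['status']} {s['seconds']:.3f}s {s['target']} via {s['cmd']}")
```

The parser ignores everything outside a header/exit-status pair, which matters because the real file also contains sections for driver package imports and non-USB buses; only the target prefix decides what is reported.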

Disclaimer

While we endeavor to keep the information in our guides up to date and correct, NXLog makes no representations or warranties of any kind, express or implied about the completeness, accuracy, reliability, suitability, or availability of the content represented here. We update our screenshots and instructions on a best-effort basis.

Last revision: 11 January 2020