Windows USB auditing
Portable devices provide the user easy access to company data in a corporate environment. As the usage of USB devices increases, so do the risks associated with them.
This section discusses the possibilities of collecting USB-related log events in a Microsoft Windows environment using NXLog Agent.
There are four ways USB activity logs can be tracked down.
-
From Windows Event Log
-
Tracing them using ETW
-
Monitoring them in Windows Registry
-
Looking at the file system
USB logs in Windows Event Log
Microsoft Windows logs USB-related events into Windows Event Log. They are logged under the System and Security channels as well as in various places under the Applications and Services Logs\Microsoft\Windows path in Event Viewer.
These events are only generated once, during the driver installation phase, when the external device is connected for the first time.
The logging of these events is enabled by default. |
Source | Trigger Condition | Event ID |
---|---|---|
DriverFramework-Usermode |
First connection |
10000 |
UserPNP |
Installed or updated |
20001 |
WPD-ClassInstaller |
Successful Installation |
24576 |
These events are generated when some kind of USB activity is observed by the Operating System.
The logging of these events is not enabled by default. |
Plug and Play events
They are generated whenever a device is plugged in. Tracking these USB events is useful for auditing purposes.
Object Access Audit Events
They can be used to monitor object manipulation, such as creation, deletion as well as other changes. This can be useful for monitoring for possible data leaks.
These two events can be turned on in the Local Security Policy or by the auditpol tool with the command below in Windows PowerShell.
auditpol /set /subcategory:"Plug and Play Events","Removable
Storage","Handle Manipulation" /success:enable /failure:enable
The following command could be used to check the status of subcategories if necessary.
auditpol /get /subcategory:"Plug and Play Events","Removable
Storage","Handle Manipulation"
Source | Trigger Condition | Event ID |
---|---|---|
Plug and Play (detailed tracking) |
Device connection |
6416 |
Object Access Audit |
Handle request |
4656 |
Object Access Audit |
Attampt to access an object |
4663 |
Event 4663 is the most useful. This event logs the exact operation on the object and which process executed it.
There are some useful USB logs located under the Applications and Services Logs\Microsoft\Windows path in Windows Event Viewer, these sources listed below. The sources contain different information about different aspects of the subject.
Source | Trigger Condition | Event ID |
---|---|---|
Partition Diagnostic |
Connection and ejection. |
1006 |
NTFS |
Connection |
142 |
StorSVC Diagnostic |
Connection |
1001 |
DriverFrameworks-UserMode (not enabled by default) |
Connection |
1003, 1004, 2000, 2001, 2003, 2004, 2005, 2006, 2010, 2100, 2101, 2105, 2016 |
Ejection |
1006, 1008, 2100, 2101, 2102, 2105, 2106, 2900, 2901 |
|
Kernel-PnP |
First connection |
400, 410, 430 |
DeviceSetupManager-Admin |
First Connection |
112 |
The group of events created in Microsoft-Windows-DriverFrameworks-UserMode correlate to each other based on their LifetimeIds. They will be the same for the corresponding events. |
Microsoft-Windows-DriverFrameworks-UserMode
LoggingEnabling on a local computer:
In Event Viewer (eventvwr
) under Applications and Services
Logs > Microsoft > Windows > DriverFrameworks-UserMode\Operational,
right-click on Operational and select Enable Log.
Enabling on multiple computers in an Active Directory Domain environment
using wevtutil
:
-
Enable a Remote Administration exception on the firewall of the client computers via a GPO. The following needs to be enabled.
[Computer Configuration\Administrative Templates\Network\Network Connections\Windows Firewall\Domain Profile\Windows Firewall: Allow inbound remote administration exception]
-
Prepare a text file for the client computer names. For example,
c:\computers.txt
. -
Run the following command with Domain Administrator’s privilege.
for /F %i in (c:\computers.txt) do wevtutil sl Microsoft-Windows-DriverFrameworks-UserMode/Operational /e:true /r:%i
The following PowerShell command checks the status of logging:
Get-WinEvent -ListLog Microsoft-Windows-DriverFrameworks-UserMode/Operational | Format-List IsEnabled
This configuration uses the im_msvistalog module to
collect USB events. EventIDs that are useful from the audit perspective are
listed in the configuration define
lines.
<Extension _xml>
Module xm_xml
</Extension>
# StorSvc Diagnostic
define ID1 1001
# PnP detailed tracking
define ID2 6416
# Partition Diagnostic
define ID3 1006
# NTFS
define ID4 142
# DriverFw preconnection
define ID5 1003
# DriverFw connection-related
define ID6 2003
# DriverFw removal-related
define ID7 1008
# System: DriverFramework-Usermode
define ID8 10000
# System: UserPNP
define ID9 20001
#Object Access Audit
define ID10 4656
<Input in>
Module im_msvistalog
# For Windows 2003 and earlier, use the im_mseventlog module.
<QueryXML>
<QueryList>
<Query Id="0" Path="Security">
<Select Path="Security">*</Select>
<Select Path="System">*</Select>
<Select \
Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">* \
</Select>
<Select Path="Microsoft-Windows-Ntfs/Operational">*</Select>
<Select Path="Microsoft-Windows-Partition/Diagnostic">*</Select>
<Select Path="Microsoft-Windows-Storsvc/Diagnostic">*</Select>
</Query>
</QueryList>
</QueryXML>
<Exec>
if ($EventID NOT IN (%ID1%)) and
($EventID NOT IN (%ID2%)) and
($EventID NOT IN (%ID3%)) and
($EventID NOT IN (%ID4%)) and
($EventID NOT IN (%ID5%)) and
($EventID NOT IN (%ID6%)) and
($EventID NOT IN (%ID7%)) and
($EventID NOT IN (%ID8%)) and
($EventID NOT IN (%ID9%)) and
($EventID NOT IN (%ID10%)) drop();
if $UserData parse_xml($UserData);
</Exec>
</Input>
{
"EventTime": "2019-10-19T20:41:06.700337+02:00",
"Hostname": "Host",
"Keywords": "9223372036854775808",
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"EventID": 1008,
"SourceName": "Microsoft-Windows-DriverFrameworks-UserMode",
"ProviderGuid": "{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}",
"Version": 1,
"TaskValue": 18,
"OpcodeValue": 2,
"RecordNumber": 42756,
"ExecutionProcessID": 908,
"ExecutionThreadID": 504,
"Channel": "Microsoft-Windows-DriverFrameworks-UserMode/Operational",
"Domain": "NT AUTHORITY",
"AccountName": "SYSTEM",
"UserID": "S-1-5-18",
"AccountType": "User",
"Message": "The host process ({1208e11e-4339-4c06-86bb-7430fd254ee6}) has been shutdown.",
"Category": "Shutdown of a driver host process.",
"Opcode": "Stop",
"UserData": "<UMDFDriverManagerHostShutdown xmlns='http://www.microsoft.com/DriverFrameworks/UserMode/Event'><LifetimeId>{1208e11e-4339-4c06-86bb-7430fd254ee6}</LifetimeId><TerminateStatus>0</TerminateStatus><ExitCode>0</ExitCode></UMDFDriverManagerHostShutdown>",
"EventReceivedTime": "2019-10-19T20:41:08.115696+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_msvistalog",
"UMDFDriverManagerHostShutdown.LifetimeId": "{1208e11e-4339-4c06-86bb-7430fd254ee6}",
"UMDFDriverManagerHostShutdown.TerminateStatus": "0",
"UMDFDriverManagerHostShutdown.ExitCode": "0"
}
USB logs available via ETW
USB events can be retrieved by using Event Tracing for Windows (ETW) providers. There are several providers you can use to retrieve information about USB-related activity. The most notable ones are listed below.
Providers for USB2 events:
Provider | Details |
---|---|
Microsoft-Windows-USB-USBHUB |
Provides USB2 hub events |
Microsoft-Windows-USB-USBPORT |
Provides USB2 port events |
Providers for USB3 events:
Provider | Details |
---|---|
Microsoft-Windows-USB-USBHUB3 |
Provides USB3 hub events |
Microsoft-Windows-USB-UCX |
Provides USB UCX events |
Microsoft-Windows-USB-USBXHCI |
Provides USB XHCI events |
Providers for Smart Card related USB events:
Provider | Details |
---|---|
Microsoft-Windows-USB-CCID |
Monitors Smart Card readers using USB to connect to the computer |
Microsoft-Windows-Smartcard-Trigger |
Triggers a log when inserting and removing a USB smart card reader |
This configuration uses the im_etw module to collect logs when a USB Smart Card reader is inserted.
<Input etw>
Module im_etw
Provider Microsoft-Windows-Smartcard-Trigger
</Input>
{
"SourceName": "Microsoft-Windows-Smartcard-Trigger",
"ProviderGuid": "{AEDD909F-41C6-401A-9E41-DFC33006AF5D}",
"EventID": 1000,
"Version": 0,
"ChannelID": 0,
"OpcodeValue": 0,
"TaskValue": 0,
"Keywords": "0",
"EventTime": "2019-12-05T14:12:11.453805+01:00",
"ExecutionProcessID": 13180,
"ExecutionThreadID": 7608,
"EventType": "INFO",
"SeverityValue": 2,
"Severity": "INFO",
"Domain": "NT AUTHORITY",
"AccountName": "LOCAL SERVICE",
"UserID": "S-1-5-19",
"AccountType": "Well Known Group",
"Flags": "EXTENDED_INFO|IS_64_BIT_HEADER|PROCESSOR_INDEX (577)",
"ScDeviceEnumGuid": "{5a236687-d307-44e2-9241-e1c6c27ceb28}",
"EventReceivedTime": "2019-12-05T14:12:13.457624+01:00",
"SourceModuleName": "etw",
"SourceModuleType": "im_etw"
}
USB log events in Windows Registry
When a USB device is inserted or ejected to and from a Windows system, the Plug-and-Play(PnP) manager triggers a query for the device, and then it stores the related information in the Windows Registry.
This information is stored in the registry keys under the following three registry paths.
-
"HKLM\SYSTEM\CurrentControlSet\Enum\USB\"
-
"HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\"
-
"HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\"
The first two stores information about the plugged-in USB devices. The third on stores additional information as USB drives are recognized as disks and mounted as a drive volume in the system. For more information, see the USB Device Registry Entries documentation from Microsoft.
These USB log events could be correlated based on the serial numbers of the USB devices. |
This configuration uses the im_regmon module to collect USB related events from the Windows Registry. It scans the registry every 60 seconds.
<Input in>
Module im_regmon
RegValue 'HKLM\SYSTEM\CurrentControlSet\Control\DeviceClasses\*'
RegValue 'HKLM\SYSTEM\CurrentControlSet\Enum\USB\*'
RegValue 'HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\*'
Recursive TRUE
ScanInterval 60
</Input>
{
"EventTime": "2019-10-20T11:07:56.473658+02:00",
"Hostname": "Host",
"EventType": "CHANGE",
"RegistryValueName": "HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_\\60A44C413A8CF320B9110053&0\\Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\0066\\",
"PrevValueSize": 8,
"ValueSize": 8,
"DigestName": "SHA1",
"PrevDigest": "a477f34abec7da133ad5ff2dcf67b3b7e089d2d6",
"Digest": "e47f5d5668fa31237f198a2e4cb9bc78003f3cc8",
"Severity": "WARNING",
"SeverityValue": 3,
"EventReceivedTime": "2019-10-20T11:07:56.473658+02:00",
"SourceModuleName": "in",
"SourceModuleType": "im_regmon"
}
USB events logged into a file
In Windows Vista and later editions, the Plug and Play (PnP) manager and SetupAPI log events about device installation into the SetupAPI.dev.log file. The file contains a wealth of information about all installed devices including the ones that have been attached via USB.
The file is located in the C:\Windows\INF directory. NXLog can read, parse and forward the logs contained in this file.
This configuration uses the im_file module to read the events from the SetupAPI.dev.log file.
<Input in>
Module im_file
File 'C:\Windows\INF\SetupAPI.dev.log'
</Input>