Solved

XP and USB Devices - is there a system event log?

Posted on 2010-09-15
10
2,182 Views
Last Modified: 2012-05-10
We have a LAN based system within a WAN using bespoke software with a Sentinel type USB dongle to authenticate the installation.  

Today it's missing, presumably someone is going to be disappointed with their newly acquired USB memory stick!

Now I can trace when the software last authenticated a user but as the XP machine that acts as the host "server" is always on will there be a timed record within Windows of when the device was removed? (There are no other USB devices that would be connected or removed duing the same period).

0
Comment
Question by:☠ MASQ ☠
  • 4
  • 4
  • 2
10 Comments
 
LVL 20

Accepted Solution

by:
woolnoir earned 500 total points
ID: 33681146
I dont believe XP logs the removal of USB devices. Just tested an XP machine here with a usb stick and nothing.
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33681160
although - http://thepcsecurity.com/usbdeview-usb-event-log-file-to-remember-usb-device-connections/ this software claims to be able to determine times, so give it a try.
0
 
LVL 11

Expert Comment

by:farjadarshad
ID: 33681215
yes in event viewer move on to system here check all event with eventid= 7035 and source= system . Now one of the event contain following message

"The Universal Plug and Play Device Host service was successfully sent a start control".

note the above event's date and time. Hope this will help you


0
Comprehensive Backup Solutions for Microsoft

Acronis protects the complete Microsoft technology stack: Windows Server, Windows PC, laptop and Surface data; Microsoft business applications; Microsoft Hyper-V; Azure VMs; Microsoft Windows Server 2016; Microsoft Exchange 2016 and SQL Server 2016.

 
LVL 62

Author Comment

by:☠ MASQ ☠
ID: 33683791
Tried event viewer but there are no instances of USB device plug/unplugs recorded.
Tried with a USB memory stick and it wasn't recorded :(

Will check the link but suspect it may be a service that needs to be present ahead of the event.
0
 
LVL 62

Author Comment

by:☠ MASQ ☠
ID: 33685729
Am trying http://www.nirsoft.net/utils/usb_devices_view.html
Which although not logging every use logs the most recent changes - will let you know how it goes but if there are any other ideas ....
0
 
LVL 20

Expert Comment

by:woolnoir
ID: 33685770
yeah i tried it myself earlier (the one i suggested above ) and it didnt pick anything up, and since there is nothing in my event log for USB drive addition/removal that makes sense.
0
 
LVL 11

Expert Comment

by:farjadarshad
ID: 33688411
But i have tested the USB event, personally on my system, which i have already mentioned above. i would suggest you to search all the system events with event id = 7035 and 7036. I hope any of them contains the following information.

"The Universal Plug and Play Device Host service was successfully sent a start control".

Hope you will get your desired result
0
 
LVL 62

Author Comment

by:☠ MASQ ☠
ID: 33690861
No, have done this and although there are 7035 and 7036 start and stop messages no USB devices are recorded in the log.  They all refer to network services.
 
The utility I linked to certainly records all the USB devices that have been plugged grabbing from both Registry and Device Manger but although some plug/unplug dates are recorded it's not consistent and misses the Key I'm interested in (but it's UUID is displayed together with date first installed).
I now don't think Event Manager handles this natively in XP much as woolnoir states in their first post.
0
 
LVL 20

Assisted Solution

by:woolnoir
woolnoir earned 500 total points
ID: 33691894
The interesting thing about farjadarshad's post is that it mentions Universal Plug and Play Device Host which is UPnP - strictly speaking this is nothing to do with traditional PnP i.e hot plugging devices, i don't know why it would show an event for a USB key insertion/removal - that being said 7035 and 7036 do match device removal.

I've had a chat with a few colleagues or mine and they have both said Vista was the first OS which this could be tracked natively - it got added in line with some new USB GPO control for USB devices.
0
 
LVL 62

Author Comment

by:☠ MASQ ☠
ID: 33803027
As posted this isn't available on XP and was introduced as a service in Vista.  There are tools that will collate data based on system logs and device manager but they are far from 100% acurate.
0

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this article we have discussed the manual scenarios to recover data from Windows 10 through some backup and recovery tools which are offered by it.
What do we know about Legacy Video Conferencing? - Full IT support needed! - Complicated systems at outrageous prices! - Intense training required! Highfive believes we need to embrace a new alternative.
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Two types of users will appreciate AOMEI Backupper Pro: 1 - Those with PCIe drives (and haven't found cloning software that works on them). 2 - Those who want a fast clone of their boot drive (no re-boots needed) and it can clone your drive wh…

861 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question