☠ MASQ ☠
asked on
XP and USB Devices - is there a system event log?
We have a LAN based system within a WAN using bespoke software with a Sentinel type USB dongle to authenticate the installation.
Today it's missing, presumably someone is going to be disappointed with their newly acquired USB memory stick!
Now I can trace when the software last authenticated a user but as the XP machine that acts as the host "server" is always on will there be a timed record within Windows of when the device was removed? (There are no other USB devices that would be connected or removed duing the same period).
Today it's missing, presumably someone is going to be disappointed with their newly acquired USB memory stick!
Now I can trace when the software last authenticated a user but as the XP machine that acts as the host "server" is always on will there be a timed record within Windows of when the device was removed? (There are no other USB devices that would be connected or removed duing the same period).
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Adrian Cantrill
although - http://thepcsecurity.com/usbdeview-usb-event-log-file-to-remember-usb-device-connections/ this software claims to be able to determine times, so give it a try.
yes in event viewer move on to system here check all event with eventid= 7035 and source= system . Now one of the event contain following message
"The Universal Plug and Play Device Host service was successfully sent a start control".
note the above event's date and time. Hope this will help you
"The Universal Plug and Play Device Host service was successfully sent a start control".
note the above event's date and time. Hope this will help you
ASKER
Tried event viewer but there are no instances of USB device plug/unplugs recorded.
Tried with a USB memory stick and it wasn't recorded :(
Will check the link but suspect it may be a service that needs to be present ahead of the event.
Tried with a USB memory stick and it wasn't recorded :(
Will check the link but suspect it may be a service that needs to be present ahead of the event.
ASKER
Am trying http://www.nirsoft.net/utils/usb_devices_view.html
Which although not logging every use logs the most recent changes - will let you know how it goes but if there are any other ideas ....
Which although not logging every use logs the most recent changes - will let you know how it goes but if there are any other ideas ....
yeah i tried it myself earlier (the one i suggested above ) and it didnt pick anything up, and since there is nothing in my event log for USB drive addition/removal that makes sense.
But i have tested the USB event, personally on my system, which i have already mentioned above. i would suggest you to search all the system events with event id = 7035 and 7036. I hope any of them contains the following information.
"The Universal Plug and Play Device Host service was successfully sent a start control".
Hope you will get your desired result
"The Universal Plug and Play Device Host service was successfully sent a start control".
Hope you will get your desired result
ASKER
No, have done this and although there are 7035 and 7036 start and stop messages no USB devices are recorded in the log. They all refer to network services.
The utility I linked to certainly records all the USB devices that have been plugged grabbing from both Registry and Device Manger but although some plug/unplug dates are recorded it's not consistent and misses the Key I'm interested in (but it's UUID is displayed together with date first installed).
I now don't think Event Manager handles this natively in XP much as woolnoir states in their first post.
The utility I linked to certainly records all the USB devices that have been plugged grabbing from both Registry and Device Manger but although some plug/unplug dates are recorded it's not consistent and misses the Key I'm interested in (but it's UUID is displayed together with date first installed).
I now don't think Event Manager handles this natively in XP much as woolnoir states in their first post.
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
As posted this isn't available on XP and was introduced as a service in Vista. There are tools that will collate data based on system logs and device manager but they are far from 100% acurate.