Mrrrr's Forum (VIEW ONLY)
Tutorials and useful guides / [WINDOWS] Find the History of Every USB Device that Was Connected

Author: Mrrrr (AdMiN)
Method 1 - using regedit (SOURCE 1)

To find the USB history of your device, take the following steps:

1: Go to Run and type regedit, then press Enter

2: In the registry, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

3: When you click on the USBSTOR key, you will get a list of all the USB storage devices that have ever been connected to this computer.

4: Click on any device in the list and expand its subkey. On the right side you will find an entry named "FriendlyName"; its value tells you what type of USB device this is.

Method 2 - using a PowerShell script (SOURCE 2)

1: Go to Run and type powershell, then press Enter

2: At the prompt, paste the following script then press Enter:

Push-Location
Set-Location HKLM:\
# One subkey per device instance under USBSTOR\<device id>\<instance id>
$devices = Get-Item 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\*\*'
# The instance id ends in "<serial>&0"; strip that suffix with a regex rather than
# TrimEnd('&0'), which would also remove any real trailing zeros of the serial number
$devices | Get-ItemProperty | Select-Object -Property @{Name='SerialNumber';Expression={($_.PSChildName -replace '&\d+$','').Split('&')[-1]}}, FriendlyName, Class
Pop-Location

Method 3 - using a third-party tool (SOURCE 4)

1. Go to

2. Download their portable software USBDeview v3.03

3. After extraction, run USBDeview.exe to see all USB devices that were connected to the computer, not only storage devices.

Enable USB drive usage history (SOURCE 3)

1. Go to Run and type eventvwr, then press Enter

2. Navigate to Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational

3. Right-click on Operational, select Properties, then tick the Enable Logging checkbox

4. Choose one of the options below according to your preference (I chose the latter)
- Overwrite events as needed (oldest events first)
- Archive the log when full, do not overwrite events
- Do not overwrite events (clear logs manually)

5. Click OK.

6. Now connect a USB drive and see the logging information.
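As an added example (not part of the original post), the same configuration from steps 1-5 applied at an elevated PowerShell prompt with the built-in wevtutil tool, followed by a check of the resulting log settings. The log name is the channel behind the Event Viewer path above; the retention option shown corresponds to the "Do not overwrite events" choice.

```powershell
# Added example, not from the original post: enable the DriverFrameworks-UserMode Operational
# log from an elevated PowerShell prompt instead of the Event Viewer Properties dialog.
$logName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

# /e:true enables logging; /rt:true keeps events instead of overwriting the oldest ones
# (the "Do not overwrite events" option from step 4). Omit /rt:true to keep the default
# circular behaviour ("Overwrite events as needed").
wevtutil sl $logName /e:true /rt:true

# Verify the change: IsEnabled should be True and LogMode should read Retain.
Get-WinEvent -ListLog $logName | Select-Object LogName, IsEnabled, LogMode, MaximumSizeInBytes

# Now connect a USB drive and confirm that events start to appear (step 6).
Get-WinEvent -LogName $logName -MaxEvents 20 | Select-Object TimeCreated, Id, Message
```

Because this log is disabled by default, nothing before the moment you enable it is recoverable from it; for earlier connections fall back to the USBSTOR registry keys from Methods 1 and 2.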

Tracking a USB flash drive connection

When you connect a USB flash drive to your system, a number of Information and Verbose Level event records are generated in the Operational Log. These records will consist of the following Event IDs:
2003
2004
2006
2010
2100
2101
2105
2106

For example, when I connected a USB flash drive to my system, Event Viewer displayed those event records in the Operational Log, as shown in the image below.

image below straight from source 3, if source 3 site dies there will be no image:


As you can see, the first couple of event records pertain to loading drivers for the particular USB flash drive. The rest of the records pertain to the pnp (Plug-and-Play) or Power Management operations that get the drive ready to go to work in Windows 10. You’ll also see that each event record has the same Date And Time stamp that corresponds to the instant that the USB flash drive was connected to the system.

The majority of these records contain a coded name for the device that will help you identify the device in a generic way. However, each device’s unique serial number is also included in the majority of these records, which will allow you to identify specific USB flash drives.

As you might have guessed, by combining the date and time stamp with the device’s unique serial number, you can find out exactly when a particular device was connected to the system. Pretty good so far, right?

However, connecting the USB flash drive generated 16 event records. Fortunately, all the records are generated at the same time, and the majority of the event records contain the unique serial number. Therefore, you need to investigate only one record to get what you need.

When a USB flash drive is connected, the first recorded event record is Event ID 2003. So by noting the date and time stamp assigned to an Event ID 2003 record, you can tell exactly when a USB flash drive was connected to the system. If you then open the Event ID 2003 record, as shown in the next photo, you can find all the information you need.

image below straight from source 3, if source 3 site dies there will be no image:


The General tab of the Event 2003 properties dialog displays all the pertinent information. To make it easier to see the individual pieces of this information, I’ve applied a highlighter to the screen shot:
The green highlight shows the coded name for the device: USBSTOR#DISK indicates that this is a USB flash drive, and VEN_SANDISK&PROD_ULTRA tells us that this is a Sandisk Ultra 3.0 USB flash drive.
The yellow highlight shows where in the string you can find the device’s unique serial number.
The orange highlight shows the date and time that the USB flash drive was connected to the system.

Tracking a USB flash drive disconnection

When you eject or disconnect a USB device, a couple of Information Level event records are generated in the Operational Log:
2100
2102

These event records also contain a date and time stamp along with the device's unique serial number. Even though there are multiple Event ID 2102 event records for a disconnection, the Event ID is unique to a disconnect. As such, by investigating the Event ID 2102 event record, you can find out exactly when a particular device was disconnected from the system. When you open an Event ID 2102 record, as shown in the next picture, you can find all the information that you need.

image below straight from source 3, if source 3 site dies there will be no image:


On the General tab of the Event 2102 properties dialog, you can find all the pertinent information. To make it easier to see the individual pieces of pertinent information, I've applied a highlighter to the screen shot.

The green highlight shows the coded name for the device: USBSTOR#DISK indicates that this is a USB flash drive and VEN_SANDISK&PROD_ULTRA tells us that this is a Sandisk Ultra 3.0 USB flash drive.
The yellow highlight shows where in the string you can find the device's unique serial number.
The orange highlight shows the date and time when the USB flash drive was disconnected from the system.

Creating a Custom View
As you can imagine, after connecting and disconnecting multiple USB flash drives over time, the Operational Log will contain a lot of records. To make it easier to track down Event ID 2003 and Event ID 2102 event records in the Operational Log, you can create a Custom View.

To do so, make sure that the Operational Log is showing in Event Viewer, then pull down the Action menu and select the Create Custom View command. When you see the Create Custom View dialog, all you have to do is select the Information check box in the Event Level section and type 2003 and 2102 in the Includes/Excludes Event IDs box, as shown in the next image.

image below straight from source 3, if source 3 site dies there will be no image:


After you configure your Custom View, click OK. You’ll then see the Save Filter To Custom View dialog box. At this point, simply enter a name, as shown below, and click OK.

image below straight from source 3, if source 3 site dies there will be no image:


Now, to access your Custom View, just select it from the Custom Views tree. The USB Flash Drive Connect-Disconnect Tracker view displays only the event records you need to monitor USB flash drives, as shown below.

image below straight from source 3, if source 3 site dies there will be no image:


To make this Custom View even easier to use, pull down the View menu and select the Group By > Event ID command. When you do so, you’ll be able to more easily identify connect and disconnect events, as shown in the image below.

image below straight from source 3, if source 3 site dies there will be no image:


Putting it all together

By finding the same unique USB flash drive serial number in corresponding Event ID 2003 and Event ID 2102 event records and then subtracting the two date and time stamps, you can tell exactly how long a particular USB flash drive was connected to your system.
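Here is an added PowerShell example, not part of the original post, that does this pairing across the whole Operational Log instead of one record at a time: it pulls every Event ID 2003 and 2102 record with Get-WinEvent, extracts the model string and serial number from the device instance text in each message (the USBSTOR#DISK&VEN_...&PROD_...#<serial>&0# pattern highlighted in the screenshots above), matches each disconnect to the preceding connect of the same serial, and reports how long the drive stayed attached. Drives left unmatched are listed together with recent User32 1074 shutdown events from the System log, as the Caveats section suggests. The function name Get-UsbSerialFromMessage and the regular expression are my own assumptions about the message layout; run it from an elevated prompt with logging enabled.

```powershell
# Added example, not from the original post: pair USB connect (2003) and disconnect (2102)
# events from the DriverFrameworks-UserMode Operational log by serial number.
$logName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

# Assumed message layout (from the highlighted screenshots):
# "...USBSTOR#DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00#4C530001230829101113&0#{GUID}"
function Get-UsbSerialFromMessage {
    param([string]$Message)
    if ($Message -match 'USBSTOR#DISK&([^#]+)#([^#]+)#') {
        return [pscustomobject]@{
            Model  = $Matches[1]                      # VEN_xxx&PROD_yyy&REV_zzz
            Serial = $Matches[2] -replace '&\d+$', ''  # drop the trailing "&0" instance suffix
        }
    }
}

$events = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 2003, 2102 } -ErrorAction SilentlyContinue |
    Sort-Object TimeCreated

$open = @{}   # serial -> time of the most recent unmatched 2003 (connect) event
$sessions = foreach ($e in $events) {
    $dev = Get-UsbSerialFromMessage $e.Message
    if (-not $dev) { continue }   # other USB device classes log here too (see Caveats)
    switch ($e.Id) {
        2003 { $open[$dev.Serial] = $e.TimeCreated }
        2102 {
            # Several 2102 records follow one disconnect; only the first one closes the session.
            if ($open.ContainsKey($dev.Serial)) {
                [pscustomobject]@{
                    Serial       = $dev.Serial
                    Model        = $dev.Model
                    Connected    = $open[$dev.Serial]
                    Disconnected = $e.TimeCreated
                    Duration     = $e.TimeCreated - $open[$dev.Serial]
                }
                $open.Remove($dev.Serial)
            }
        }
    }
}

$sessions | Format-Table -AutoSize

# A 2003 record without a matching 2102 means the drive is still attached or the
# system was shut down before removal; list those and the recent shutdowns to compare.
$open.GetEnumerator() | ForEach-Object { "No disconnect found: $($_.Key) connected since $($_.Value)" }
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Message
```

The regex keys on the device instance string rather than on the localized message text, so it works regardless of the display language; if a record's message does not contain a USBSTOR#DISK instance string (a non-storage USB device), it is simply skipped.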

Caveats

While the Operational Log shows USB flash drive connect and disconnect events, that’s not the only USB device information this log displays. It may show event records for other USB devices as well. So just be aware of that as you look through the event records.

If you find an Event ID 2003 event record for a specific USB flash drive but don’t find a corresponding Event ID 2102 event record, that either means that the USB flash drive is still attached to the system or the system was shut down before the device was removed. The latter makes tracking a disconnect event a bit more tricky, but not impossible. You can investigate recent shutdowns as a means of determining when a USB flash drive was disconnected. You can track recent shutdowns by creating a Custom View and specifying Windows > System as the Event log, User32 as the Event source, and 1074 as the Event ID.

Sources:
1.
2.
3.
4.


Posted 2 years ago