Kernel-PnP/Device-Configuration
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-PnP%4Configuration.evtx
Kernel-PnP is the kernel-mode Plug and Play manager. It enumerates devices as they appear on a bus, assigns them resources, and starts each device node once a driver has been configured for it. The Configuration channel records those steps per device node, so its timestamps are among the earliest records of a hardware connection in the Windows event logs: they precede volume mounting, the StorageVolume and NTFS events, and any application access to the device.
Microsoft-Windows-Kernel-PnP/Configuration - written by the kernel Plug and Play manager (ETW provider Microsoft-Windows-Kernel-PnP). The %4 in the file name encodes the / of the channel name; Event Viewer lists the channel under Applications and Services Logs > Microsoft > Windows > Kernel-PnP > Configuration.
General
Kernel-PnP (Plug and Play) is the kernel component that owns the device tree. When a device appears on a bus it creates a device node, allocates resources, waits for a driver to be configured for the node (driver ranking and INF processing run in the user-mode Plug and Play service and SetupAPI; the kernel records the outcome) and then starts the node. Each step is logged with the DeviceInstanceId, the INF and service that were bound (DriverName, ServiceName), the setup ClassGuid, the driver version and provider, and a Status or Problem code. A single physical USB storage device produces several device nodes, each with its own events: the USB device (USB\VID_xxxx&PID_xxxx\<serial>), the storage device (USBSTOR\Disk&Ven_...&Prod_...\<serial>&0, the same path used under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR) and the volume (STORAGE\Volume\...).
Because the events are written by the kernel as the device is brought up, they are recorded whether or not any application ever touches the device. They are not tamper-proof, though: an administrator can clear the channel (clearing is itself recorded as System event 104), the system clock can be changed, and the log has a small default maximum size and wraps, so older connections may no longer be present. Timestamps are stored in UTC and shown in local time by Event Viewer.
Traces
The Event IDs of forensic interest in the Kernel-PnP/Configuration log are:
| Event ID | Description |
|---|---|
| 400 | Device was configured. Logged when a driver is matched and configured for a device node (first connection, driver update or reinstall). Fields include DeviceInstanceId, DriverName (INF), ClassGuid, DriverVersion, DriverProvider, DriverRank, MatchingDeviceId, ParentDeviceInstanceId and Status. |
| 410 | Device was started. Logged every time the node is started, so each reconnection of a known device produces a 410 even when no new 400 is written. Fields include DeviceInstanceId, DriverName, ClassGuid, ServiceName, LowerFilters, UpperFilters, Problem and Status. This is the earliest reliable proof that the device was active on the system. |
| 411 | Device had a problem starting. Same fields as 410 with a non-zero Problem code, for example when no driver is available or the driver is blocked. |
| 420 | Device was deleted. Logged when the device node is removed, for example on unplug, giving the end of the connection window. |
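The following is an added example, not code from the original page: it parses Kernel-PnP/Configuration events in the XML shape that Get-WinEvent (.ToXml()) or wevtutil qe /f:xml emit, builds a per-device timeline from the 400/410/420 events, and extracts the VID, PID and serial from the USB\ instance path together with the Enum\USBSTOR instance ID it maps to (this also covers the identifier-extraction and HID points in the Forensic Value list). The event records, instance IDs and timestamps are constructed sample data; the field names are those shown in the table above.

```python
"""Per-device connection timeline from Kernel-PnP/Configuration events 400/410/420 (added example)."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timezone
from xml.sax.saxutils import escape

EVT = "{http://schemas.microsoft.com/win/2004/08/events/event}"   # evtx XML namespace
CONFIGURED, STARTED, DELETED = 400, 410, 420
KEYBOARD_CLASS_GUID = "{4d36e96b-e325-11ce-bfc1-08002be10318}"     # Keyboard setup class
# USB\VID_xxxx&PID_xxxx[&MI_xx]\<instance>: instance is the device serial unless Windows generated it
USB_RE = re.compile(r"^USB\\VID_([0-9A-F]{4})&PID_([0-9A-F]{4})(?:&MI_[0-9A-F]{2})?\\([^\\]+)$", re.I)


def make_event(event_id, system_time, data):
    """Build a constructed record in the XML shape that Get-WinEvent's .ToXml() returns (sample data only)."""
    fields = "".join(f'<Data Name="{k}">{escape(v)}</Data>' for k, v in data.items())
    return ('<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System>'
            f'<Provider Name="Microsoft-Windows-Kernel-PnP"/><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{system_time}"/>'
            '<Channel>Microsoft-Windows-Kernel-PnP/Configuration</Channel></System>'
            f'<EventData>{fields}</EventData></Event>')


# Constructed sample: one SanDisk stick (two device nodes) plugged in, unplugged, then a USB keyboard.
DISK_USB = r"USB\VID_0781&PID_5583\4C530001230305115183"
DISK_STOR = r"USBSTOR\Disk&Ven_SanDisk&Prod_Ultra&Rev_1.00\4C530001230305115183&0"
KBD_USB = r"USB\VID_16C0&PID_27DB\6&1A2B3C4D&0&1"      # 2nd char '&': Windows-generated, no serial
KBD_HID = r"HID\VID_16C0&PID_27DB\7&12AB34CD&0&0000"
USB_CLASS = "{36fc9e60-c465-11cf-8056-444553540000}"
DISK_CLASS = "{4d36e967-e325-11ce-bfc1-08002be10318}"
HID_CLASS = "{745a17a0-74d3-11d0-b6fe-00a0c90f57da}"
SAMPLE_EVENTS = [   # SystemTime is UTC, as stored in the .evtx
    make_event(CONFIGURED, "2024-03-11T14:02:17.1234567Z", {"DeviceInstanceId": DISK_USB, "DriverName": "usbstor.inf", "ClassGuid": USB_CLASS, "Status": "0x0"}),
    make_event(STARTED, "2024-03-11T14:02:17.4567890Z", {"DeviceInstanceId": DISK_USB, "DriverName": "usbstor.inf", "ClassGuid": USB_CLASS, "ServiceName": "USBSTOR", "Problem": "0x0", "Status": "0x0"}),
    make_event(CONFIGURED, "2024-03-11T14:02:17.8000000Z", {"DeviceInstanceId": DISK_STOR, "DriverName": "disk.inf", "ClassGuid": DISK_CLASS, "Status": "0x0"}),
    make_event(STARTED, "2024-03-11T14:02:18.0010000Z", {"DeviceInstanceId": DISK_STOR, "DriverName": "disk.inf", "ClassGuid": DISK_CLASS, "ServiceName": "disk", "Problem": "0x0", "Status": "0x0"}),
    make_event(DELETED, "2024-03-11T14:20:05.0000000Z", {"DeviceInstanceId": DISK_USB}),
    make_event(STARTED, "2024-03-11T15:40:02.5000000Z", {"DeviceInstanceId": KBD_USB, "DriverName": "input.inf", "ClassGuid": HID_CLASS, "ServiceName": "HidUsb", "Problem": "0x0", "Status": "0x0"}),
    make_event(STARTED, "2024-03-11T15:40:02.7500000Z", {"DeviceInstanceId": KBD_HID, "DriverName": "keyboard.inf", "ClassGuid": KEYBOARD_CLASS_GUID, "ServiceName": "kbdhid", "Problem": "0x0", "Status": "0x0"}),
]


def parse_system_time(s):
    """'2024-03-11T14:02:17.1234567Z' (100-ns ticks) -> aware UTC datetime (microsecond precision)."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d+))?Z", s)
    base = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
    return base.replace(microsecond=int((m.group(2) or "0")[:6].ljust(6, "0")), tzinfo=timezone.utc)


def parse_event(xml_text):
    """Flatten one event: event_id, time, plus every EventData field keyed by its Name attribute."""
    root = ET.fromstring(xml_text)
    system = root.find(f"{EVT}System")
    rec = {"event_id": int(system.find(f"{EVT}EventID").text),
           "time": parse_system_time(system.find(f"{EVT}TimeCreated").get("SystemTime"))}
    for d in root.iterfind(f"{EVT}EventData/{EVT}Data"):
        rec[d.get("Name")] = d.text or ""
    return rec


def usb_identifiers(instance_id):
    """VID, PID, serial and the matching Enum\\USBSTOR instance ID for a USB\\ node, or None if not one.
    Windows generates the instance ID (second character '&') when the device reports no serial."""
    m = USB_RE.match(instance_id)
    if not m:
        return None
    vid, pid, inst = m.group(1).upper(), m.group(2).upper(), m.group(3)
    serial = None if inst[1:2] == "&" else inst
    return {"vid": vid, "pid": pid, "serial": serial,
            "usbstor_instance": f"{serial}&0" if serial else None}


def build_timeline(events):
    """Per DeviceInstanceId: first 400, every 410 (each reconnection starts the node again), last 420."""
    tl = defaultdict(lambda: {"configured": None, "starts": [], "deleted": None, "service": None, "keyboard": False})
    for rec in sorted(events, key=lambda r: r["time"]):
        if "DeviceInstanceId" not in rec:
            continue
        dev = tl[rec["DeviceInstanceId"]]
        if rec["event_id"] == CONFIGURED and dev["configured"] is None:
            dev["configured"] = rec["time"]
        elif rec["event_id"] == STARTED:
            dev["starts"].append(rec["time"])
            dev["service"] = rec.get("ServiceName")
            dev["keyboard"] = rec.get("ClassGuid", "").lower() == KEYBOARD_CLASS_GUID
        elif rec["event_id"] == DELETED:
            dev["deleted"] = rec["time"]
    return dict(tl)


def analyze(xml_records):
    return build_timeline(parse_event(x) for x in xml_records)


if __name__ == "__main__":
    for dev, info in analyze(SAMPLE_EVENTS).items():
        flag = " <-- keyboard-class device" if info["keyboard"] else ""
        print(f"{dev}\n  configured={info['configured']} starts={info['starts']} deleted={info['deleted']}"
              f" service={info['service']} ids={usb_identifiers(dev)}{flag}")
```

On a live system the same records come from `Get-WinEvent -LogName Microsoft-Windows-Kernel-PnP/Configuration | ForEach-Object { $_.ToXml() }`; on an exported .evtx from any evtx-to-XML converter. The keyboard flag is only a triage hint: a legitimate keyboard produces the same kbdhid start, so the timing relative to the process activity that follows is what matters.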
Forensic Value
- Establish an early connection timestamp: Event ID 410 is written when the kernel starts the device node, before the volume is mounted and before any application can open the device. For a first connection the 400 event and the setupapi.dev.log section start come slightly earlier; for a reconnection of a known device the 410 is usually the first record. The stored time is UTC.
- Detect HID attack devices: a keystroke-injecting device such as a Rubber Ducky or BadUSB enumerates as a keyboard: a USB\VID_xxxx&PID_xxxx node followed by a HID\... node started with ServiceName kbdhid and the Keyboard setup class {4D36E96B-E325-11CE-BFC1-08002BE10318}. The 410 for that node precedes the injected keystrokes and the process creations they cause, which bounds the start of the attack window. VID and PID are attacker-chosen, so do not identify such devices by VID/PID alone; a keyboard-class start with a Windows-generated instance ID (no serial) shortly before suspicious process activity is the stronger signal. Kernel-PnP does not log the keystrokes themselves.
- Extract hardware identifiers: the DeviceInstanceId of the USB\ node carries the Vendor ID, Product ID and, when the device reports one, its serial number (USB\VID_0781&PID_5583\<serial>; an instance ID whose second character is & was generated by Windows, meaning the device has no serial). The USBSTOR\ node's instance ID is that serial followed by &0 and is identical to the subkey under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR, so the two artifacts can be joined on it.
- Corroborate multi-source USB timelines: Kernel-PnP timestamps are a sound anchor when cross-validating against setupapi.dev.log (host local time with no zone marker), StorageVolume events and USBSTOR registry key last-write times (FILETIME, UTC). Normalise all of them to UTC before comparing, and expect a USBSTOR key's last-write to reflect the installation or a later configuration change rather than every reconnection.
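As an added example (not from the original page), the normalisation step described above: a Kernel-PnP 410 time is compared with a setupapi.dev.log section start (local time, so the host's UTC offset must be supplied) and a USBSTOR key last-write (a FILETIME, 100-ns ticks since 1601 UTC). The three inputs, the host offset of UTC-4 and the tolerance window are constructed assumptions; the verdicts distinguish an artifact that agrees with this connection from one that only reflects an earlier installation.

```python
"""Normalise Kernel-PnP, setupapi.dev.log and USBSTOR timestamps to UTC and compare them (added example)."""
import re
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME: 100-ns ticks since 1601-01-01 UTC


def filetime_to_datetime(ft):
    """Registry key LastWrite (64-bit FILETIME from a parsed SYSTEM hive) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def setupapi_section_start(line, host_utc_offset_hours):
    """'>>>  Section start YYYY/MM/DD HH:MM:SS.mmm' is host local time with no zone marker,
    so the host's UTC offset at that moment (DST included) has to be supplied by the analyst."""
    m = re.search(r"Section start (\d{4})/(\d\d)/(\d\d) (\d\d):(\d\d):(\d\d)\.(\d{3})", line)
    if not m:
        raise ValueError("no Section start stamp in line")
    y, mo, d, h, mi, s, ms = (int(g) for g in m.groups())
    local = datetime(y, mo, d, h, mi, s, ms * 1000, tzinfo=timezone(timedelta(hours=host_utc_offset_hours)))
    return local.astimezone(timezone.utc)


def corroborate(anchor, sources, tolerance=timedelta(seconds=10)):
    """anchor: Kernel-PnP 410 time (UTC). sources: {name: UTC datetime}.
    'agrees'   : within tolerance, same connection event
    'predates' : artifact reflects an earlier event (e.g. USBSTOR key last written at first install)
    'postdates': artifact reflects later activity (e.g. a subsequent reconnection)"""
    out = {}
    for name, t in sources.items():
        delta = t - anchor
        if abs(delta) <= tolerance:
            verdict = "agrees"
        elif delta < timedelta(0):
            verdict = "predates"
        else:
            verdict = "postdates"
        out[name] = (round(delta.total_seconds(), 3), verdict)
    return out


# Constructed inputs for a host running at UTC-4 on 2024-03-11 (assumption, not a real capture)
PNP_410 = datetime(2024, 3, 11, 14, 2, 17, 456789, tzinfo=timezone.utc)
SETUPAPI_LINE = ">>>  Section start 2024/03/11 10:02:17.300"
USBSTOR_LASTWRITE = 133546393387120000            # FILETIME for 2024-03-11T14:02:18.712Z
OLD_USBSTOR_LASTWRITE = datetime(2024, 2, 1, 9, 15, 0, tzinfo=timezone.utc)   # key untouched since first install


def demo():
    sources = {
        "setupapi.dev.log section start": setupapi_section_start(SETUPAPI_LINE, -4),
        "USBSTOR key LastWrite": filetime_to_datetime(USBSTOR_LASTWRITE),
        "USBSTOR key LastWrite (reconnect case)": OLD_USBSTOR_LASTWRITE,
    }
    return corroborate(PNP_410, sources)


if __name__ == "__main__":
    for name, (seconds, verdict) in demo().items():
        print(f"{name:40s} {seconds:+9.3f} s  {verdict}")
```

A "predates" verdict on the USBSTOR key is the normal result for a reconnection and should send the analyst to the Kernel-PnP 410 history for that DeviceInstanceId rather than to the registry for the connection time.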