Partition/Diagnostic.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Partition%4Diagnostic.evtx
Primarily a diagnostic channel for troubleshooting failing drives, this log has a deceptively powerful secondary purpose in forensics. It exposes deep low-level details about the partitioning scheme and geometry of every newly attached drive - data that can uniquely fingerprint a suspect device even when no other identifying information survives.
Microsoft-Windows-Partition/Diagnostic - written by the Windows partition manager during device enumeration
General
The Partition Diagnostic log is written by the Windows partition manager the moment a new disk is attached and enumerated. Unlike higher-level volume events, it operates at the raw disk geometry layer - reading the partition table before any filesystem driver gets involved. This gives investigators access to whether the drive uses MBR or GPT, the number and offset of partitions, sector sizes and any non-standard layout that may indicate a custom formatting tool was used. Because this inspection happens during hardware enumeration, it cannot be suppressed by disabling Autorun or blocking volume mounting.
Traces
The most forensically significant Event IDs in the Partition Diagnostic log are:
| Event ID | Description |
|---|---|
| 1006 | Disk geometry and partition layout recorded. Contains the partition style (MBR/GPT), total sectors, sector size, number of partitions and per-partition offset data. The primary device fingerprinting source in this log. |
Forensic Value
- Fingerprint a suspect drive: The sector count, partition offsets and partition style in Event ID 1006 can uniquely identify a specific device, especially one formatted with a non-standard tool like Rufus with custom partition alignment settings.
- Detect hidden partitions: Comparing the partition count and offsets in the event against what a file explorer or standard disk utility shows can reveal concealed partitions used for data staging or exfiltration.
- Establish device connection timestamps: The event timestamp provides a kernel-level anchor for when the drive was physically enumerated - independent of filesystem metadata or user-mode activity, making it highly reliable for timeline construction.
- Distinguish device types: MBR vs GPT and sector size data helps distinguish consumer USB drives from enterprise storage or custom forensic media, narrowing device attribution significantly.
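As an added example (not part of the original page), the following Python parses Event ID 1006 records exported as XML (for instance with `wevtutil qe ... /f:xml`), hashes the geometry fields into a device fingerprint, and counts partitions that enumeration recorded but a standard disk view did not show. The `Data` field names and sample values are constructed assumptions for illustration; real Event 1006 field names vary by Windows build.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by Windows event XML (e.g. output of `wevtutil qe ... /f:xml`).
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Field names are ASSUMED for illustration; real Event 1006 data names vary by build.
FINGERPRINT_FIELDS = ("PartitionStyle", "BytesPerSector", "TotalSectors",
                      "PartitionCount", "PartitionOffsets")

# Constructed sample records (not real log data), wrapped in a root element.
SAMPLE_XML = """<Events>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1006</EventID><TimeCreated SystemTime="2024-03-01T09:15:02Z"/></System>
 <EventData><Data Name="PartitionStyle">MBR</Data><Data Name="BytesPerSector">512</Data>
 <Data Name="TotalSectors">60063744</Data><Data Name="PartitionCount">2</Data>
 <Data Name="PartitionOffsets">1048576,30752636928</Data></EventData>
</Event>
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
 <System><EventID>1006</EventID><TimeCreated SystemTime="2024-03-02T17:40:11Z"/></System>
 <EventData><Data Name="PartitionStyle">GPT</Data><Data Name="BytesPerSector">4096</Data>
 <Data Name="TotalSectors">488378646</Data><Data Name="PartitionCount">1</Data>
 <Data Name="PartitionOffsets">1048576</Data></EventData>
</Event>
</Events>"""


def parse_geometry_events(xml_text):
    """Return one dict per Event ID 1006 record: kernel timestamp plus all EventData fields."""
    records = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        if ev.findtext("e:System/e:EventID", namespaces=NS) != "1006":
            continue  # other Partition/Diagnostic IDs carry no geometry
        rec = {"time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime")}
        for d in ev.iterfind("e:EventData/e:Data", NS):
            rec[d.get("Name")] = (d.text or "").strip()
        records.append(rec)
    return records


def device_fingerprint(rec):
    """Hash only the geometry fields, so the same physical layout matches across hosts and dates."""
    canon = "|".join(f"{k}={rec.get(k, '')}" for k in FINGERPRINT_FIELDS)
    return hashlib.sha256(canon.encode()).hexdigest()[:16]


def hidden_partition_count(rec, visible_partitions):
    """Partitions the partition manager enumerated but a standard disk view did not list."""
    return max(0, int(rec.get("PartitionCount", 0)) - visible_partitions)
```

Run against the sample, the first record yields one hidden partition when Explorer showed a single volume, and the fingerprint is unchanged if only the timestamp differs.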