StorageVolume/Operational.evtx

C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx

While USB tracking via the registry is complex and spread across multiple hives, the StorageVolume log is refreshingly direct. Any time a volume is successfully recognized by the OS and mounted for use, it is logged here with a precise timestamp and a Volume Unique ID that maps directly into the registry's MountedDevices key.

Log Channel: Microsoft-Windows-StorageSpaces-Driver/Operational - written by the storage volume manager
Trace Type: USB Artifacts, Volume Mounting, Device Connection
Req. Audit Policy: No. Active by default; volume events are logged without additional configuration on all modern Windows versions.
User Specific: No. System-wide; volume mounting is an OS-level operation that occurs independently of the logged-in user.

General

The StorageVolume Operational log captures the moment the Windows volume manager acknowledges a new storage device and makes it addressable to the OS. The key data point is the Volume Unique ID (VUID) - a persistent identifier that bridges this event log directly to the HKLM\SYSTEM\MountedDevices registry key. This gives investigators an explicit, timestamped record of exactly when the OS said "this volume is now mounted" - an action that is very difficult to fake or suppress without disabling the logging infrastructure entirely.

Traces

The most forensically significant Event IDs in the StorageVolume Operational log are:

Event ID 1: Volume recognized and mounted. Contains the Volume Unique ID (VUID), the assigned drive letter and the volume capacity. Correlates directly to the MountedDevices registry key.
Event ID 2: Volume dismounted. Records the VUID and the timestamp of removal, giving the disconnect time for a storage device to complement the connection timestamp from Event ID 1.
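The VUID-to-MountedDevices bridge described above, as an added example that is not from the original page: a PowerShell script (run elevated on a live system) that lists Event ID 1/2 records and resolves each volume GUID to the drive letters MountedDevices associates with it. It assumes the event payload contains the VUID as a "Volume{GUID}" string, which the page does not specify; no event field names are assumed.

```powershell
# Added example, not from the original page: list volume mount/dismount events
# and resolve each Volume Unique ID against HKLM\SYSTEM\MountedDevices.
# Assumption: the event payload contains the VUID as a "Volume{GUID}" string;
# no field names are assumed, the rendered event XML is searched as text.
function Get-VolumeMountTimeline {
    $channel = 'Microsoft-Windows-StorageSpaces-Driver/Operational'
    # In MountedDevices, "\??\Volume{GUID}" and "\DosDevices\X:" entries for the
    # same volume carry identical REG_BINARY data, so group value names by data.
    $key    = Get-Item -Path 'HKLM:\SYSTEM\MountedDevices'
    $byData = @{}
    foreach ($name in $key.GetValueNames()) {
        $hex = ($key.GetValue($name) | ForEach-Object { $_.ToString('x2') }) -join ''
        if (-not $byData.ContainsKey($hex)) { $byData[$hex] = @() }
        $byData[$hex] += $name
    }
    # Map each volume GUID to the drive letter(s) that share its data blob.
    $lettersByGuid = @{}
    foreach ($names in $byData.Values) {
        $guids = @(); $letters = @()
        foreach ($n in $names) {
            if ($n -match 'Volume\{([0-9a-fA-F-]{36})\}') { $guids += $Matches[1].ToLower() }
            elseif ($n -match '^\\DosDevices\\([A-Z]):$') { $letters += $Matches[1] }
        }
        foreach ($g in $guids) { $lettersByGuid[$g] = $letters }
    }

    # Event ID 1 = mounted, Event ID 2 = dismounted (per the table above).
    $events = Get-WinEvent -FilterHashtable @{ LogName = $channel; Id = 1, 2 } `
                           -ErrorAction SilentlyContinue
    foreach ($e in ($events | Sort-Object TimeCreated)) {
        $xml   = $e.ToXml()
        $found = [regex]::Matches($xml, 'Volume\{([0-9a-fA-F-]{36})\}') |
                 ForEach-Object { $_.Groups[1].Value.ToLower() } | Select-Object -Unique
        if (-not $found) { $found = @('(VUID not found in event XML)') }
        foreach ($g in $found) {
            $letters = if ($lettersByGuid.ContainsKey($g)) { $lettersByGuid[$g] -join ',' }
                       else { '(no MountedDevices match)' }
            [pscustomobject]@{
                Time         = $e.TimeCreated
                Action       = if ($e.Id -eq 1) { 'mount' } else { 'dismount' }
                VolumeGuid   = $g
                DriveLetters = $letters
            }
        }
    }
}

Get-VolumeMountTimeline | Format-Table -AutoSize
```

Because MountedDevices entries persist after a device is removed, a dismount (Event ID 2) still resolves to the drive letter the volume held, which is what makes the correlation useful on a host where the device is no longer attached.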

Forensic Value