USB Event Log Traces

The Windows registry tells you that a device was connected - the event logs tell you exactly when, for how long and what the OS did with it. Across seven distinct log channels, Windows records the complete connection lifecycle of a USB or external storage device: from the first kernel-level hardware detection through to driver unloading on disconnection. No single log tells the whole story. Cross-correlating all of them produces the most precise and tamper-resistant connection timeline available on any Windows endpoint.

Kernel-PnP / Device-Configuration

Log Channel: Microsoft-Windows-Kernel-PnP/Device-Configuration
Log File: Microsoft-Windows-Kernel-PnP%4Configuration.evtx
Enabled by Default: Yes - active on all modern Windows versions without additional configuration.
Connection Phase: Earliest - first log to fire; precedes all user-mode activity by milliseconds.

The kernel Plug and Play manager fires these events before any driver or user-mode process is aware the device exists. The timestamps here are the most authoritative connection anchors in the entire event log stack.

Event ID 400: DeviceInstanceID → USBSTOR\Disk&Ven_X&Prod_X&Rev_X\SerialNumber

Earliest timestamp of physical connection. The DeviceInstanceID embeds the Vendor ID, Product ID and serial number - identical to the USBSTOR registry subkey name.

Event ID 410: DeviceInstanceID, DriverName

Confirms the device is active on the system bus and a driver has been assigned. Immediately precedes keystroke injection on HID attack devices and filesystem access on mass storage.

Partition / Diagnostic

Log Channel: Microsoft-Windows-Partition/Diagnostic
Log File: Microsoft-Windows-Partition%4Diagnostic.evtx
Enabled by Default: Yes - written during hardware enumeration without configuration.
Connection Phase: Early - written when the partition manager inspects the raw disk geometry, before the filesystem mounts.

The partition manager reads the raw partition table of every newly attached disk below the filesystem layer. The geometry data captured here reflects the physical layout of the drive and cannot be faked via software.

Event ID 1006: PartitionStyle (MBR/GPT), Signature/DiskId, SectorCount, BytesPerSector, PartitionCount, Partition[n].Offset, Partition[n].Length, Partition[n].Type

Primary device fingerprinting event. Sector count and per-partition offsets can uniquely identify a specific physical drive. Hidden partitions are visible here even if they do not appear in Explorer.

StorageVolume / Operational

Log Channel: Microsoft-Windows-StorageSpaces-Driver/Operational
Log File: Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx
Enabled by Default: Yes - active on all modern Windows versions without additional configuration.
Connection Phase: Mount - written the moment the volume manager makes the drive addressable to the OS.

Captures the precise moment the volume manager acknowledges a storage device and assigns it a Volume Unique ID (VUID). The VUID links this log directly to the HKLM\SYSTEM\MountedDevices registry key.

Event ID 1: VolumeId (VUID), DriveLetter (e.g. E:), VolumeSize

The definitive "drive became accessible" timestamp. Directly correlates to a MountedDevices registry entry via the VUID.

Event ID 2: VolumeId (VUID)

Written on clean removal. Absence of Event 2 following Event 1 for the same VUID indicates the drive was abruptly pulled.

DriverFrameworks-UserMode / Operational

Log Channel: Microsoft-Windows-DriverFrameworks-UserMode/Operational
Log File: Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx
Enabled by Default: No - must be explicitly enabled via Event Viewer or wevtutil sl ... /e:true.
Connection Phase: Driver Load - tracks the full lifecycle of the user-mode driver host for the connected device.

When enabled, this is the most forensically complete USB connection log available. Vendor ID, Product ID and serial number appear inline in the event text - no registry lookup required. Also covers MTP devices invisible to USBSTOR.

Event ID 2003: DeviceInstanceId → VID_xxxx&PID_xxxx\SerialNumber, DriverBinaryName, HostProcessId

Primary connection event. Hardware identifiers are embedded directly in the event - no secondary correlation needed. Timestamp marks the start of the connection window.

Event ID 2004: HostProcessId, DeviceInstanceId

Marks the start of the sandboxed UMDF driver host session for the device.

Event ID 2100: DeviceInstanceId, OldState, NewState

Power state transition for the device. Correlate with system sleep/wake events to narrow the window during which a drive was accessible.

Event ID 2102: HostProcessId, ExitCode

Driver host process exited - the disconnection timestamp. Paired with Event 2003 to define the complete connection window.
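The pairing described for the StorageVolume log (Event 1 and Event 2 sharing a VUID, with a missing Event 2 meaning an abrupt pull) and for the UMDF log (Event 2003 and Event 2102 sharing a HostProcessId) is the same operation with a different key. The script below is an added example, not code from the original page: it assumes the records have already been exported from the .evtx channels into plain dicts (for instance with Get-WinEvent piped to ConvertTo-Json), and the SAMPLE_EVENTS are constructed for the example rather than captured from a real host. Channel names, event IDs and field names are the ones listed above.

```python
"""Build per-device connection windows from paired connect/disconnect events.

Added example, not code from the original page. Records are assumed to be
dicts with Channel, Id, Time and Data keys; SAMPLE_EVENTS is constructed.
"""
import re
from datetime import datetime, timezone

STORAGE = "Microsoft-Windows-StorageSpaces-Driver/Operational"
UMDF = "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

# channel -> (connect event ID, disconnect event ID, field both events share)
PAIRINGS = {
    STORAGE: (1, 2, "VolumeId"),
    UMDF: (2003, 2102, "HostProcessId"),
}

# VID_xxxx&PID_xxxx\Serial as embedded in a UMDF DeviceInstanceId
DEVICE_ID_RE = re.compile(
    r"VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})\\(?P<serial>[^\\&]+)")

SAMPLE_EVENTS = [  # constructed sample records, not from a real host
    {"Channel": STORAGE, "Id": 1, "Time": "2024-03-04T09:12:01Z",
     "Data": {"VolumeId": "{3a6c0001-aaaa-bbbb-cccc-000000000001}", "DriveLetter": "E:"}},
    {"Channel": UMDF, "Id": 2003, "Time": "2024-03-04T09:12:01Z",
     "Data": {"DeviceInstanceId": "USB\\VID_0781&PID_5583\\4C530001230405123456",
              "HostProcessId": "5120"}},
    {"Channel": STORAGE, "Id": 2, "Time": "2024-03-04T09:40:22Z",
     "Data": {"VolumeId": "{3a6c0001-aaaa-bbbb-cccc-000000000001}"}},
    {"Channel": UMDF, "Id": 2102, "Time": "2024-03-04T09:40:23Z",
     "Data": {"HostProcessId": "5120", "ExitCode": "0"}},
    {"Channel": STORAGE, "Id": 1, "Time": "2024-03-04T11:05:10Z",
     "Data": {"VolumeId": "{9b2e0002-aaaa-bbbb-cccc-000000000002}", "DriveLetter": "F:"}},
    # no Event 2 for F: the drive was pulled without a clean removal
]


def parse_device_instance_id(value):
    """Return (VID, PID, serial) from a DeviceInstanceId, or None if absent."""
    m = DEVICE_ID_RE.search(value or "")
    return (m["vid"].upper(), m["pid"].upper(), m["serial"]) if m else None


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_windows(events):
    """Pair each connect event with the next disconnect carrying the same key.

    Each window holds: channel, key, connect, disconnect (None if never seen),
    device (VID, PID, serial) when the event carried one, and drive letter.
    """
    open_windows = {}   # (channel, key) -> window still waiting for its disconnect
    windows = []
    for ev in sorted(events, key=lambda e: _ts(e["Time"])):
        spec = PAIRINGS.get(ev["Channel"])
        if spec is None:
            continue
        connect_id, disconnect_id, key_field = spec
        key = ev["Data"].get(key_field)
        if key is None:
            continue
        slot = (ev["Channel"], key)
        if ev["Id"] == connect_id:
            window = {"channel": ev["Channel"], "key": key, "connect": _ts(ev["Time"]),
                      "disconnect": None,
                      "device": parse_device_instance_id(ev["Data"].get("DeviceInstanceId")),
                      "drive": ev["Data"].get("DriveLetter")}
            open_windows[slot] = window
            windows.append(window)
        elif ev["Id"] == disconnect_id:
            window = open_windows.pop(slot, None)
            if window is None:
                # Disconnect with no matching connect: the connect predates the
                # collected range or the log was cleared. Keep it, with connect=None.
                windows.append({"channel": ev["Channel"], "key": key, "connect": None,
                                "disconnect": _ts(ev["Time"]), "device": None, "drive": None})
            else:
                window["disconnect"] = _ts(ev["Time"])
    return windows


def abrupt_removals(windows):
    """Volumes with an Event 1 and no Event 2: pulled without a clean removal."""
    return [w for w in windows
            if w["channel"] == STORAGE and w["connect"] and not w["disconnect"]]


def duration_seconds(window):
    """Length of the connection window, or None while one end is missing."""
    if window["connect"] is None or window["disconnect"] is None:
        return None
    return int((window["disconnect"] - window["connect"]).total_seconds())


if __name__ == "__main__":
    for w in build_windows(SAMPLE_EVENTS):
        print(w["channel"], w["drive"] or w["device"], w["connect"], w["disconnect"],
              duration_seconds(w))
```

Windows from the two channels are kept separate on purpose: the UMDF 2003 timestamp and the volume-manager Event 1 timestamp for the same physical device will differ by the time it takes the driver host to bring the volume up, and keeping both lets the gap itself be inspected instead of collapsed.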

System.evtx

Log Channel: System
Log File: System.evtx
Enabled by Default: Yes - always active; core system events require no additional configuration.
Connection Phase: Service / Driver - captures service and driver installation activity triggered by device connection.

Does not record USB connection events directly, but captures the service-layer side-effects. Malicious USB-triggered payloads installed as services leave clear traces here.

Event ID 7036: ServiceName, State (running / stopped)

Tracks the start and stop of services tied to the device. USBSTOR-related services starting immediately after physical connection corroborate the Kernel-PnP timeline.

Event ID 7045: ServiceName, ImagePath, ServiceType, StartType, AccountName

A new service was installed. If a BadUSB attack or malicious driver drops a service payload, this fires. An ImagePath pointing to a temp or user-writable directory is a red flag.

Security.evtx

Log Channel: Security
Log File: Security.evtx
Enabled by Default: Partial - object access auditing (4663) requires Advanced Audit Policy + SACL configuration on target paths.
Connection Phase: File Access - records file-level interactions with the mounted volume if object auditing is enabled.

Does not record device connection directly. When object access auditing is configured, it is the only log that can prove which specific files were accessed on the USB volume.

Event ID 4656: ObjectName, AccessMask, SubjectUserName, ProcessName. Requires Object Access auditing + SACL on the monitored path.

A process opened a handle to a file on the device. ProcessName distinguishes user-initiated access from automated indexing or backup tools.

Event ID 4663: ObjectName (e.g. E:\Document.docx), AccessMask, SubjectUserName. Requires Object Access auditing + SACL on the monitored path.

Every read or write attempt against a file on the USB volume. The highest-confidence evidence for data exfiltration - proves which files were touched, by whom and when.
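Turning a batch of 4663 records into the "who touched what, and did they write" view the text describes means three things: restricting to the USB volume's drive letter, decoding the AccessMask bits, and separating user-driven processes from indexers. The script below is an added example, not code from the page. It assumes the 4663 records have been exported to dicts carrying the fields listed above (ObjectName, AccessMask, SubjectUserName, ProcessName), with AccessMask as the hex string Windows writes; the sample records are constructed, the bit names are the standard file access-right constants, and the background-process list is an assumption to tune per environment.

```python
"""Triage Security 4663 records against a mounted USB volume.

Added example, not code from the page. Records are assumed to be dicts
with Id, Time and Data keys; SAMPLE_EVENTS is constructed.
"""

# Standard file access-right bits as they appear in a 4663 AccessMask
FILE_ACCESS_BITS = {
    0x1: "ReadData/ListDirectory", 0x2: "WriteData/AddFile", 0x4: "AppendData/AddSubdir",
    0x8: "ReadEA", 0x10: "WriteEA", 0x20: "Execute/Traverse", 0x40: "DeleteChild",
    0x80: "ReadAttributes", 0x100: "WriteAttributes", 0x10000: "DELETE",
    0x20000: "READ_CONTROL", 0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER",
    0x100000: "SYNCHRONIZE",
}
KNOWN_BITS = 0
for _bit in FILE_ACCESS_BITS:
    KNOWN_BITS |= _bit
# Anything that changes the content, metadata, existence or ACL of the object
WRITE_BITS = 0x2 | 0x4 | 0x10 | 0x40 | 0x100 | 0x10000 | 0x40000 | 0x80000
# Processes that open every file on a newly mounted volume without user intent.
# Assumption: a starting list only; extend it for the environment.
BACKGROUND_PROCESSES = {"searchindexer.exe", "searchprotocolhost.exe"}

SAMPLE_EVENTS = [  # constructed sample records, not from a real host
    {"Id": 4663, "Time": "2024-03-04T09:15:40Z",
     "Data": {"ObjectName": "E:\\Document.docx", "AccessMask": "0x2",
              "SubjectUserName": "alice", "ProcessName": "C:\\Windows\\explorer.exe"}},
    {"Id": 4663, "Time": "2024-03-04T09:15:41Z",
     "Data": {"ObjectName": "E:\\Document.docx", "AccessMask": "0x1",
              "SubjectUserName": "SYSTEM",
              "ProcessName": "C:\\Windows\\System32\\SearchIndexer.exe"}},
    {"Id": 4663, "Time": "2024-03-04T09:16:02Z",
     "Data": {"ObjectName": "C:\\Users\\alice\\notes.txt", "AccessMask": "0x1",
              "SubjectUserName": "alice", "ProcessName": "C:\\Windows\\notepad.exe"}},
    {"Id": 4656, "Time": "2024-03-04T09:16:03Z",   # handle request, not an access
     "Data": {"ObjectName": "E:\\Document.docx", "AccessMask": "0x10080",
              "SubjectUserName": "alice", "ProcessName": "C:\\Windows\\explorer.exe"}},
]


def decode_access_mask(mask):
    """Turn an AccessMask (hex string or int) into the list of right names."""
    bits = int(mask, 16) if isinstance(mask, str) else int(mask)
    names = [name for bit, name in FILE_ACCESS_BITS.items() if bits & bit]
    unknown = bits & ~KNOWN_BITS
    if unknown:
        names.append(f"unknown:0x{unknown:x}")
    return names


def triage_4663(events, drive_letter):
    """Keep the 4663 records for objects on drive_letter and classify each one."""
    prefix = drive_letter.rstrip("\\").upper() + "\\"     # "E:" -> "E:\"
    records = []
    for ev in events:
        if ev.get("Id") != 4663:
            continue          # 4656 is the handle request; 4663 is the access itself
        data = ev["Data"]
        obj = data.get("ObjectName", "")
        if not obj.upper().startswith(prefix):
            continue
        bits = int(data["AccessMask"], 16)
        process = data.get("ProcessName", "").rsplit("\\", 1)[-1].lower()
        records.append({
            "time": ev["Time"], "object": obj, "user": data.get("SubjectUserName"),
            "process": process, "rights": decode_access_mask(bits),
            "write": bool(bits & WRITE_BITS),
            "background": process in BACKGROUND_PROCESSES,
        })
    return records


def user_driven(records):
    """Accesses made by something other than a known indexer/background process."""
    return [r for r in records if not r["background"]]


if __name__ == "__main__":
    for r in user_driven(triage_4663(SAMPLE_EVENTS, "E:")):
        print(r["time"], r["user"], r["process"], r["object"], r["rights"])
```

The 4656 record is deliberately skipped: it records the rights a process asked for when opening the handle, not what it then did, so it inflates the picture if counted alongside 4663.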

WPD-MTPClassDriver / Operational

Log Channel: Microsoft-Windows-WPD-MTPClassDriver/Operational
Log File: Microsoft-Windows-WPD-MTPClassDriver%4Operational.evtx
Enabled by Default: No - must be enabled manually; inactive by default on most installations.
Connection Phase: MTP Transfer - covers smartphones and cameras connected via Media Transfer Protocol.

Smartphones and digital cameras connected over MTP never appear as USBSTOR devices. This log is the only structured event source for those connections - essential in any phone-based exfiltration investigation.

Event ID 1000: DeviceFriendlyName, DeviceManufacturer, DeviceModel, SerialNumber

MTP device connected. Primary smartphone connection event - the human-readable device name and serial are recorded directly, absent from all USBSTOR registry paths.

Event ID 1001: DeviceFriendlyName, SerialNumber

MTP device disconnected. Combined with Event 1000 this defines the exact window during which the phone or camera was accessible for file transfer.

DeviceSetupManager / Operational

Log Channel: Microsoft-Windows-DeviceSetupManager/Operational
Log File: Microsoft-Windows-DeviceSetupManager%4Operational.evtx
Enabled by Default: Yes - active by default on Windows 10 and later.
Connection Phase: Driver Install - records driver search and installation for newly attached devices.

Records automatic driver discovery for new devices - including the hardware ID used to search Windows Update or the local driver store. Provides an additional first-connection timestamp for devices triggering a fresh driver install.

Event ID 112: DeviceInstanceId (VID/PID/Serial), HardwareId

Windows began searching for a driver for a newly attached device. Fires only on first connection or when the existing driver is missing - provides an additional earliest-connection anchor.

Event ID 131: DeviceInstanceId, DriverStorePath, DriverInfSection

A driver package was applied to the device. An unexpected DriverStorePath - such as a user-writable or temp directory - suggests a custom or malicious driver was delivered via the device itself.
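The same path check serves both the 7045 ImagePath red flag in the System.evtx section and the 131 DriverStorePath red flag here: a binary or driver package sitting in a location a standard user can write to, or on the removable volume itself. The script below is an added example, not code from the page. It assumes the 7045 and 131 records have been exported to dicts with the field names listed above; the sample records are constructed, and the list of user-writable locations and environment-variable expansions is an assumption to extend for the environment.

```python
"""Flag service binaries (System 7045 ImagePath) and driver packages
(DeviceSetupManager 131 DriverStorePath) loaded from user-writable
locations or from a removable volume.

Added example, not code from the page. Records are assumed to be dicts
with Id and Data keys; SAMPLE_EVENTS is constructed.
"""
import re

# Paths (lower-cased, variables expanded) a standard user can write to.
# Assumption: a starting list; extend it for the environment.
USER_WRITABLE_PATTERNS = [
    r"^[a-z]:\\users\\[^\\]+\\",                # profiles: AppData, Downloads, Desktop ...
    r"^[a-z]:\\windows\\temp\\",
    r"^[a-z]:\\temp\\",
    r"^[a-z]:\\programdata\\(?!microsoft\\)",   # most ProgramData subfolders are writable
    r"^[a-z]:\\\$recycle\.bin\\",
    r"^\\\\",                                   # UNC path: binary pulled from a share
]
# Expansions used only for classification; <user> stands for any profile name
ENV_EXPANSIONS = {
    "%temp%": "c:\\users\\<user>\\appdata\\local\\temp",
    "%tmp%": "c:\\users\\<user>\\appdata\\local\\temp",
    "%localappdata%": "c:\\users\\<user>\\appdata\\local",
    "%appdata%": "c:\\users\\<user>\\appdata\\roaming",
    "%userprofile%": "c:\\users\\<user>",
    "%programdata%": "c:\\programdata",
    "%systemroot%": "c:\\windows",
    "%windir%": "c:\\windows",
}

SAMPLE_EVENTS = [  # constructed sample records, not from a real host
    {"Id": 7045, "Data": {"ServiceName": "usbstor",
                          "ImagePath": "system32\\DRIVERS\\USBSTOR.SYS"}},
    {"Id": 7045, "Data": {"ServiceName": "UpdaterSvc",
                          "ImagePath": "\"C:\\Users\\alice\\AppData\\Local\\Temp\\upd.exe\" -svc"}},
    {"Id": 7045, "Data": {"ServiceName": "Spooler",
                          "ImagePath": "%SystemRoot%\\System32\\spoolsv.exe"}},
    {"Id": 131, "Data": {"DeviceInstanceId": "USB\\VID_1234&PID_5678\\ABCDEF",
                         "DriverStorePath": "E:\\drivers\\vendor.inf"}},
    {"Id": 131, "Data": {"DeviceInstanceId": "USBSTOR\\Disk&Ven_X&Prod_X&Rev_X\\0001",
                         "DriverStorePath": "C:\\Windows\\System32\\DriverStore\\"
                                            "FileRepository\\disk.inf_amd64_0\\disk.inf"}},
]


def extract_binary_path(image_path):
    """An ImagePath may be quoted and may carry arguments; return just the binary."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    m = re.match(r"(.+?\.(?:exe|sys|dll|inf))(?:\s|$)", s, re.I)
    return m.group(1) if m else s.split(" ", 1)[0]


def normalise(path):
    """Lower-case, expand known variables, strip the NT prefix, root relative paths."""
    p = path.strip().lower()
    for var, expansion in ENV_EXPANSIONS.items():
        p = p.replace(var, expansion)
    if p.startswith("\\??\\"):                  # NT object-manager prefix
        p = p[4:]
    if p.startswith("system32\\"):             # 7045 records drivers relative to SystemRoot
        p = "c:\\windows\\" + p
    return p


def classify_path(path, removable_letters=()):
    """Reasons the path deserves a look; an empty list means nothing unusual."""
    p = normalise(extract_binary_path(path))
    reasons = []
    if any(re.match(pat, p) for pat in USER_WRITABLE_PATTERNS):
        reasons.append("user-writable location")
    removable = {letter.lower().rstrip(":") for letter in removable_letters}
    if len(p) > 1 and p[1] == ":" and p[0] in removable:
        reasons.append("on removable volume")
    return reasons


PATH_FIELDS = {7045: "ImagePath", 131: "DriverStorePath"}


def flag_events(events, removable_letters=()):
    """Return (event id, name, path, reasons) for records whose path is suspicious."""
    flagged = []
    for ev in events:
        field = PATH_FIELDS.get(ev.get("Id"))
        if field is None:
            continue
        path = ev["Data"].get(field, "")
        reasons = classify_path(path, removable_letters)
        if reasons:
            name = ev["Data"].get("ServiceName") or ev["Data"].get("DeviceInstanceId")
            flagged.append((ev["Id"], name, path, reasons))
    return flagged


if __name__ == "__main__":
    for hit in flag_events(SAMPLE_EVENTS, removable_letters={"E:"}):
        print(*hit)
```

The removable drive letters come from the StorageVolume Event 1 DriveLetter field for the same time window, so a path on E: is only a red flag while E: was actually a USB volume.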

Forensic Value

For more information, see these articles: USB PnP, Kernel PnP.