locked
Event ID when plug n play devices are connected RRS feed

  • Question

  • Hi,

    I have a situation in my office Network and I am trying to stop this. The social networking websites are blocked in my corporate network. To overcome this, some of the users bring their own USB 3G modem devices and access the internet. I need to stop this, or atleast know who all are doing so. I guess, I will be able to identify this by monitoring the event ID in the computers. I have with me a script to trigger e-mails whenever a particular event ID is logged in the computers. But, I do not know the event ID. Does any one know the exact Event ID which will be logged in the computer when a USB device or a plug and play device is connected to the computer? Any other ideas on this is also welcome.

    All the machines in the corporate network is running a mix of Windows XP and Windows 7.

    Thank you.

    Tuesday, April 30, 2013 9:37 AM

Answers

  • There is System Event 7036, Service Control Manager:

    The Portable Device Enumerator Service service entered the running state.

    .

    This occurs whenever a USB device is plugged in I believe.  And I think that is the ONLY thing you are going to get, though.

    .

    There is more info here on U3-Enabled Devices which might help.

    http://www.forensicswiki.org/wiki/USB_History_Viewing

    Tuesday, April 30, 2013 3:41 PM

All replies

  • There is System Event 7036, Service Control Manager:

    The Portable Device Enumerator Service service entered the running state.

    .

    This occurs whenever a USB device is plugged in I believe.  And I think that is the ONLY thing you are going to get, though.

    .

    There is more info here on U3-Enabled Devices which might help.

    http://www.forensicswiki.org/wiki/USB_History_Viewing

    Tuesday, April 30, 2013 3:41 PM
  • Hi Friendz,

    Do you have an update on this?

    M


    If you find my information useful, please rate it. :-)

    Monday, May 13, 2013 6:15 PM
    Moderator