Retrieving USB Devices Connection from Event Log .evtx file

  • Question

  • I'm trying to retrieve a list of all the USB devices connected or disconnected from a Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx file.

    This is my current script

    #clear the screen
    cls
    
    #ignore any errors
    #$ErrorActionPreference = "SilentlyContinue"
    
    #Variables start
    
    #empty if needed
    $USBevents = @()
    #result log
    $SavedName = "Devices Connected Disconnected Report $(get-date -f yy-MM-dd).htm"
    $USBresults = $PSScriptRoot + "\" + $SavedName
    #event log to load
    $LoadName = "Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx"
    $USBlog = $PSScriptRoot + "\" + $LoadName
    #xml paths
    $ns = @{'ns'='http://schemas.microsoft.com/win/2004/08/events/event'}
    $UMDF_xpath = "//ns:Data[@Name='UMDFHostDeviceRequest instance']"
    $ComputerID_xpath = "//ns:[@Name='Computer']"
    $usersid_xpath = "//ns:System[@Name='Security UserID']"
    #In the XPath statement, prefix each node name with the namespace name and a colon, such as //namespaceName:Node.
    
    #ensure results have suitable descriptions
        $type_lu = @{2003 = 'Query to load USB Drivers'
                     2004 = 'Loading Drivers for new Device'
                     2005 = 'Loading Drivers for new Device'
                     2100 = 'Power Operation for USB Device'
                     2101 = 'Power Operation for USB Device'
                     2102 = 'Power Operation for USB Device'
                     2105 = 'Power Operation for USB Device'
                     2106 = 'Power Operation for USB Device'
                     2103 = 'Error for Power Operation for USB Device'
                     2104 = 'USB Device Power Event'
                     2107 = 'USB Device Power Event'
                     2108 = 'USB Device Power Event'
                     2109 = 'USB Device Power Event'
                    }
    
    #variables end
    
    
    #set HTML style for results
    $HTMLstyle = ""
    $HTMLstyle = $HTMLstyle + "BODY{background-color:peachpuff;}"
    $HTMLstyle = $HTMLstyle + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
    $HTMLstyle = $HTMLstyle + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:thistle}"
    $HTMLstyle = $HTMLstyle + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:palegoldenrod}"
    $HTMLstyle = $HTMLstyle + ""
    $HTMLbodySYS = "USB Devices - Connected and Disconnected"
    $HTMLbodySEC = "USB Devices - Connected and Disconnected"
    $CSSStyle = @'
                
                ul {
                    padding-left: 5px;
                   }
                body { background-color:White;
                font-family:Tahoma;
                    font-size:12pt;
                     }
                td, th {border:1px solid black;} 
                th {
                    color: black;
                    background-color:peachpuff;
                   }
                td { border-width: 1px;padding: 1px;border-style: solid;border-color: black; }
                TR:Hover TD { Background-Color: #C1D5F8; }
                table, tr, td, th { align:left; padding: 10px; margin: 0px; }
                table { width:75% }
                table { margin-left:0px; }
                
    '@
    $Head = $HTMLstyle + $CSSStyle
    
    
    #write to host to user knows script is running
    Write-Host "Processing... Please wait ..."
    
    
    #filter the xml from operational log
    $FilterXML = @"
                  
                  
                  *[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=2003 or EventID=2004 or EventID=2005 or EventID=2100 or EventID=2101 or EventID=2102 or EventID=2105 or EventID=2106 or EventID=2103 or EventID=2104 or EventID=2107 or EventID=2108 or EventID=2109)]]
                  
                  
    "@
    #file://C:\Users\David\OneDrive\Powershell Scripts\Events Log - System - Devices Connected\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx
    
    
    $USBevents = Get-WinEvent -Filterxml $FilterXML
    
    
    #pull filtered data from xml
    If($USBevents) {
                   $XMLUSBresults = ForEach($USBevent in $USBevents) {
                                                                     $xmlUSB = $USBevent.ToXml()
                                                                     $USBUMDF = (Select-Xml -Content $xmlUSB -Namespace $ns -XPath $UMDF_xpath).Node.'#text'
                                                                     Break            
                                                                     $USBsid = (Select-Xml -Content $xmlUSB -Namespace $ns -XPath $usersid_xpath).Node.'#text'
                                                                     Break
                                                                     $USBComp = (Select-Xml -Content $xmlUSB -Namespace $ns -XPath $ComputerID_xpath).Node.'#text'
                                                                     #Translation needed to make usernames readable, from SID to USER
                                                                     $USBuser = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $USBsid).Translate([System.Security.Principal.NTAccount]).Value
                                                                     Break
                                                                     }
                   New-Object -TypeName PSObject -Property @{
                                                            Time = $USBevent.TimeCreated
                                                            Computer = $USBComp
                                                            User = $USBsid
                                                            Id   = $USBevent.Id
                                                            Message = $type_lu[$USBevent.Id]
                                                            }
                  #convert results to a html file
                  If($XMLUSBresults) {
                       $XMLUSBresults | Sort Time -Descending | ConvertTo-Html -head $Head -body $HTMLbodySEC | Set-Content $USBresults
                       }
                  }
    
    
    #show success for user
    Write-Host "USB devices logfile Success."
    #open the created html file
    Invoke-Item $USBresults
    

    Here's a copy of the XML I am trying to pull this information from

    Log Name:      Microsoft-Windows-DriverFrameworks-UserMode/Operational
    Source:        Microsoft-Windows-DriverFrameworks-UserMode
    Date:          08/07/2017 20:59:02
    Event ID:      2100
    Task Category: Pnp or Power Management operation to a particular device.
    Level:         Information
    Keywords:      
    User:          LOCAL SERVICE
    Computer:      DavidClient
    Description:
    Received a Pnp or Power operation (22, 2) for device SWD\WPDBUSENUM\{72D37FD9-05B1-11E6-8253-001A7DDA7113}#0000000000007E00.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}" />
        <EventID>2100</EventID>
        <Version>1</Version>
        <Level>4</Level>
        <Task>37</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-07-08T19:59:02.925841500Z" />
        <EventRecordID>240</EventRecordID>
        <Correlation />
        <Execution ProcessID="2012" ThreadID="2496" />
        <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
        <Computer>DavidClient</Computer>
        <Security UserID="S-1-5-19" />
      </System>
      <UserData>
        <UMDFHostDeviceRequest instance="SWD\WPDBUSENUM\{72D37FD9-05B1-11E6-8253-001A7DDA7113}#0000000000007E00" lifetime="{9A4B17EA-9EC2-4A46-BE0B-480915F9A030}" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
          <Request major="22" minor="2">
            <Argument>0x51100</Argument>
            <Argument>0x200000001</Argument>
            <Argument>0x0</Argument>
            <Argument>0x0</Argument>
          </Request>
          <Status>3221225659</Status>
        </UMDFHostDeviceRequest>
      </UserData>
    </Event>

    Currently I'm failing to retrieve the 'Computer' and 'User', which are both returning blank.

    I suspect I've got the following lines incorrect, but can't find the right solution. I've tried it with and without 'System', but with no joy.

    $ComputerID_xpath = "//ns:[@Name='Computer']"
    $usersid_xpath = "//ns:System[@Name='Security UserID']"


    Ideas anyone?

    Saturday, July 22, 2017 8:28 PM
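    The two XPath lines the question singles out fail for reasons worth spelling out: `//ns:[@Name='Computer']` is not valid XPath at all (a namespace prefix has to be followed by a name or `*`), and these events carry their payload in `<UserData>` rather than in `<EventData><Data Name="...">`, so `//ns:Data[...]` matches nothing in this log. In the event XML above, Computer is an element under `System`, the UserID is an attribute of `Security`, and the device path is the `instance` attribute of an element that lives in a second namespace declared on `UMDFHostDeviceRequest`. The script below is an added example, not the poster's script or the marked answer: it runs Select-Xml with both namespaces over an abridged copy of the event XML from the question (the `e` and `u` prefixes are arbitrary names chosen here) and shows, commented out, how the same function is fed from a saved .evtx file whose path is an assumption.

```powershell
# Added example, not code from the thread. Extracts the fields the question
# asks for from one event's XML with Select-Xml and explicit namespaces.

# Abridged copy of the event XML posted in the question (constructed sample input).
$eventXml = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}" />
    <EventID>2100</EventID>
    <Level>4</Level>
    <TimeCreated SystemTime="2017-07-08T19:59:02.925841500Z" />
    <EventRecordID>240</EventRecordID>
    <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
    <Computer>DavidClient</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <UserData>
    <UMDFHostDeviceRequest instance="SWD\WPDBUSENUM\{72D37FD9-05B1-11E6-8253-001A7DDA7113}#0000000000007E00" lifetime="{9A4B17EA-9EC2-4A46-BE0B-480915F9A030}" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
      <Request major="22" minor="2" />
      <Status>3221225659</Status>
    </UMDFHostDeviceRequest>
  </UserData>
</Event>
'@

# Two namespaces are in play: the generic event schema (default xmlns on <Event>)
# and the UMDF payload namespace declared on the element under <UserData>.
# The prefixes 'e' and 'u' are arbitrary names chosen here for the XPath.
$ns = @{
    e = 'http://schemas.microsoft.com/win/2004/08/events/event'
    u = 'http://www.microsoft.com/DriverFrameworks/UserMode/Event'
}

function Get-XPathValue {
    # Returns the text of an element, or the value of an attribute, matched by
    # $XPath ('' when nothing matches). Attributes are addressed with @Name.
    param([string]$Xml, [string]$XPath)
    $hit = Select-Xml -Content $Xml -Namespace $ns -XPath $XPath | Select-Object -First 1
    if (-not $hit) { return '' }
    if ($hit.Node -is [System.Xml.XmlAttribute]) { $hit.Node.Value } else { $hit.Node.InnerText }
}

function ConvertFrom-UmdfEventXml {
    param([Parameter(Mandatory)][string]$Xml)

    # XmlConvert copes with the 7+ fractional digits in SystemTime.
    $timeText = Get-XPathValue $Xml '/e:Event/e:System/e:TimeCreated/@SystemTime'
    $when = if ($timeText) {
        [System.Xml.XmlConvert]::ToDateTime($timeText, [System.Xml.XmlDateTimeSerializationMode]::Utc)
    } else { $null }

    [PSCustomObject]@{
        Time     = $when
        EventID  = [int](Get-XPathValue $Xml '/e:Event/e:System/e:EventID')
        Computer = Get-XPathValue $Xml '/e:Event/e:System/e:Computer'          # element text
        UserSID  = Get-XPathValue $Xml '/e:Event/e:System/e:Security/@UserID'  # attribute value
        # The payload element name varies by event (UMDFHostDeviceRequest,
        # UMDFHostDeviceArrivalBegin, ...), so match any element in the UMDF
        # namespace and read its instance attribute: the device path.
        Instance = Get-XPathValue $Xml '/e:Event/e:UserData/u:*/@instance'
    }
}

ConvertFrom-UmdfEventXml -Xml $eventXml | Format-List

# Against a saved .evtx (path is an assumption) feed each record's ToXml()
# output through the same function; the Path key makes Get-WinEvent read the file:
# Get-WinEvent -FilterHashtable @{ Path = 'C:\logs\UMDF.evtx'; ID = 2003, 2100 } |
#     ForEach-Object { ConvertFrom-UmdfEventXml -Xml $_.ToXml() }
```

    The `u:*` name test is what keeps the function usable across the whole log: the 2003 arrival event shown later in the thread uses `UMDFHostDeviceArrivalBegin` instead of `UMDFHostDeviceRequest`, and an XPath tied to one element name would return blank for it.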

All replies

  • Run the following to understand how these events works and to see what is available.

    $filter = @{
    	Logname = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
    	Level = 0,1,2,3,4,5
    	ID = 2003,2004,2005,2100,2101,2102,2103,2104,2105,2106,2107,2108,2109
    }
    Get-WinEvent $filter
    $events = Get-WinEvent $filter | ForEach-Object{ $_.ToXml() }
    [xml]$xml = '<Events>' + $events + '</Events>'
    $xml.Events.Event.System
    $xml.Events.Event.UserData.UMDFHostDeviceRequest.Request


    \_(ツ)_/


    Saturday, July 22, 2017 9:09 PM
    Moderator
  • This is the full schema for all events for this provider.

    Log Name:      Microsoft-Windows-DriverFrameworks-UserMode/Operational
    Source:        Microsoft-Windows-DriverFrameworks-UserMode
    Date:          7/22/2017 5:01:03 PM
    Event ID:      2003
    Task Category: Loading drivers to control a newly discovered device.
    Level:         Information
    Keywords:      
    User:          LOCAL SERVICE
    Computer:      ALPHA
    Description:
    The UMDF Host Process ({5b5cb3fd-bda8-42e0-8dcd-50a1fd1fa199}) has been asked to load drivers for device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_LEXAR&PROD_DIGITAL_FILM&REV_#W1.#______________0302080000002D74AE7900000000000&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2E35AAEB-857F-4BEB-A418-2E6C0E54D988}" />
        <EventID>2003</EventID>
        <Version>1</Version>
        <Level>4</Level>
        <Task>33</Task>
        <Opcode>1</Opcode>
        <Keywords>0x8000000000000000</Keywords>
        <TimeCreated SystemTime="2017-07-22T21:01:03.421562800Z" />
        <EventRecordID>65</EventRecordID>
        <Correlation />
        <Execution ProcessID="5420" ThreadID="4108" />
        <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
        <Computer>ALPHA</Computer>
        <Security UserID="S-1-5-19" />
      </System>
      <UserData>
        <UMDFHostDeviceArrivalBegin instance="SWD\WPDBUSENUM\_??_USBSTOR#DISK&amp;VEN_LEXAR&amp;PROD_DIGITAL_FILM&amp;REV_#W1.#______________0302080000002D74AE7900000000000&amp;0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}" lifetime="{5B5CB3FD-BDA8-42E0-8DCD-50A1FD1FA199}" xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
        </UMDFHostDeviceArrivalBegin>
      </UserData>
    </Event>

    User is not part of the event XML.  Computer is here:

    $xml.Events.Event.System.Computer

    Different USB drivers may add more attributes into UserData.

    The UserID (SID) is here:

    $xml.Events.Event.SyStem.Security.UserId


    \_(ツ)_/


    Saturday, July 22, 2017 9:17 PM
    Moderator
  • $USBevents = Get-WinEvent -Filterxml $FilterXML #| ForEach-Object{ $_.ToXml() }
    
    
    
    If($USBevents) {
                   $XMLUSBresults = ForEach($USBevent in $USBevents) {
                                                                $xmlUSB = $USBevent.ToXml()
                                                                        [xml]$xml = '<Events>' +$USBEvents + '</Events>'
    
                                                                        Switch -Regex ($USBevent.Id) {
                                                                        '4...' {
                                                                        $USBComp = ($xml.Events.Event.System.Computer)
                                                                        BREAK
                                                                        }
                                                                        '7...' {
                                                                        $USBeventID = ($xml.Events.Event.System.EventID)
                                                                        BREAK
                                                                        }
                                                                        '10...' {
                                                                        $USBsid = ($xml.Events.Event.System.Security.UserID)
                                                                        #Translation needed to make usernames readable, from SID to USER
                                                                        #$USBUserID = (
                                                                        #    New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $USBsid).Translate([System.Security.Principal.NTAccount]).Value
                                                                        BREAK
                                                                        }
                                                                        '13...' {
                                                                        $USBUMDF = ($xml.Events.Event.UserData.UMDFHostDeviceRequest.Request)
                                                                        BREAK
                                                                        }
                                                                     }
    
                   New-Object -TypeName PSObject -Property @{
                                                            #Time = $USBevent.TimeCreated
                                                            Computer = ($USBComp | Out-String).Trim()
                                                            User = ($USBsid | Out-String).Trim()
                                                            EventId   = ($USBeventID | Out-String).Trim() #.Id
                                                            UMDF = ($USBUMDF | Out-String).Trim()
                                                            #Message = $type_lu[$USBevent.Id]
                                                            }
                }
    
        #convert results to a html file
        If($XMLUSBresults) {
            $XMLUSBresults | Sort Time -Descending | ConvertTo-Html -head $Head -body $HTMLbodySEC | Set-Content $USBresults
                          }
    }

    Thank you for your advice. The above is working, but I'm not quite able to separate the results as I'd like.

    The variables $USBComp, $USBsid, $USBeventID and $USBUMDF each contain all of the values, rather than just the one from that event.

    I've tried separating them by using a ForEach() and making the results a New-Object. Am I approaching this the wrong way?

    Also, if I uncomment the .Translate $USBUserID line, this doesn't give the username as predicted, but is blank instead.

    Thursday, July 27, 2017 9:46 PM
  • You must process events one at a time and not as a collection.

    Create a new object for each event.


    \_(ツ)_/

    Thursday, July 27, 2017 9:56 PM
    Moderator
  • Thank you for your advice. I'm now processing each separately, which is giving better results.

    #xml query from operational log
    $FilterXML = @"
                  <QueryList>
                  <Query Id="0" Path="file://$USBlog">
                  <Select Path="file://$USBlog">*[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=2003 or EventID=2004 or EventID=2005 or EventID=2100 or EventID=2101 or EventID=2102 or EventID=2105 or EventID=2106 or EventID=2103 or EventID=2104 or EventID=2107 or EventID=2108 or EventID=2109)]]
                  </Select>
                  </Query>
                  </QueryList>
    "@
    
    
    #$USB = Get-WinEvent $FilterXML
    $USBevents = Get-WinEvent -Filterxml $FilterXML | ForEach-Object{ $_.ToXml() }
    [xml]$xml = '<Events>' +$USBEvents + '</Events>'
    
    
    #convert Computer into separate objects
    If($USBevents) {
                    $USBComps = $xml.Events.Event.System.Computer
                        ForEach($USBComp in $USBComps){
                            $USBall += New-Object -TypeName PSObject -Property @{
                                                                      Computer = $USBComp
                                                                     }
                                                      }
                   }
    
    
    #convert EventID into separate objects
    If($USBevents) {
                    $USBeventIDs = ($xml.Events.Event.System.EventID)
                        ForEach($USBeventID in $USBeventIDs){
                            $USBall += New-Object -TypeName PSObject -Property @{
                                                                      EventID = $USBeventID
                                                                     }
                                                            }
                   }
    
    
    #Put variables into one table
    $USBdevices | Select Computer,EventID
    
    
    #convert results to a html file
    If($USBdevices) {
                    $USBdevices | ConvertTo-Html -head $Head -body $HTMLbodySEC | Set-Content $USBresults
                    }
                          
    
    #open the created html file
    Invoke-Item $USBresults

    I'm able to get the Computer and EventID as lists of data when I check the variables $USBComps and $USBeventIDs, just as I wanted.

    I need to now add these columns together and export them in a table as .html

    Which this part of the script is for

    #Put variables into one table
    $USBdevices | Select Computer,EventID
    
    
    #convert results to a html file
    If($USBdevices) {
                    $USBdevices | ConvertTo-Html -head $Head -body $HTMLbodySEC | Set-Content $USBresults
                    

    but the results are not as expected from this

    $USBall lists all the computers, followed by a list of blanks that should be the EventIDs.

    $USBdevices is empty, when I wanted this to select 2 columns as data Computer and EventID

    Why is it that $USBeventID and $USBeventIDs are correct, but $USBall is blank? Thanks again.

    Monday, July 31, 2017 7:46 PM
  • You will need to learn how to use a computed "Select-Object" command to create the custom objects that you wish to convert. You have copied your method from somewhere, but it is not the correct way of selecting objects.

    See: help Select-Object -Full


    \_(ツ)_/

    Monday, July 31, 2017 7:50 PM
    Moderator
  • I've made some changes as recommended. $OutputItem is a PSCustomObject containing .Computer and .EventID properties.

    #$USB = Get-WinEvent $FilterXML
    $USBevents = Get-WinEvent -Filterxml $FilterXML | ForEach-Object{ $_.ToXml() }
    [xml]$xml = '<Events>' +$USBEvents + '</Events>'
    
    
    #convert Computer into separate objects
    If($USBevents) {
                        $Comps = $xml.Events.Event.System.Computer
                        $OutputItem = ForEach($Comp in $Comps){
                                                [PSCustomObject]@{
                                                                Computer = $Comp
                                                                EventID  = ""
                                                                }
                                                }
                   }
    
    
    #convert EventID into separate objects
    If($USBevents) {
                        $USBeventIDs = $xml.Events.Event.System.EventID
                        $OutputItem += ForEach($USBeventID in $USBeventIDs){
                                                           [PSCustomObject]@{
                                                                            Computer = ""
                                                                            EventID  = $USBeventID
                                                                            }
                                                            }
                   }
    
    
    #convert results to a html file
    $OutputItem | ConvertTo-Html -head $Head -body $HTMLbodysec | Set-Content $Results

    $OutputItem returns the following

    Computer    EventID
    --------    -------
    DavidClient        
    DavidClient        
    DavidClient        
    DavidClient        
    DavidClient        
                         2102   
                         2100   
                         2102   
                         2100   
                         2102   
               
              
    So I now have $OutputItem containing all the required data, and in the correct format as well. The issue now is that it's appending the data one after the other, rather than combining it.

    Tuesday, August 1, 2017 9:59 PM
  • No. You have to enumerate the events and convert each event into a custom object.

    $xml.Events.Event |
          ForEach-Object{
                # create object and assign all properties you want to it.
          }
    In your code you are just playing with pieces with no connection. You have to do all of each event at the same time, all in the same loop.


    \_(ツ)_/

    Tuesday, August 1, 2017 10:21 PM
    Moderator
  • #$USB = Get-WinEvent $FilterXML
    $USBevents = Get-WinEvent -Filterxml $FilterXML | ForEach-Object{ $_.ToXml() }
    [xml]$xml = '<Events>' +$USBEvents + '</Events>'
    
    
    $xml.Events.Event |
    ForEach-Object
    {
        $OutputEvent = New-Object System.Object
        $OutputEvent | Add-Member -type NoteProperty -name "Computer" -Value $xml.Events.Event.System.Computer
        $OutputEvent | Add-Member -type NoteProperty -name "EventID" -Value $xml.Events.Event.System.EventID
        $outputEvents += $outputEvent 
    }

    I've been looking at the changes you suggest to grab all the data in the same loop as above.

    Output from this

    PS C:\WINDOWS\system32> $OutputEvents
    
    Computer                                                EventID                    
    --------                                                -------                    
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    {DavidClient, DavidClient, DavidClient, DavidClient...} {2102, 2100, 2102, 2100...}
    So it's picking up the whole of $xml.Events.Event.System.Computer rather than the per-event value that I was expecting from the ForEach?

    Sunday, August 6, 2017 10:32 AM
  • You are still not following my example:

    $filter = @{
    	Logname  = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
    	Level    = 0, 1, 2, 3, 4, 5
    	ID	     = 2003, 2004, 2005, 2100, 2101, 2102, 2103, 2104, 2105, 2106, 2107, 2108, 2109
    }
    Get-WinEvent $filter
    $events = Get-WinEvent $filter | ForEach-Object{ $_.ToXml() }
    [xml]$xml = '<Events>' + $events + '</Events>'
    $xml.Events.Event.System | 
    	Select-Object computer, eventid


    \_(ツ)_/

    • Marked as answer by davidmower84 Sunday, August 6, 2017 6:44 PM
    Sunday, August 6, 2017 4:27 PM
    Moderator
  • Thank you again, that makes sense and seems simple compared to the way I was approaching this.

    This is where I am now:

    $filter = @{
        Logname = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
        Level = 0, 1, 2, 3, 4, 5
        ID = 2003, 2004, 2005, 2100, 2101, 2102, 2103, 2104, 2105, 2106, 2107, 2108, 2109
    }
    #Get-WinEvent $filter
    $events = Get-WinEvent $filter | ForEach-Object{ $_.ToXml() }
    [xml]$xml = '<Events>' + $events + '</Events>'
    
    #set the columns data
    $TimeGenerated = @{ label='Time Created'; Expression={get-date $_.System.TimeCreated.SystemTime -format g} }
    $EventID = @{ label='EventID'; Expression={$_.System.EventID} }
    #Gives Event ID a meaningful description
    $EventName = @{ label='Event Name'; Expression={$EventConv[$_.System.EventID]} }
    $Computer = @{ label='Computer'; Expression={$_.System.Computer} }
    $SUserID = @{ label='S UserID'; Expression={$_.System.Security.UserID} }
    #Translation needed to make usernames readable, from SID to USER
    $SecurityUserID = @{ label='Security UserID'; Expression={((New-Object System.Security.Principal.SecurityIdentifier($_.System.Security.UserID)).Translate([System.Security.Principal.NTAccount])).Value}}
    $EventRecordID = @{ label='Event RecordID'; Expression={$_.System.EventRecordID} }
    $UMDFHostDeviceRequestInstance = @{ label='UMDF Host Device Request'; Expression={$_.UserData.UMDFHostDeviceRequest.instance} }

    $outputEvents = $xml.Events.Event |
        Select-Object $TimeGenerated, $EventID, $EventName, $Computer, $SUserID, $SecurityUserID, $EventRecordID, $UMDFHostDeviceRequestInstance

    Which yields the following results

    Time Created             : 07/08/2017 14:23
    EventID                  : 2105
    Event Name               : 
    Computer                 : DavidClient
    S UserID                 : S-1-5-19
    Security UserID          : NT AUTHORITY\LOCAL SERVICE
    Event RecordID           : 6008
    UMDF Host Device Request : SWD\WPDBUSENUM\{72D37D04-05B1-11E6-8253-001A7DDA7113}#000000000810
                               0000
    
    Time Created             : 07/08/2017 14:23
    EventID                  : 2100
    Event Name               : 
    Computer                 : DavidClient
    S UserID                 : S-1-5-19
    Security UserID          : NT AUTHORITY\LOCAL SERVICE
    Event RecordID           : 6007
    UMDF Host Device Request : SWD\WPDBUSENUM\{72D37D04-05B1-11E6-8253-001A7DDA7113}#000000000810
                               0000

    The $EventName is returning as null when I am trying to give the EventID a description using $EventConv:

    $EventConv =@{2003 = 'Query to load USB Drivers'
                2004 = 'Loading Drivers for new Device'
                2005 = 'Loading Drivers for new Device'
                2100 = 'Power Operation for USB Device'
                2101 = 'Power Operation for USB Device'
                2102 = 'Power Operation for USB Device'
                2105 = 'Power Operation for USB Device'
                2106 = 'Power Operation for USB Device'
                2103 = 'Error for Power Operation for USB Device'
                2104 = 'USB Device Power Event'
                2107 = 'USB Device Power Event'
                2108 = 'USB Device Power Event'
                2109 = 'USB Device Power Event'
                }

    but that's not working yet.

    Also, I'm trying to convert the SID to the UserID, which currently results in NT AUTHORITY\LOCAL SERVICE instead of what I would expect, with this:

    $SecurityUserID = @{ label='Security UserID'; Expression={((New-Object System.Security.Principal.SecurityIdentifier($_.System.Security.UserID)).Translate([System.Security.Principal.NTAccount])).Value}}


    Monday, August 7, 2017 8:07 PM
  • You don't need to specify "Level" if you want all levels.  All levels are returned by default.

    UserID is always the service account for these events.

    $EventConv = @{n='Event';e={
    		switch ($_.System.EventID){
    			2003 {'Query to load USB Drivers'}
    			2004 {'Loading Drivers for new Device'}
    			2005 {'Loading Drivers for new Device'}
    			2100 {'Power Operation for USB Device'}
    			2101 {'Power Operation for USB Device'}
    			2102 {'Power Operation for USB Device'}
    			2105 {'Power Operation for USB Device'}
    			2106 {'Power Operation for USB Device'}
    			2103 {'Error for Power Operation for USB Device'}
    			2104 {'USB Device Power Event'}
    			2107 {'USB Device Power Event'}
    			2108 {'USB Device Power Event'}
    			2109 {'USB Device Power Event'}
    			default {'Unknown'}
    		}
    	}
    }


    \_(ツ)_/



    Monday, August 7, 2017 8:14 PM
    Moderator
  • This is easier to maintain and understand:

    $select = @(
    	@{ n = 'Time Created'; e = { get-date $_.System.TimeCreated.SystemTime -format g } },
    	@{ n = 'EventID'; e = { $_.System.EventID } },
    	@{ n = 'Event'; e = {
    			switch ($_.System.EventID) {
    				2003 { 'Query to load USB Drivers' }
    				2004 { 'Loading Drivers for new Device' }
    				2005 { 'Loading Drivers for new Device' }
    				2100 { 'Power Operation for USB Device' }
    				2101 { 'Power Operation for USB Device' }
    				2102 { 'Power Operation for USB Device' }
    				2105 { 'Power Operation for USB Device' }
    				2106 { 'Power Operation for USB Device' }
    				2103 { 'Error for Power Operation for USB Device' }
    				2104 { 'USB Device Power Event' }
    				2107 { 'USB Device Power Event' }
    				2108 { 'USB Device Power Event' }
    				2109 { 'USB Device Power Event' }
    				default { 'Unknown' }
    			}
    		}
    	},	
    	@{ n = 'Computer'; e = { $_.System.Computer } },
    	@{ n = 'UserID'; e = { $_.System.Security.UserID } },
    	@{ n = 'Security UserID'; e = { ((New-Object System.Security.Principal.SecurityIdentifier($_.System.Security.UserID)).Translate([System.Security.Principal.NTAccount])).Value } },
    	@{ n = 'Event RecordID'; e = { $_.System.EventRecordID } },
    	@{ n = 'UMDF Host Device Request'; e = { $_.UserData.UMDFHostDeviceRequest.instance } }
    )
    $xml.Events.Event | Select-Object $select


    \_(ツ)_/


    Monday, August 7, 2017 8:30 PM
    Moderator
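    Taking the calculated-property list in the reply above as the starting point, the following is an added example (neither the reply's nor the poster's code) that runs it one event at a time over either a saved .evtx file or the live channel, writes the HTML report the original script was after, and adds two checks a practitioner would want. First, `$EventConv[$_.System.EventID]` in the earlier post came back empty because the EventID read out of the XML is a [string] while the hashtable keys are [int]; a `switch` happens to compare them equal, but a hashtable lookup does not, so the value is cast with `[int]` before the lookup. Second, the element under `<UserData>` is not always `UMDFHostDeviceRequest` (the 2003 event shown earlier in the thread carries `UMDFHostDeviceArrivalBegin`), so the device path is read from the `instance` attribute of whichever payload element is present. On the SID question: S-1-5-19 is the well-known SID of LOCAL SERVICE, the account the UMDF host process runs as, so `NT AUTHORITY\LOCAL SERVICE` is the correct translation and this column can never identify the person who plugged the device in. `$EvtxPath` and `$ReportPath` are assumptions.

```powershell
# Added example, not code from the thread. Reads the UMDF Operational events
# from a saved .evtx file (Path key) or, when $EvtxPath is empty, from the
# live channel, and builds one object per event.
param(
    [string]$EvtxPath   = '',                                            # assumption: exported .evtx to read
    [string]$ReportPath = (Join-Path $env:TEMP 'usb-device-report.html') # assumption: where the HTML goes
)

$ids = 2003, 2004, 2005, 2100, 2101, 2102, 2103, 2104, 2105, 2106, 2107, 2108, 2109

# Same descriptions as the thread. Keys are [int], so lookups must use [int] too.
$description = @{
    2003 = 'Query to load USB Drivers'
    2004 = 'Loading Drivers for new Device'
    2005 = 'Loading Drivers for new Device'
    2100 = 'Power Operation for USB Device'
    2101 = 'Power Operation for USB Device'
    2102 = 'Power Operation for USB Device'
    2103 = 'Error for Power Operation for USB Device'
    2104 = 'USB Device Power Event'
    2105 = 'Power Operation for USB Device'
    2106 = 'Power Operation for USB Device'
    2107 = 'USB Device Power Event'
    2108 = 'USB Device Power Event'
    2109 = 'USB Device Power Event'
}

# Source: a saved .evtx (Path key) or the live Operational channel.
$filter = @{ ID = $ids }
if ($EvtxPath) { $filter.Path    = $EvtxPath }
else           { $filter.LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational' }

function ConvertTo-UmdfRecord {
    # Turns one EventRecord into a flat object; runs per event via the pipeline.
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [System.Diagnostics.Eventing.Reader.EventRecord]$Record
    )
    process {
        [xml]$x = $Record.ToXml()
        $sys = $x.Event.System
        $id  = [int]$sys.EventID     # the XML gives a string; the table is keyed by [int]
        $name = if ($description.ContainsKey($id)) { $description[$id] } else { 'Unknown' }

        # Whichever element sits under <UserData> (UMDFHostDeviceRequest,
        # UMDFHostDeviceArrivalBegin, ...) carries the device path in @instance.
        $payload  = @($x.Event.UserData.ChildNodes | Where-Object { $_ -is [System.Xml.XmlElement] })[0]
        $instance = if ($payload) { $payload.GetAttribute('instance') } else { '' }
        $payloadName = if ($payload) { $payload.LocalName } else { '' }

        [PSCustomObject]@{
            'Time Created' = $Record.TimeCreated
            EventID        = $id
            Event          = $name
            Computer       = $sys.Computer
            UserID         = $sys.Security.UserID   # S-1-5-19 (LOCAL SERVICE) for every UMDF event
            Payload        = $payloadName
            Instance       = $instance
            RecordID       = [int64]$sys.EventRecordID
        }
    }
}

$records = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ConvertTo-UmdfRecord)
if ($records.Count -eq 0) {
    Write-Warning "No matching events found in $(if ($EvtxPath) { $EvtxPath } else { $filter.LogName })."
    return
}

# Per-event timeline, newest first.
$records | Sort-Object 'Time Created' -Descending |
    Format-Table 'Time Created', EventID, Event, Payload, Instance -AutoSize

# Per-device summary: first and last time each device instance path was seen.
$records | Where-Object { $_.Instance } | Group-Object Instance | ForEach-Object {
    $sorted = @($_.Group | Sort-Object 'Time Created')
    [PSCustomObject]@{
        Instance  = $_.Name
        Events    = $_.Count
        FirstSeen = $sorted[0].'Time Created'
        LastSeen  = $sorted[-1].'Time Created'
    }
} | Format-Table -AutoSize

# HTML report, as the thread's script intended.
$records | Sort-Object 'Time Created' -Descending |
    ConvertTo-Html -Title 'USB Devices - Connected and Disconnected' |
    Set-Content -Path $ReportPath
Write-Host "Report written to $ReportPath"
```

    The per-device summary is usually the part an investigator actually wants from this log: the `instance` path for USB storage embeds the vendor, product and serial string (see the `USBSTOR#DISK&VEN_LEXAR&PROD_DIGITAL_FILM...` example earlier in the thread), so grouping on it gives a first-seen/last-seen window per physical device rather than a flat list of power events.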
  • @{ n = 'Security UserID'; e = { ((New-Object System.Security.Principal.SecurityIdentifier($_.System.Security.UserID)).Translate([System.Security.Principal.NTAccount])).Value } },

    That is amazing; setting it out in that way makes it very clear what is happening.

    The above line isn't converting the SID as I'd expect.

    $xml.Events.Event.System.Security.UserID

    This produces all the SIDs in the format I'd expect.

    PS C:\WINDOWS\system32> $xml.Events.Event.System.Security.UserID
    S-1-5-19
    S-1-5-19
    S-1-5-19
    S-1-5-19
    S-1-5-19

    which I should be able to convert. Do you think

    $xml.Events.Event.System.Security.UserID

    is not the object type it's expecting? The result I get for each is NT AUTHORITY\LOCAL SERVICE, which is the wrong part of the results object that I'm looking for. I'm wondering if the variable needs a .SID for the results I'm looking for?


    Wednesday, August 9, 2017 8:26 PM
  • "Translate" cannot translate local SIDS.  The SID will always be the local system account so why translate it.  It serves no purpose.


    \_(ツ)_/

    Wednesday, August 9, 2017 8:29 PM
    Moderator