Monitoring USB activity is an important issue for many computer users, especially those who want to protect personal or business data. USB flash drives can be lost or stolen, and the data on them can be copied or secretly deleted by bad actors. Monitoring USB activity therefore helps you control what happens to your device and detect and promptly prevent violations of privacy and security.
Why is it necessary to monitor USB flash drive activity on Windows 10?
Event Viewer is a system management tool built into Windows 10. It allows you to view events related to system activity, applications, services and external devices. Because . Using Event Viewer, you can resolve problems, test performance, monitor activity, and control your computer’s security.
USB flash drive is a portable, compact and convenient storage device. It can contain many types of data such as documents, images, videos, audio, software and operating systems. USB flash drives come in many different types of capacity, speed, size and design. You can use them to copy, transfer, backup and restore data quickly and easily.
However, USB flash drives can also pose risks to your computer’s security and privacy. For example, if you expose your USB flash drive to others, they can copy or delete your data without permission. Or if you plug someone else’s USB into your computer, you could be infected with a virus or malicious code from that device.
Therefore, monitoring USB flash drive activity on Windows 10 is very important to protect your computer and data.
How to monitor USB activity using Event Viewer
How to enable tracking
Step 1: Click Start > Type “Event Viewer” > Click on the displayed result
As soon as the tool launches, you will see the “Overview and Summary” panel displaying a list of the most recent events collected from all logs.
Step 2: Next, enable the log that records USB activity by going to Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode
Step 3: Right-click “Operational” and select “Properties” from the context menu.
Step 4: When the Log Properties - Operational dialog box appears, check the “Enable Logging” box > OK
Step 5: Event Viewer will monitor USB flash drive related activities at:
Applications and Services Logs > Microsoft > Windows > DriverFrameworks-UserMode > Operational
How to monitor USB connections
When you connect a USB device to your system, several event logs are created in the “Operational” log. These logs include the following Event IDs:
- 2003
- 2004
- 2006
- 2010
- 2100
- 2101
- 2105
- 2106
As you can see, the first few event logs are related to loading the driver for the USB flash drive. The rest of the logs are related to PnP (Plug-and-Play) or Power Management operations that make the drive ready to operate in Windows 10.
Each event log has specific Date and Time information, corresponding to when the USB was connected to the system. A USB connection generates 16 event logs. Fortunately, all of these records are created at the same time, and the majority of them contain the device's unique serial number.
When a USB is connected, the first recorded event log is Event ID 2003. So, from the date and time information next to Event ID 2003, you can know exactly when the USB flash drive was connected to the system. If you then open the Event ID 2003 record, you can find the following information:
- Green part: Shows the encoded name of the device
  - USBSTOR#DISK indicates this is a USB flash drive
  - VEN_SANDISK&PROD_ULTRA indicates that this is a Sandisk Ultra 3.0 USB flash drive.
- Yellow part: Device’s unique serial number.
- Orange part: Displays the date and time the USB was connected to the system.
How to monitor USB disconnections
When you unplug or disconnect a USB device, several event logs are created in the “Operational” log called:
These event logs also contain the date and time along with the device’s unique serial number. Even though there are multiple records for a disconnection, the event ID is unique. Thus, by investigating the Event ID 2102 record, you can find out exactly when a specific device was disconnected from the system.
How to create Custom Views
Over time, the connection and disconnection of many USB devices will cause the Operational log to contain a lot of records. Therefore, to easily monitor Event ID 2003 and Event ID 2102 event logs, you can create a “Custom View”.
Step 1: Select Action tab > Select “Create Custom View”
Step 2: Check the “Information” box in the Event Level section
Step 3: Enter 2003, 2102 in the box as shown above > Click OK
Step 4: Enter a name then click OK
Now, to access Custom View, just click on the name you saved earlier. The interface will only display the event logs you want to monitor. Looks very neat, right!
Additionally, you can categorize and easily identify connection and disconnection events, by selecting the View tab > Group By > Event ID
If you find an Event ID 2003 event record for a USB flash drive but do not find the corresponding Event ID 2102 event record, it means that the USB is still attached to the system or the system was turned off before the device was removed.
You can investigate recent shutdowns as a way to determine when the USB disconnected. You can track recent shutdowns by creating a Custom View, setting the Event log to Windows > System and specifying the Event source as User32, Event ID as 1074.
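The Custom View above only filters the log. The PowerShell script below, an added example that is not part of the original article, pairs each Event ID 2003 with the next Event ID 2102 for the same serial number and leaves Disconnected empty when no 2102 record exists. The function name Get-UsbSession, the regular expression for the device string, and the sample records are assumptions constructed for illustration.

```powershell
# Added example: pair Event ID 2003 (connect) with the next Event ID 2102
# (disconnect) for the same device serial number.
$LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
# Assumption: the device string in the event message has the layout described
# in the article (USBSTOR#DISK&VEN_...&PROD_...#<serial>).
$DevicePattern = 'USBSTOR#DISK&VEN_(?<Vendor>[^&#]*)&PROD_(?<Product>[^&#]*)[^#]*#(?<Serial>[^#&]+)'

function Get-UsbSession {   # hypothetical helper name
    param([Parameter(Mandatory)][object[]]$Events)
    $open = @{}             # serial -> session that has no disconnect yet
    $sessions = [System.Collections.Generic.List[object]]::new()
    foreach ($e in ($Events | Sort-Object TimeCreated)) {
        if ($e.Message -match $DevicePattern) {
            $serial = $Matches.Serial
            if ($e.Id -eq 2003 -and -not $open.ContainsKey($serial)) {
                $open[$serial] = [pscustomobject]@{
                    Vendor = $Matches.Vendor; Product = $Matches.Product; Serial = $serial
                    Connected = $e.TimeCreated; Disconnected = $null
                }
            }
            elseif ($e.Id -eq 2102 -and $open.ContainsKey($serial)) {
                # Several 2102 records exist per unplug; only the first closes the session.
                $open[$serial].Disconnected = $e.TimeCreated
                $sessions.Add($open[$serial])
                $open.Remove($serial)
            }
        }
    }
    # No 2102 found: still attached, or the system was shut down first.
    foreach ($s in $open.Values) { $sessions.Add($s) }
    $sessions | Sort-Object Connected
}

# Constructed sample records (not real log data) with the same properties
# that Get-WinEvent returns: TimeCreated, Id, Message.
$a = 'USBSTOR#DISK&VEN_SANDISK&PROD_ULTRA&REV_1.00#EXAMPLESERIAL0001&0#'
$b = 'USBSTOR#DISK&VEN_EXAMPLE&PROD_DRIVE&REV_1.00#EXAMPLESERIAL0002&0#'
$sample = @(
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10 09:00:00'; Id = 2003; Message = "device $a" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10 09:42:10'; Id = 2102; Message = "device $a" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10 09:42:11'; Id = 2102; Message = "device $a" }
    [pscustomobject]@{ TimeCreated = [datetime]'2024-01-10 16:05:30'; Id = 2003; Message = "device $b" }
)
Get-UsbSession -Events $sample | Format-Table

# Live data (enable the log first from an elevated prompt: wevtutil sl $LogName /e:true):
# Get-UsbSession -Events (Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 2003, 2102 })
# Shutdowns to compare against open sessions:
# Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'User32'; Id = 1074 }
```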
Epilogue
In this article, I have shown you how to monitor USB activity on Windows 10 using Event Viewer. You can apply these steps to test, fix, or investigate USB-related issues. Good luck!