Know if a USB is inserted into your Pc(Windows 10)
Worried if someone at your home or office is using a USB Storage device to transfer your data? In order to track if there is any activity follow those steps:
1- Enable the USB Logging option by accessing the Event Viewer:
a- Click on the Start Menu, Type Event Viewer
b-Expand Applications and Services Logs
c- Expand Microsoft/Windows/DriverFrameworks-UserMode/ and click on Operational
d- Right-click Operational on the menu click Enable Log, this will enable the logging in the Operational folder.
2- Now After you insert the USB open the Operational Folder and see the logs as below:
Information and verbose Level Logs are created each event has an Id for example in the above example the first log which indicate that a USB is inserted has an ID of 2003, Logged at 01/17/2020 12:16:15 AM and in the General tab, you can see the USB model number(SANDISK CRUZER BLADE) and its Unique serial number in the last line between {}(#{53F56307-B6BF-11D0–94F2–00A0C91EFB8B})
When a USB flash drive is connected, the first registered event record is Event ID 2003. So by perceiving the date and time stamp assigned to an Event ID 2003 record, you can tell accurately when a USB flash drive was attached to the system.
When a USB flash drive is disconnected, you seek for Event ID 2102 so you can know when it was removed:
3- Create your own view in the Event viewer to get things easier:
As we can see in the Operational folder lots of lines with lots of event viewer IDs are created which makes us get more time to seek the 2003 and 2102 IDs, in order to solve this issue we can create a custom view as follow:
a- In the Actions panel on the right click on create on Custom view
b- Click on By Log and choose Microsoft-Windows-DriverFrameworks-UserMode/Operational if it’s not chosen by default
c- Replace <All Event IDs> with 2003,2102 then click ok to create the view:
d- Fill the Name of your filter then click ok:
e- Now you can open the custom view in Custom Views folder and see the events in chronological order and you can see when exactly a USB was connected and when it was disconnected:
f- If you discover an Event ID 2003 event record for a specific USB flash drive but don’t find a corresponding Event ID 2102 event record, that either indicates that the USB flash drive is still connected to the system or the system was shut down before the device was removed. The latter makes tracking a disconnect event a bit more tricky, but not impossible. You can investigate recent shutdowns as a means of determining when a USB flash drive was disconnected. You can track recent shutdowns by creating a Custom View and specifying Windows > System as the Event log, User32 as the Event source, and 1074 as the Event ID.
That’s all for this post if you have any question please write it in the comment and I will try my best to answer.
