Windows Security Log Event ID 6416

Operating Systems Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Process Tracking
 • Plug and Play
Type Success
Corresponding events
in Windows 2003
and before
 

6416: A new external device was recognized by the system.

On this page

Windows logs at least 1 of these events (observed 6 in the case of a USB flash drive) when you connect a new external device to the system. To determine the type of system look to the class GUID, or for more descriptive information, the Vendor and Compatible IDs. Note that this event is logged whenever you connect said device - even repeatedly; unlike other audit events that only log the very first time a given device is connected.

These events are logged for all devices we tested – not just USB devices.

Free Security Log Resources by Randy

Description Fields in 6416

Subject:

This is the normal subject info on all events but in this case is not important since on this event the subject will always be SYSTEM. Can't tell who actually plugged the device in.

  • Security ID: SYSTEM SID
  • Account Name: local computer name $
  • Account Domain: domain name of local computer
  • Logon ID as logged in 4624: should just be the hardcoded system logon session 0x3e7
  • Device ID: 
  • Device Name: examples: HID-compliant mouse, HID-compliant device, USB Input Device
  • Class ID:
  • Class Name: examples: HIDClass, Mouse

Vendor IDs:

Device types specified by vendor.  You can look up the VID at various USB ID databases on the web.

Compatible IDs:

Location Information:

Where (port) it was connected on the computer.  Sometimes just "-"

 

Setup PowerShell Audit Log Forwarding in 4 Minutes

 

Examples of 6416

A new external device was recognized by the system.
Subject:
   Security ID: SYSTEM
   Account Name: RFSOFFICEPC-249$
   Account Domain: LAB
   Logon ID: 0x3E7

Device ID: USB\VID_045E&PID_07A5\5&521a615&0&13

Device Name: Microsoft Mouse and Keyboard Detection Driver (USB)

Class ID: {36fc9e60-c465-11cf-8056-444553540000}

Class Name: USB

Vendor IDs:
   USB\VID_045E&PID_07A5&REV_0767
   USB\VID_045E&PID_07A5

Compatible IDs:
   USB\DevClass_00&SubClass_00&Prot_00
   USB\DevClass_00&SubClass_00
   USB\DevClass_00
   USB\COMPOSITE

Location Information:
   Port_#0013.Hub_#0002

Older version

A new external device was recognized by the system.
Subject:
   Security ID: SYSTEM
   Account Name: DESKTOP-TMO9MI9$
   Account Domain: WORKGROUP
   Logon ID: 0x3E7

Class ID: {4d36e967-e325-11ce-bfc1-08002be10318}

Vendor IDs:
   USBSTOR\DiskKingstonDT_Workspace____KS15
   USBSTOR\DiskKingstonDT_Workspace____
   USBSTOR\DiskKingston
   USBSTOR\KingstonDT_Workspace____K
   KingstonDT_Workspace____K
   USBSTOR\GenDisk
   GenDisk
  
Compatible IDs:
   USBSTOR\Disk
   USBSTOR\RAW
   GenDisk
  
Location Information:

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources