Windows Security Log Event ID 6416
Operating Systems |
Windows 2016 and 10
Windows Server 2019 and 2022
|
Category • Subcategory | Process Tracking • Plug and Play |
Type
|
Success
|
Corresponding events
in Windows
2003 and before |
|
6416: A new external device was recognized by the system.
On this page
Windows logs at least 1 of these events (observed 6 in the case of a USB flash drive) when you connect a new external device to the system. To determine the type of system look to the class GUID, or for more descriptive information, the Vendor and Compatible IDs. Note that this event is logged whenever you connect said device - even repeatedly; unlike other audit events that only log the very first time a given device is connected.
These events are logged for all devices we tested – not just USB devices.
Free Security Log Resources by Randy
Subject:
This is the normal subject info on all events but in this case is not important since on this event the subject will always be SYSTEM. Can't tell who actually plugged the device in.
- Security ID: SYSTEM SID
- Account Name: local computer name $
- Account Domain: domain name of local computer
- Logon ID as logged in 4624: should just be the hardcoded system logon session 0x3e7
- Device ID:
- Device Name: examples: HID-compliant mouse, HID-compliant device, USB Input Device
- Class ID:
- Class Name: examples: HIDClass, Mouse
Vendor IDs:
Device types specified by vendor. You can look up the VID at various USB ID databases on the web.
Compatible IDs:
Location Information:
Where (port) it was connected on the computer. Sometimes just "-"
Setup PowerShell Audit Log Forwarding in 4 Minutes
A new external device was recognized by the system.
Subject:
Security ID: SYSTEM
Account Name: RFSOFFICEPC-249$
Account Domain: LAB
Logon ID: 0x3E7
Device ID: USB\VID_045E&PID_07A5\5&521a615&0&13
Device Name: Microsoft Mouse and Keyboard Detection Driver (USB)
Class ID: {36fc9e60-c465-11cf-8056-444553540000}
Class Name: USB
Vendor IDs:
USB\VID_045E&PID_07A5&REV_0767
USB\VID_045E&PID_07A5
Compatible IDs:
USB\DevClass_00&SubClass_00&Prot_00
USB\DevClass_00&SubClass_00
USB\DevClass_00
USB\COMPOSITE
Location Information:
Port_#0013.Hub_#0002
Older version
A new external device was recognized by the system.
Subject:
Security ID: SYSTEM
Account Name: DESKTOP-TMO9MI9$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Class ID: {4d36e967-e325-11ce-bfc1-08002be10318}
Vendor IDs:
USBSTOR\DiskKingstonDT_Workspace____KS15
USBSTOR\DiskKingstonDT_Workspace____
USBSTOR\DiskKingston
USBSTOR\KingstonDT_Workspace____K
KingstonDT_Workspace____K
USBSTOR\GenDisk
GenDisk
Compatible IDs:
USBSTOR\Disk
USBSTOR\RAW
GenDisk
Location Information:
Top 10 Windows Security Events to Monitor
Free Tool for Windows Event Collection