Windows Security Log Event ID 6424

6424: The installation of this device was allowed, after having previously been forbidden by policy

On this page

• Description of this event
• Field level details
• Examples
• Mini-seminars on this event

Microsoft says "This event occurs rarely, and in some situations may be difficult to reproduce."

Since we are Ultimate IT Security experts we were easily able to generate this event.

This event is generated when a certain combition of settings are configured for auditing.  In Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions you will find these four settings (amongst others):

• Prevent installation of removable devices
• Prevent installation of devices using drivers that match these device setup classes
• Prevent installation of devices that match any of these device IDs
• Prevent installation of devices not described by other policy settings

One of these four settings must be configured and enabled in conjunction with the "Allow administrators to override Device Installation Restriction policies" which is found in the same location.

In order to see this event in the Security log, an adminstrator must open Device Manager and attempt to use the "Add hardware wizard" or the "Update Driver wizard" for a device that is specified in one of the previous four settings and also currently attached to the system and listed under "Other devices" in Device Manager.

These events are logged for all devices we tested – not just USB devices.

Free Security Log Resources by Randy

• Free Security Log Quick Reference Chart
• Windows Event Collection: Supercharger Free Edtion
• Free Active Directory Change Auditing Solution
• Free Course: Security Log Secrets

Description Fields in 6424

Subject:
Security ID: Domain\User performing the action.
Account Name: User performing the action.
Account Domain: Domain user belongs to.
Logon ID: Hexidecimal value of user

Device ID: ID of the device user attempted to disable.  In Device Manager you can find this listed as the "Device instance path" on the Details tab of the device.

Device Name: Name of device as it appears in Windows.  In Device Manager you can find this listed as the "Device description" on the Details tab of the device.

Class ID: GUID of the device as it appears in Windows.  In Device Manager you can find this listed as the "Class GUID" on the Details tab of the device.

Class Name: Class of the device as it appears in Windows. In Device Manager you can find this listed as the "Class" on the Details tab of the device.

Hardware IDs: List of IDs of the device as they appear in Windows.  In Device Manager you can find this listed as the "Hardware Ids" on the Details tab of the device.

Compatible IDs: List of Compatible IDs as they appear in Windows.  In Device Manager you can find this listed as the "Compatible Ids" on the Details tab of the device.

Location Information: Not always available.  This depends on the type of device.

Supercharger Free Edition

Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

 

Upcoming Webinars Unpacking a Linux Supply Chain Compromise Using the Recently Published XZ Utils Backdoor as the Example Assessing the Security of Your Active Directory: User Accounts Anatomy of a Cloud Hack: The Cloudflare/Okta Compromise – A Story of Tokens, Lateral Movement, Persistence and the Salvation of Zero Trust and Hard MFA Tokens

Additional Resources

•	Event IDs
•	All Event IDs
•	Audit Policy