Windows Security Log Event ID 6424

Operating Systems Windows 2016 and 10
Category
 • Subcategory
Process Tracking
 • Plug and Play
Type Success
Corresponding events
in Windows 2003
and before
 
Discussions on Event ID 6424

6424: The installation of this device was allowed, after having previously been forbidden by policy

On this page

Microsoft says "This event occurs rarely, and in some situations may be difficult to reproduce."

Since we are Ultimate IT Security experts we were easily able to generate this event.

This event is generated when a certain combition of settings are configured for auditing.  In Local Computer Policy\Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions you will find these four settings (amongst others):

  • Prevent installation of removable devices
  • Prevent installation of devices using drivers that match these device setup classes
  • Prevent installation of devices that match any of these device IDs
  • Prevent installation of devices not described by other policy settings

One of these four settings must be configured and enabled in conjunction with the "Allow administrators to override Device Installation Restriction policies" which is found in the same location.

In order to see this event in the Security log, an adminstrator must open Device Manager and attempt to use the "Add hardware wizard" or the "Update Driver wizard" for a device that is specified in one of the previous four settings and also currently attached to the system and listed under "Other devices" in Device Manager.

These events are logged for all devices we tested – not just USB devices.

Free Security Log Resources by Randy

Description Fields in 6424

Subject:
Security ID: Domain\User performing the action.
Account Name: User performing the action.
Account Domain: Domain user belongs to.
Logon ID: Hexidecimal value of user

Device ID: ID of the device user attempted to disable.  In Device Manager you can find this listed as the "Device instance path" on the Details tab of the device.

Device Name: Name of device as it appears in Windows.  In Device Manager you can find this listed as the "Device description" on the Details tab of the device.

Class ID: GUID of the device as it appears in Windows.  In Device Manager you can find this listed as the "Class GUID" on the Details tab of the device.

Class Name: Class of the device as it appears in Windows. In Device Manager you can find this listed as the "Class" on the Details tab of the device.

Hardware IDs: List of IDs of the device as they appear in Windows.  In Device Manager you can find this listed as the "Hardware Ids" on the Details tab of the device.

Compatible IDs: List of Compatible IDs as they appear in Windows.  In Device Manager you can find this listed as the "Compatible Ids" on the Details tab of the device.

Location Information: Not always available.  This depends on the type of device.

Supercharger Free Edition


Your entire Windows Event Collection environment on a single pane of glass.

Free.

 

Examples of 6424

The installation of this device was allowed, after having previously been forbidden by policy.
Subject:
     Security ID: SYSTEM
     Account Name: DESKTOP-3PNSS2S$
     Account Domain: WORKGROUP
     Logon ID: 0x3E7
Device ID: PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000
Device Name: Disk drive
Class ID: {00000000-0000-0000-0000-000000000000}
Class Name:
Hardware IDs:
     RSPCIESTOR\GenDisk
     GenDisk
Compatible IDs:
     SCSI\Disk
Location Information: -

Keep me up-to-date on the Windows Security Log.
Email*:
*We will NOT share this

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection



 

Additional Resources