Are USB unplug events logged in Windows 7? (When was my mouse stolen?)

20

4

I know this sounds kind of ridiculous, but someone stole my mouse from my cubicle. I came to work in the morning and was about to give my mouse a little shove to wake up the monitor, but it wasn't there!

I'm trying to figure out when this happened. I'm running Windows 7 and it's a USB mouse. I checked the event logs, but there don't seem to be any logs that might tell me what I'm looking for.

Is there any place where USB unplug events are logged?

pepsi

Posted 2011-03-29T14:25:32.223

Reputation: 305

Related question: 2014-12-08, Logging when someone connects or removes a USB device to/from a Windows machine

– StackzOfZtuff – 2016-01-27T11:24:03.490

Might be of help in the future: https://www.eventtracker.com/blog/2014/june/tracking-removable-storage-with-the-windows-security-log/

– Moab – 2019-08-30T15:15:31.587

7My event log is called a security camera. – Bart Silverstrim – 2011-03-29T14:34:59.573

Do you turn off, or standby, your computer at night? – jscott – 2011-03-29T14:37:58.820

@jscott - Nope, always on so that I can remote in if needed – pepsi – 2011-03-29T15:03:26.713

3I generally find missing mice in the dryer. – GregD – 2011-03-29T15:12:37.920

Interesting questions. As far as your co-workers: totally lame. But I'd like to know the answer to this one. – Belmin Fernandez – 2011-03-29T18:42:21.907

2Set a trap, buy a hidden camera and a nicer mouse to tempt the thief again. – Moab – 2011-03-29T20:46:10.297

2I love this question, would love to see it answered... – studiohack – 2011-03-30T21:10:23.713

3Was the culprit ever caught? – Drew – 2011-11-09T06:37:11.057

1@AndrewHeath - Yes, I got a confession out of the intern I was mentoring :) And actually he didn't steal the mouse--he just hid it behind my workstation tower as a prank. It was still plugged in, so USB unplug logs wouldn't have helped anyway. – pepsi – 2013-03-20T18:12:18.333

Answers

5

There isn't a log of them unfortunately - those events are lost forever. I've always wanted a dmesg equivalent on Windows.

With Windows XP and earlier, you can use winmsd to produce a system configuration output, but in later versions it's been replaced with msinfo32 (GUI application that I'm not so sure about parsing the output of).

Both of those only give you point-in-time information though, so for mouse-theft detective work you'd need to be regularly logging the output of winmsd to a file. I must admit I'd personally go with the webcam suggestion in the future.

Simon

Posted 2011-03-29T14:25:32.223

Reputation: 4 232

2

Actually, there is a log file for this. It's called Microsoft-Windows-DriverFrameworks-UserMode-Operational.evtx but it's disabled by default on Win10.

– StackzOfZtuff – 2016-01-27T11:29:06.220

But is it "possible" for a Windows program to do it? Or is the functionality just not available in Windows (so programs do not have the capability to do so)? – Pacerier – 2012-07-05T13:11:04.703

8

It might be too late now, but there ARE a couple pieces of software that will do exactly that. The easiest one to use being USBLogView.

Other options, not so friendly, are the Windows USB Storage Parser or Microsoft's USBView (UVCView on Win7), that ships with the Windows Driver Kit (WDK).

If you really want to get your hands dirty, open RegEdit and look for the following entries:

Description: List of installed USB devices, both connected and unconnected

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB

Why you care: It can be useful to know what USB devices have been connected to a box, and even the vendor and serial number of the device in some cases. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. Think how useful it can be to help tie something a user physically possesses to a box.

Description: List of installed USB storage devices

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Why you care: Much like the installed USB devices entry, but just for USB storage. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not USBSTOR when I tested last.

Gaia

Posted 2011-03-29T14:25:32.223

Reputation: 4 549

1Monitoring those keys with Procmon.exe from SysInternals did exactly what I needed. – Doug Wilson – 2019-05-19T16:48:25.597
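Added example, not part of the original answer or of any tool it names: a Python script that parses key paths exported from the two registry locations in the answer above, separates device-reported serial numbers from Windows-generated instance IDs, and links a USBSTOR entry to its USB VID/PID through the shared serial. The sample key paths and serial are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample (made-up instance IDs and serial): key paths as printed by
#   reg query HKLM\SYSTEM\CurrentControlSet\Enum\USB /s   (and ...\Enum\USBSTOR /s)
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_046D&PID_C077
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_046D&PID_C077\5&1a2b3c4d&0&2
    DeviceDesc    REG_SZ    @input.inf,%hid.devicedesc%;USB Input Device
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_5567\4C530001230101116123
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\VID_0781&PID_5567\4C530001230101116123\Device Parameters
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26\4C530001230101116123&0
"""

# Matches only instance keys: ...\Enum\<bus>\<device id>\<instance id>
KEY = re.compile(r"\\Enum\\(USB|USBSTOR)\\([^\\]+)\\([^\\]+)$", re.I)

def parse_instances(text):
    records = []
    for line in text.splitlines():
        m = KEY.search(line.rstrip())
        if not line.startswith("HKEY_") or not m:
            continue  # skip value lines, parent keys and deeper subkeys
        bus, device_id, instance = m.group(1).upper(), m.group(2), m.group(3)
        # A '&' as second character means Windows generated the ID because
        # the device reported no serial number, so it is not a device serial.
        generated = len(instance) > 1 and instance[1] == "&"
        serial = None if generated else instance.split("&")[0]
        rec = {"bus": bus, "serial": serial, "instance": instance}
        if bus == "USB":
            ids = re.search(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", device_id, re.I)
            rec["vid"], rec["pid"] = ids.groups() if ids else (None, None)
        else:
            # Device id looks like Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.26
            parts = dict(p.split("_", 1) for p in device_id.split("&") if "_" in p)
            rec["vendor"], rec["product"] = parts.get("Ven"), parts.get("Prod")
        records.append(rec)
    return records

def link_storage(records):
    # Join each USBSTOR entry to its USB entry through the shared serial.
    usb = {r["serial"]: r for r in records if r["bus"] == "USB" and r["serial"]}
    return [(s["vendor"], s["product"], usb[s["serial"]]["vid"],
             usb[s["serial"]]["pid"], s["serial"])
            for s in records if s["bus"] == "USBSTOR" and s["serial"] in usb]

if __name__ == "__main__":
    recs = parse_instances(SAMPLE)
    for rec in recs:
        print(rec)
    print(link_storage(recs))
```
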