This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Community FAQ
Register | Log In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- Reports & Analytics
- Re: Track USB Storage Devices connected to assets ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-31-2024 10:56 AM - last edited on ‎04-01-2024 12:23 PM by Mercedes_O
Hello team,
Is there any report available to track USB Storage disks activities? I mean when were being connected on assets, as well when they are disconnected?
We need a historical report, not only when the USB Storage disks were detected during the last scan.
Solved! Go to Solution.
Labels:
- Labels:
-
Finished Reports
2 ACCEPTED SOLUTIONS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 06:56 AM
NG Query:
+ List AD Groups with prefix 'USB'
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged DescOptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 07:29 AM - edited ‎02-01-2024 07:30 AM
I see that you have setting one scan per 20 days I suggest you change to 1 or 0!
18 REPLIES 18
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-02-2024 06:23 AM
I have tried to add link with USB Devices to show current inserted USB but it's time approximity:
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged,
tblUSBDevices.DeviceID
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
tblFloppyHist.InterfaceType = 'USB'
Left Join tblUSBDevices On tblAssets.AssetID = tblUSBDevices.AssetID
And tblFloppyHist.Model = tblUSBDevices.name And
DateDiff(s, tblFloppyHist.Lastchanged, tblUSBDevices.lastchanged) Between
-15 And 15
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged Desc
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 02:33 PM
It's been a while, and I don't have time to check it out again, but we've been looking into this for some forensics, and came up with this PowerShell script (which you could use as a starting point to deploy and send the output to eg. an event instead of a txt file):
$logname = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
$log.IsEnabled = $true
$log.SaveChanges()
$rfile = "$env:temp\usbdevices.log"
if (Test-Path -Path $rfile) {Remove-Item $rfile}
else {New-Item -Path $rfile -ItemType File}
$events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational';id=2003,2102} | ForEach-Object {$_.toxml()}
[xml]$xmlleke = '<Events>' + $events + '</Events>'
$select = @(
@{ n = 'Time Created'; e = { get-date $_.System.TimeCreated.SystemTime -format g } },
@{ n = 'EventID'; e = { $_.System.EventID } },
@{ n = 'Event'; e = {
switch ($_.System.EventID) {
2003 { 'USB Device connected' }
2102 { 'USB Device disconnected' }
default { 'Unknown' }
}
}
},
@{ n = 'Computer'; e = { $_.System.Computer } },
@{ n = 'FriendlyName'; e = { $devUSB = ((($_.InnerText.Substring($_.InnerText.IndexOf('#') +1,($_.InnerText.LastIndexOf('#') - ($_.InnerText.IndexOf('#')) -1))).Replace('&','_')).Replace('#','\'));`
$rkey = "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\$devUSB";(Get-ItemProperty -Path $rkey | Select FriendlyName).FriendlyName.ToString()}}
)
$xmlleke.Events.Event | Select-Object $select -Unique | Out-File -FilePath $rfile
notepad $rfileI think that you just need to enable this "Microsoft-Windows-DriverFrameworks-UserMode" event logging (eg. through gpo).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎05-15-2025 05:50 AM
Now LS supports PNPSIGNEDDRIVERS so we can create report by your way:
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblUSBDevices.name,
tblUSBDevices.DeviceID As USBDeviceID,
tblPnPSignedDrivers.DeviceID As PNP_USBDeviceID,
tblUSBDevices.LastChanged As USBDevices_LastChanged,
tblFloppy.size,
tblFloppy.SerialNumber,
tblFloppy.Lastchanged As Floppy_Lastchanged
From tblFloppy
Inner Join tblUSBDevices On tblFloppy.AssetID = tblUSBDevices.AssetID And
tblFloppy.Model = tblUSBDevices.name And tblFloppy.Size > 0
Inner Join tblAssets On tblAssets.AssetID = tblFloppy.AssetID
Left Join tblPnPSignedDrivers On
tblAssets.AssetID = tblPnPSignedDrivers.AssetID And
tblPnPSignedDrivers.DeviceID Like 'usbstor%' + tblUSBDevices.DeviceID +
'%'
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a month ago
Hi Mister, can you share your experience with other USB devices by using PNPSIGNEDDRIVERS?
Thanks in advance
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
a month ago
You can use this template to create own reports:
Select Top 1000000 tblassets.AssetID,
tblassets.AssetName,
tblassets.IPAddress,
tblassets.Lastseen,
tblassets.Lasttried,
Coalesce(tblPnPSignedDrivers.FriendlyName, tblPnPSignedDriversUni.DeviceName,
'unknown') As name,
tblPnPSignedDrivers.Manufacturer,
tblPnPSignedDrivers.DeviceID
From tblassets
Inner Join tblPnPSignedDrivers On
tblassets.AssetID = tblPnPSignedDrivers.AssetID
Inner Join tblPnPSignedDriversUni On
tblPnPSignedDriversUni.PnPSignedDriverUniID =
tblPnPSignedDrivers.PnPSignedDriverUniID And
tblPnPSignedDriversUni.DeviceClass In ('DISKDRIVE', 'DISPLAY', 'IMAGE')Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
4 weeks ago
Great! Thank you for your help.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 06:56 AM
NG Query:
+ List AD Groups with prefix 'USB'
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged DescOptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 07:25 AM
thank you for your support. Also tried this report but still it doesn't give me any results. Maybe I need to enable also something else in Scanned Item Interval or Registry Scanning?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 07:29 AM - edited ‎02-01-2024 07:30 AM
I see that you have setting one scan per 20 days I suggest you change to 1 or 0!
Reports & Analytics
Ask about reports you're interested in and share reports you've created. Subscribe to receive daily updates of reports shared in the Community.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Why can SNMPv3 not poll Cisco IOS XE devices for connected asset information? in Open Office Hours Q&A
- Lansweeper Not Detecting All Network Devices in General Discussions
- SNMP MAC address table switch incomplete for silent (listening) devices in General Discussions
- Wifi Scanning in General Discussions
- Lansweeper performing Remote PS when scanning targets in General Discussions
