This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Community FAQ
Register | Log In
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- Reports & Analytics
- Re: Track USB Storage Devices connected to assets ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-31-2024 10:56 AM - last edited on ‎04-01-2024 12:23 PM by Mercedes_O
Hello team,
Is there any report available to track USB Storage disks activities? I mean when were being connected on assets, as well when they are disconnected?
We need a historical report, not only when the USB Storage disks were detected during the last scan.
Solved! Go to Solution.
Labels:
- Labels:
-
Finished Reports
2 ACCEPTED SOLUTIONS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 06:56 AM
NG Query:
+ List AD Groups with prefix 'USB'
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged DescOptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 07:29 AM - edited ‎02-01-2024 07:30 AM
I see that you have setting one scan per 20 days I suggest you change to 1 or 0!
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-02-2024 06:23 AM
I have tried to add link with USB Devices to show current inserted USB but it's time approximity:
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged,
tblUSBDevices.DeviceID
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
tblFloppyHist.InterfaceType = 'USB'
Left Join tblUSBDevices On tblAssets.AssetID = tblUSBDevices.AssetID
And tblFloppyHist.Model = tblUSBDevices.name And
DateDiff(s, tblFloppyHist.Lastchanged, tblUSBDevices.lastchanged) Between
-15 And 15
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged Desc
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 02:33 PM
It's been a while, and I don't have time to check it out again, but we've been looking into this for some forensics, and came up with this PowerShell script (which you could use as a starting point to deploy and send the output to eg. an event instead of a txt file):
$logname = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
$log.IsEnabled = $true
$log.SaveChanges()
$rfile = "$env:temp\usbdevices.log"
if (Test-Path -Path $rfile) {Remove-Item $rfile}
else {New-Item -Path $rfile -ItemType File}
$events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational';id=2003,2102} | ForEach-Object {$_.toxml()}
[xml]$xmlleke = '<Events>' + $events + '</Events>'
$select = @(
@{ n = 'Time Created'; e = { get-date $_.System.TimeCreated.SystemTime -format g } },
@{ n = 'EventID'; e = { $_.System.EventID } },
@{ n = 'Event'; e = {
switch ($_.System.EventID) {
2003 { 'USB Device connected' }
2102 { 'USB Device disconnected' }
default { 'Unknown' }
}
}
},
@{ n = 'Computer'; e = { $_.System.Computer } },
@{ n = 'FriendlyName'; e = { $devUSB = ((($_.InnerText.Substring($_.InnerText.IndexOf('#') +1,($_.InnerText.LastIndexOf('#') - ($_.InnerText.IndexOf('#')) -1))).Replace('&','_')).Replace('#','\'));`
$rkey = "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\$devUSB";(Get-ItemProperty -Path $rkey | Select FriendlyName).FriendlyName.ToString()}}
)
$xmlleke.Events.Event | Select-Object $select -Unique | Out-File -FilePath $rfile
notepad $rfileI think that you just need to enable this "Microsoft-Windows-DriverFrameworks-UserMode" event logging (eg. through gpo).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 06:56 AM
NG Query:
+ List AD Groups with prefix 'USB'
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged DescOptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 07:25 AM
thank you for your support. Also tried this report but still it doesn't give me any results. Maybe I need to enable also something else in Scanned Item Interval or Registry Scanning?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 07:29 AM - edited ‎02-01-2024 07:30 AM
I see that you have setting one scan per 20 days I suggest you change to 1 or 0!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎02-01-2024 02:32 PM
hello,
Super, its working now. Many thanks @Mister_Nobody Great job!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-31-2024 11:27 AM - edited ‎01-31-2024 11:42 AM
I have tried to write SQL report but LS has no documentation about history tables:
Select Top 1000000 tblAssets.assetid,
tblAssets.AssetName,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged,
tblFloppyHist.Action As Action1
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID
Where tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged Desc
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-31-2024 11:04 AM - edited ‎01-31-2024 11:07 AM
No history for USB Devices.
For USB Storage you can see
https://LS_server/Report/report.aspx?det=changes&page=Floppy
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
‎01-31-2024 11:12 AM
Hello,
I cant reach this page.
Reports & Analytics
Ask about reports you're interested in and share reports you've created. Subscribe to receive daily updates of reports shared in the Community.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Lansweeper Not Detecting All Network Devices in General Discussions
- SNMP MAC address table switch incomplete for silent (listening) devices in General Discussions
- Wifi Scanning in General Discussions
- Lansweeper performing Remote PS when scanning targets in General Discussions
- Leveraging Network Topology for hardware asset relationships in Product Discussions
