This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Lansweeper Community
- Forums
- Reports & Analytics
- Track USB Storage Devices connected to assets via ...
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Register to ask a question, start a topic or share an idea
Join the Community
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-31-2024
10:56 AM
- last edited on
04-01-2024
12:23 PM
by
Mercedes_O
Hello team,
Is there any report available to track USB Storage disks activities? I mean when were being connected on assets, as well when they are disconnected?
We need a historical report, not only when the USB Storage disks were detected during the last scan.
Solved! Go to Solution.
Labels:
- Labels:
-
Finished Reports
2 ACCEPTED SOLUTIONS
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-01-2024 06:56 AM
NG Query:
+ List AD Groups with prefix 'USB'
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged DescOptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-01-2024 07:29 AM - edited 02-01-2024 07:30 AM
I see that you have setting one scan per 20 days I suggest you change to 1 or 0!
14 REPLIES 14
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-02-2024 06:23 AM
I have tried to add link with USB Devices to show current inserted USB but it's time approximity:
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged,
tblUSBDevices.DeviceID
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
tblFloppyHist.InterfaceType = 'USB'
Left Join tblUSBDevices On tblAssets.AssetID = tblUSBDevices.AssetID
And tblFloppyHist.Model = tblUSBDevices.name And
DateDiff(s, tblFloppyHist.Lastchanged, tblUSBDevices.lastchanged) Between
-15 And 15
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged Desc
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-01-2024 02:33 PM
It's been a while, and I don't have time to check it out again, but we've been looking into this for some forensics, and came up with this PowerShell script (which you could use as a starting point to deploy and send the output to eg. an event instead of a txt file):
$logname = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'
$log = New-Object System.Diagnostics.Eventing.Reader.EventLogConfiguration $logName
$log.IsEnabled = $true
$log.SaveChanges()
$rfile = "$env:temp\usbdevices.log"
if (Test-Path -Path $rfile) {Remove-Item $rfile}
else {New-Item -Path $rfile -ItemType File}
$events = Get-WinEvent -FilterHashtable @{LogName='Microsoft-Windows-DriverFrameworks-UserMode/Operational';id=2003,2102} | ForEach-Object {$_.toxml()}
[xml]$xmlleke = '<Events>' + $events + '</Events>'
$select = @(
@{ n = 'Time Created'; e = { get-date $_.System.TimeCreated.SystemTime -format g } },
@{ n = 'EventID'; e = { $_.System.EventID } },
@{ n = 'Event'; e = {
switch ($_.System.EventID) {
2003 { 'USB Device connected' }
2102 { 'USB Device disconnected' }
default { 'Unknown' }
}
}
},
@{ n = 'Computer'; e = { $_.System.Computer } },
@{ n = 'FriendlyName'; e = { $devUSB = ((($_.InnerText.Substring($_.InnerText.IndexOf('#') +1,($_.InnerText.LastIndexOf('#') - ($_.InnerText.IndexOf('#')) -1))).Replace('&','_')).Replace('#','\'));`
$rkey = "HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR\$devUSB";(Get-ItemProperty -Path $rkey | Select FriendlyName).FriendlyName.ToString()}}
)
$xmlleke.Events.Event | Select-Object $select -Unique | Out-File -FilePath $rfile
notepad $rfileI think that you just need to enable this "Microsoft-Windows-DriverFrameworks-UserMode" event logging (eg. through gpo).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-01-2024 06:56 AM
NG Query:
+ List AD Groups with prefix 'USB'
Select Top 1000000 tblAssets.assetid,
tblAssets.domain,
tblAssets.AssetName,
tblAssets.Userdomain,
tblAssets.Username,
Stuff((Select ', ' + tblADGroups.Name As [text()]
From tblADMembership Inner Join tblADGroups On
tblADMembership.ParentAdObjectID = tblADGroups.ADObjectID Inner Join
tblADusers On tblADMembership.ChildAdObjectID = tblADusers.ADObjectID
Where tblADusers.Username = tblAssets.Username And tblADusers.Userdomain =
tblAssets.Userdomain And tblADGroups.Name Like 'USB%' For Xml Path('')),
1, 2, '') groups,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID And
tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged DescOptions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-01-2024 07:25 AM
thank you for your support. Also tried this report but still it doesn't give me any results. Maybe I need to enable also something else in Scanned Item Interval or Registry Scanning?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-01-2024 07:29 AM - edited 02-01-2024 07:30 AM
I see that you have setting one scan per 20 days I suggest you change to 1 or 0!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
02-01-2024 02:32 PM
hello,
Super, its working now. Many thanks @Mister_Nobody Great job!
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-31-2024 11:27 AM - edited 01-31-2024 11:42 AM
I have tried to write SQL report but LS has no documentation about history tables:
Select Top 1000000 tblAssets.assetid,
tblAssets.AssetName,
tblFloppyHist.Model,
tblFloppyHist.Size,
tblFloppyHist.FirmwareRevision,
tblFloppyHist.SerialNumber,
Case tblFloppyHist.Action
When 1 Then 'Added'
When 2 Then 'Removed'
When 3 Then 'Updated'
End As Action,
tblFloppyHist.InterfaceType,
tblFloppyHist.Lastchanged,
tblFloppyHist.Action As Action1
From tblFloppyHist
Inner Join tblAssets On tblAssets.AssetID = tblFloppyHist.AssetID
Where tblFloppyHist.InterfaceType = 'USB'
Order By tblAssets.AssetName,
tblFloppyHist.Lastchanged Desc
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-31-2024 11:04 AM - edited 01-31-2024 11:07 AM
No history for USB Devices.
For USB Storage you can see
https://LS_server/Report/report.aspx?det=changes&page=Floppy
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
01-31-2024 11:12 AM
Hello,
I cant reach this page.
New to Lansweeper?
Try Lansweeper For Free
Experience Lansweeper with your own data. Sign up now for a 14-day free trial.
Try Now
Related Content
- Lansweeper performing Remote PS when scanning targets in General Discussions
- Leveraging Network Topology for hardware asset relationships in Product Discussions
- Announcing Lansweeper’s Integration with Setyl in Product Discussions
- 🎁 Free IP Scanner for IT Pros: Fast, Accurate, and Packed with Features! in Product Announcements
- New Integration Alert: DeepSurface Security Comes to Lansweeper! in General Discussions
