Are USB unplug events logged in Windows 7? (When was my mouse stolen?)
It might be too late now, but there ARE a couple pieces of software that will do exactly that. The easiest one to use is USBLogView.
Other options, not so friendly, are the Windows USB Storage Parser or Microsoft's USBView (UVCView on Win7), which ships with the Windows Driver Kit (WDK).
If you really want to get your hands dirty, open RegEdit and look for the following entries:
Description: List of installed USB devices, both connected and unconnected
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Why you care: It can be useful to know what USB devices have been connected to a box, and even the vendor and serial number of the device in some cases. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. Think how useful it can be to help tie something a user physically possesses to a box.

Description: List of installed USB storage devices
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
Why you care: Much like the installed USB devices entry, but just for USB storage. Think someone copied the data to a thumbdrive? This may help you trace down what thumbdrive. CleanAfterMe scrubs HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB but not USBSTOR when I tested last.
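
An added example, not part of the answer above: a read-only PowerShell sketch that walks the two Enum keys it names and lists each device instance. The output column names and the generated-serial heuristic are assumptions of this example; it is written to run on the PowerShell 2.0 that ships with Windows 7.

```powershell
# Added example: enumerate USB device records under the two registry keys
# named in the answer. Read-only; column names are this example's own.
$roots = @{
    'USB'     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
    'USBSTOR' = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
}

$records = foreach ($bus in $roots.Keys) {
    # USBSTOR does not exist if no USB storage was ever attached.
    if (-not (Test-Path $roots[$bus])) { continue }

    # First level: device ID (VID_xxxx&PID_xxxx under USB,
    # Disk&Ven_...&Prod_...&Rev_... under USBSTOR).
    foreach ($device in Get-ChildItem -Path $roots[$bus] -ErrorAction SilentlyContinue) {
        $vendorId = $null; $productId = $null
        if ($device.PSChildName -match 'VID_([0-9A-F]{4})&PID_([0-9A-F]{4})') {
            $vendorId = $Matches[1]; $productId = $Matches[2]
        }

        # Second level: one subkey per device instance. Its name is the
        # device serial number when the device reports one.
        foreach ($instance in Get-ChildItem -Path $device.PSPath -ErrorAction SilentlyContinue) {
            $values = Get-ItemProperty -Path $instance.PSPath -ErrorAction SilentlyContinue
            $id = $instance.PSChildName
            New-Object PSObject -Property @{
                Bus          = $bus
                DeviceId     = $device.PSChildName
                VendorId     = $vendorId
                ProductId    = $productId
                InstanceId   = $id
                # Common forensic heuristic (assumption of this example):
                # '&' as the second character means Windows generated the ID
                # because the device has no unique serial (typical for mice).
                GeneratedId  = ($id.Length -gt 1 -and $id[1] -eq '&')
                FriendlyName = $values.FriendlyName
                DeviceDesc   = $values.DeviceDesc
            }
        }
    }
}

$records |
    Sort-Object Bus, DeviceId, InstanceId |
    Select-Object Bus, VendorId, ProductId, InstanceId, GeneratedId, FriendlyName, DeviceDesc |
    Format-Table -AutoSize
```

Replacing the final `Format-Table` with `Export-Csv` keeps a copy of the listing for later comparison.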
There isn't a log of them unfortunately - those events are lost forever. I've always wanted a dmesg equivalent on Windows.
With Windows XP and earlier, you can use winmsd to produce a system configuration output, but in later versions it's been replaced with msinfo32 (GUI application that I'm not so sure about parsing the output of).
Both of those only give you point-in-time information though, so for mouse-theft detective work you'd need to be regularly logging the output of winmsd to a file. I must admit I'd personally go with the webcam suggestion in the future.