Where can I find logs on recent USB insertion in the Event Viewer?
Per scottschlaefli's answer, Windows does not log this event by default. However, you can do this with a third-party utility. One I've found useful to log USB activity: http://www.nirsoft.net/utils/usb_log_view.html
USBLogView is a small utility that runs in the background and records the details of any USB device that is plugged or unplugged into your system. For every log line created by USBLogView, the following information is displayed: Event Type (Plug/Unplug), Event Time, Device Name, Description, Device Type, Drive Letter (For storage devices), Serial Number (Only for some types of devices), Vendor ID, Product ID, Vendor Name, Product Name, and more.
Try logman.exe trace.
USB insertion is not a logged event in Windows Event Viewer by default. You can create event traces for USB devices using logman by following these steps located in this TechNet article:
In an administrative command prompt, enter the following:
logman create trace -n usbtrace -o %SystemRoot%\Tracing\usbtrace.etl -nb 128 640 -bs 128
logman update trace -n usbtrace -p Microsoft-Windows-USB-USBXHCI (Default,PartialDataBusTrace)
logman update trace -n usbtrace -p Microsoft-Windows-USB-UCX (Default,PartialDataBusTrace)
logman update trace -n usbtrace -p Microsoft-Windows-USB-USBHUB3 (Default,PartialDataBusTrace)
logman update trace -n usbtrace -p Microsoft-Windows-USB-USBPORT
logman update trace -n usbtrace -p Microsoft-Windows-USB-USBHUB
logman update trace -n usbtrace -p Microsoft-Windows-Kernel-IoTrace 0 2
logman start -n usbtrace
This will create a trace at %SystemRoot%\Tracing\usbtrace.etl
This log can become excessively large, and logging all activity for the USB stacks is not going to be a good idea between multiple sessions; this is more for troubleshooting USB activity.
USB disks will cause event ID 4688 to be logged to Windows>Security when inserted and mounted by the OS. Maybe that's enough, but there isn't a log entry anytime a USB device is connected. If the concern is removable storage devices, you can enforce auditing through Group Policy as described here:
Enforce a GPO with the following:
Computer Configuration>Security Settings>Advanced Audit Policy Configuration>Object Access>Audit Removable Storage>Success (and Failure if desired) audit event boxes checked.
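To try the Audit Removable Storage setting described above on a single machine and read back what it records, here is an added example (not part of the original answers). It assumes an elevated PowerShell prompt and an English-language system, since the subcategory and task category names are localized. The policy audits file access on removable storage (events 4656 and 4663), not the plug-in of the device itself.

```powershell
# Added example (not from the answers above). Run in an elevated PowerShell prompt.
# Assumption: English UI; "Removable Storage" is localized on other languages.

# Local equivalent of the GPO setting; a domain GPO overrides it at policy refresh.
auditpol /set /subcategory:"Removable Storage" /success:enable /failure:enable
auditpol /get /subcategory:"Removable Storage"

# 4656 = handle requested, 4663 = access attempted. The File System subcategory
# uses the same IDs, so keep only events whose task category is Removable Storage.
$filter = @{ LogName = 'Security'; Id = 4656, 4663; StartTime = (Get-Date).AddDays(-1) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskDisplayName -eq 'Removable Storage' }

# Turn each event's named EventData fields into one row.
$rows = foreach ($e in $events) {
    $data = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time    = $e.TimeCreated
        EventId = $e.Id
        Result  = $e.KeywordsDisplayNames -join ','   # Audit Success / Audit Failure
        User    = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process = $data['ProcessName']
        Object  = $data['ObjectName']
        Access  = $data['AccessMask']
    }
}

# Chronological view of file access on removable media in the last 24 hours.
$rows | Sort-Object Time | Format-Table -AutoSize -Wrap

# Accounts with the most removable-storage access events in the window.
$rows | Group-Object User | Sort-Object Count -Descending | Select-Object Count, Name
```

On a busy machine these events are high-volume, so size the Security log accordingly or forward it before relying on the audit trail.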
I'm not aware of a full list, so run a tool called EventGhost. When a device is attached or removed you see an event on the left side.
It includes a string with the hardware id. Look for the ID of your mouse