Need more info in the USB event description
When a USB device is disabled, the event description looks like this:
Device Manager Message The device was disabled successfully. [name]:Generic volume [class]:Storage volumes [guid]:71a27cdd-812a-11d0-bec7-08002be2092f [deviceID]:STORAGE\REMOVABLEMEDIA\7&28C17C0F&0&RM
which tells me precisely nothing about what was plugged in. The needed information is present in the registry for most devices, though. It's available under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.
Under that key you'll find the USB devices and they have a key called "FriendlyName", which in this case says "Apple iPod". In our experience about 90% of the USB devices we encountered have a FriendlyName that tells what was plugged in. A few do say "generic device".
If the value of FriendlyName could be put in the Event Description, it would make it much more valuable.
That being said, if the email itself had pertinent information so I don't have to open an attachment, that would be nice as well. That way I could automatically file the emails based on what happened.
Thanks for listening,
Ray
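The lookup Ray describes, written out as an added PowerShell example (this is not code from the original post or from the product being discussed). It reads FriendlyName and DeviceDesc from each instance key under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR. Because the [deviceID] in the alert (STORAGE\REMOVABLEMEDIA\...) is a volume instance rather than the USBSTOR key itself, the optional -InstanceId path climbs the PnP parent chain to the USBSTOR disk instance; that part assumes the PnpDevice module (Get-PnpDeviceProperty, Windows 8 / Server 2012 and later) and read access to the Enum key, which is exactly the access the security team in this thread does not have.

```powershell
# Added example, not from the original post: resolve a USB storage device's
# FriendlyName from the registry so an alert can be enriched at triage time.
# Assumptions: read access to HKLM\SYSTEM\CurrentControlSet\Enum and, for the
# -InstanceId parent walk, the PnpDevice module (Get-PnpDeviceProperty).

function Get-UsbStorFriendlyName {
    [CmdletBinding()]
    param(
        # Optional PnP instance ID copied from an alert's [deviceID] field.
        # If it is a volume ID, the function climbs to its USBSTOR ancestor.
        [string]$InstanceId
    )

    $enumRoot = 'HKLM:\SYSTEM\CurrentControlSet\Enum'

    if ($InstanceId) {
        $current = $InstanceId
        # Follow DEVPKEY_Device_Parent upward until a USBSTOR node is reached.
        # Get-PnpDeviceProperty returns the parent's instance ID in .Data.
        while ($current -and $current -notlike 'USBSTOR\*') {
            $prop = Get-PnpDeviceProperty -InstanceId $current `
                        -KeyName 'DEVPKEY_Device_Parent' -ErrorAction SilentlyContinue
            $current = $prop.Data
        }
        if (-not $current) {
            Write-Warning "No USBSTOR ancestor found for '$InstanceId' (device gone or not USB storage)"
            return
        }
        $keys = @(Get-Item -Path (Join-Path $enumRoot $current) -ErrorAction Stop)
    }
    else {
        # No ID supplied: enumerate every USBSTOR instance recorded on this host.
        # Layout is USBSTOR\<Disk&Ven_x&Prod_y&Rev_z>\<serial&index>.
        $keys = Get-ChildItem -Path (Join-Path $enumRoot 'USBSTOR') |
                ForEach-Object { Get-ChildItem -Path $_.PSPath }
    }

    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath
        [pscustomobject]@{
            # Strip the hive prefix so the output matches the PnP instance ID form.
            InstanceId   = $key.Name -replace '^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\', ''
            FriendlyName = $props.FriendlyName   # e.g. "Apple iPod"; may be absent for "generic" devices
            DeviceDesc   = $props.DeviceDesc     # fallback when FriendlyName is missing
        }
    }
}

# Usage: list everything seen on this machine, or resolve the ID from the alert text.
Get-UsbStorFriendlyName | Format-Table -AutoSize
Get-UsbStorFriendlyName -InstanceId 'STORAGE\REMOVABLEMEDIA\7&28C17C0F&0&RM'
```

The registry path for a device is simply Enum plus its PnP instance ID, which is why the function can jump straight from the parent's ID to its key. On newer Windows builds DeviceDesc is often stored as an indirect string (`@driver.inf,%id%;Text`), so treat FriendlyName as the primary field and DeviceDesc as a hint. Note also that USBSTOR keys persist after the device is unplugged, so a match here tells you what the device was, not that it is still attached.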
Comments
More information is always better.
Especially when it is as easily available as a registry read.
And especially when...
The security people do not have access to the registry on protected computers and servers because of separation of duties. I have to request one of the infrastructure people do the registry lookup each time an alert occurs before we can figure out how to handle the alert. That can cost a lot of time.
Ray