Retrieving USB Devices Connection from Event Log .evtx file

This topic contains 1 reply, has 2 voices, and was last updated by  Don Jones 2 months, 4 weeks ago.

  • #75511

    David Mower
    Participant

    I'm trying to retrieve a list of all the USB devices connected or disconnected from a Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx file.

    This is my current script:

    #clear the screen
    cls

    #ignore any errors
    #$ErrorActionPreference = "SilentlyContinue"

    #Variables start

    #empty if needed
    $USBevents = @()
    #result log
    $SavedName = "Devices Connected Disconnected Report $(get-date -f yy-MM-dd).htm"
    $USBresults = $PSScriptRoot + "\" + $SavedName
    #event log to load
    $LoadName = "Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx"
    $USBlog = $PSScriptRoot + "\" + $LoadName
    #xml paths
    $ns = @{'ns'='http://schemas.microsoft.com/win/2004/08/events/event'}
    $UMDF_xpath = "//ns:Data[@Name='UMDFHostDeviceRequest instance']"
    $ComputerID_xpath = "//ns:[@Name='Computer']"
    $usersid_xpath = "//ns:System[@Name='Security UserID']"
    #In the XPath statement, prefix each node name with the namespace name and a colon, such as //namespaceName:Node.

    #ensure results have suitable descriptions
    $type_lu = @{2003 = 'Query to load USB Drivers'
                 2004 = 'Loading Drivers for new Device'
                 2005 = 'Loading Drivers for new Device'
                 2100 = 'Power Operation for USB Device'
                 2101 = 'Power Operation for USB Device'
                 2102 = 'Power Operation for USB Device'
                 2105 = 'Power Operation for USB Device'
                 2106 = 'Power Operation for USB Device'
                 2103 = 'Error for Power Operation for USB Device'
                 2104 = 'USB Device Power Event'
                 2107 = 'USB Device Power Event'
                 2108 = 'USB Device Power Event'
                 2109 = 'USB Device Power Event'
                }

    #variables end


    #set HTML style for results (the style tags wrap the CSS that ConvertTo-Html -Head expects)
    $HTMLstyle = "<style>"
    $HTMLstyle = $HTMLstyle + "BODY{background-color:peachpuff;}"
    $HTMLstyle = $HTMLstyle + "TABLE{border-width: 1px;border-style: solid;border-color: black;border-collapse: collapse;}"
    $HTMLstyle = $HTMLstyle + "TH{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:thistle}"
    $HTMLstyle = $HTMLstyle + "TD{border-width: 1px;padding: 0px;border-style: solid;border-color: black;background-color:palegoldenrod}"
    $HTMLstyle = $HTMLstyle + "</style>"
    $HTMLbodySYS = "USB Devices - Connected and Disconnected"
    $HTMLbodySEC = "USB Devices - Connected and Disconnected"
    $CSSStyle = @'
    <style>
                ul {
                    padding-left: 5px;
                   }
                body { background-color:White;
                font-family:Tahoma;
                    font-size:12pt;
                     }
                td, th {border:1px solid black;}
                th {
                    color: black;
                    background-color:peachpuff;
                   }
                td { border-width: 1px;padding: 1px;border-style: solid;border-color: black; }
                TR:Hover TD { Background-Color: #C1D5F8; }
                table, tr, td, th { align:left; padding: 10px; margin: 0px; }
                table { width:75% }
                table { margin-left:0px; }
    </style>
    '@
    $Head = $HTMLstyle + $CSSStyle


    #write to host so the user knows the script is running
    Write-Host "Processing... Please wait ..."


    #filter the xml from the saved operational log (QueryList wrapper around the XPath select; Path points at the .evtx built above)
    $FilterXML = @"
    <QueryList>
      <Query Id="0" Path="file://$USBlog">
        <Select Path="file://$USBlog">
          *[System[(Level=1  or Level=2 or Level=3 or Level=4 or Level=0 or Level=5) and (EventID=2003 or EventID=2004 or EventID=2005 or EventID=2100 or EventID=2101 or EventID=2102 or EventID=2105 or EventID=2106 or EventID=2103 or EventID=2104 or EventID=2107 or EventID=2108 or EventID=2109)]]
        </Select>
      </Query>
    </QueryList>
    "@
    #file://C:\Users\David\OneDrive\Powershell Scripts\Events Log - System - Devices Connected\Microsoft-Windows-DriverFrameworks-UserMode%4Operational.evtx


    $USBevents = Get-WinEvent -FilterXml $FilterXML


    #pull filtered data from the xml of each event; one PSObject per event is collected in $XMLUSBresults
    If($USBevents) {
        $XMLUSBresults = ForEach($USBevent in $USBevents) {
            $xmlUSB = $USBevent.ToXml()
            $USBUMDF = (Select-Xml -Content $xmlUSB -Namespace $ns -XPath $UMDF_xpath).Node.'#text'
            $USBsid = (Select-Xml -Content $xmlUSB -Namespace $ns -XPath $usersid_xpath).Node.'#text'
            $USBComp = (Select-Xml -Content $xmlUSB -Namespace $ns -XPath $ComputerID_xpath).Node.'#text'
            #Translate needed to make usernames readable, from SID to USER
            $USBuser = (New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList $USBsid).Translate([System.Security.Principal.NTAccount]).Value
            New-Object -TypeName PSObject -Property @{
                Time = $USBevent.TimeCreated
                Computer = $USBComp
                User = $USBsid
                Id   = $USBevent.Id
                Message = $type_lu[$USBevent.Id]
            }
        }
        #convert results to a html file
        If($XMLUSBresults) {
            $XMLUSBresults | Sort Time -Descending | ConvertTo-Html -Head $Head -Body $HTMLbodySEC | Set-Content $USBresults
        }
    }


    #show success for user
    Write-Host "USB devices logfile Success."
    #open the created html file
    Invoke-Item $USBresults


    I've tried pasting a copy of an event's XML here but it won't format correctly. If you load this log on your system and click an event, you can see the format in the XML view.

    Currently I'm failing to retrieve the 'Computer' and 'User', which are returning as blank.

    I suspect I've got the following lines incorrect, but can't find the right solution. I've been trying with and without System, but with no joy.

    $ComputerID_xpath = "//ns:[@Name='Computer']"
    $usersid_xpath = "//ns:System[@Name='Security UserID']"
    

    Ideas anyone?
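As an added example (not from the original post or its author): the two blank columns come from addressing System fields as if they were EventData/Data entries, whereas in the standard Windows event XML Computer is a child element of System and UserID is an attribute of the Security element, so the XPath has to name the element or end in /@UserID. The event below is a constructed sample, not a real capture, and its EventData line is a placeholder rather than the real UMDF schema.

```powershell
# Constructed sample event (not a real capture). The System block follows the
# standard Windows event XML layout; the EventData line is a placeholder only.
$sampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" />
    <EventID>2003</EventID>
    <Computer>EXAMPLE-PC.example.local</Computer>
    <Security UserID="S-1-5-18" />
  </System>
  <EventData>
    <Data Name="PlaceholderField">placeholder value</Data>
  </EventData>
</Event>
'@

# Same namespace prefix the script already uses
$ns = @{ ns = 'http://schemas.microsoft.com/win/2004/08/events/event' }

function Get-UsbEventIdentity {
    param([string]$EventXml)

    # Computer is an element under System, so address it by element name;
    # [@Name='...'] only applies to EventData/Data elements that carry a Name attribute
    $computerNode = (Select-Xml -Content $EventXml -Namespace $ns -XPath '//ns:System/ns:Computer').Node
    $computer = if ($computerNode) { $computerNode.InnerText } else { $null }

    # UserID is an attribute on <Security/>, so the XPath ends in /@UserID
    $sidNode = (Select-Xml -Content $EventXml -Namespace $ns -XPath '//ns:System/ns:Security/@UserID').Node
    $sid = if ($sidNode) { $sidNode.Value } else { $null }

    # Events logged without a security context have no UserID, and Translate needs
    # a Windows account database, so fall back to the raw SID when it cannot resolve
    $user = $sid
    if ($sid) {
        try {
            $user = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch {
            $user = $sid
        }
    }

    [PSCustomObject]@{ Computer = $computer; UserSid = $sid; User = $user }
}

Get-UsbEventIdentity -EventXml $sampleEvent
```

In the script above, these two XPath strings replace the values of $ComputerID_xpath and $usersid_xpath; the attribute result is read with .Value instead of .'#text'.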

  • #75725

    Don Jones
    Keymaster

    You can't paste XML; it's your web browser refusing to render it. As indicated in the instructions above the posting textbox, use a Gist, which we can pull in if you paste the Gist URL into your message.

    I'll say this, though – for XQuery/XPath advice, which is basically what you're doing, nothing beats StackOverflow.com.
