Event ID: 6416

A new external device was recognized by the system. 

A new external device was recognized by the system.

Subject:
    Security ID:            %1
    Account Name:           %2
    Account Domain:         %3
    Logon ID:               %4

Class ID: %5

Vendor IDs: %6

Compatible IDs: %7

Location Information: %8


This event generates every time a new external device is recognized by a system.

This event generates, for example, when a new external device is connected or enabled.

Recommended Auditing
Always enable auditing of this sub category.

Volume
Low


Microsoft Documentation

Event ID - 6416



Name Field Insertion String OS Example
Security ID SubjectUserSid %1 Any SYSTEM
Account Name SubjectUserName %2 Any WORKSTATION14
Account Domain SubjectDomainName %3 Any THEDOMAIN
Logon ID SubjectLogonId %4 Any 0x3e7
Device ID DeviceId %5 Windows 10 [Version 1511+] SCSI\\Disk&Ven\_Seagate&Prod\_Expansion\\000000
Device Name DeviceDescription %6 Windows 10 [Version 1511+] Seagate Expansion SCSI Disk Device
Class ID ClassId %7 Any {4D36E967-E325-11CE-BFC1-08002BE10318}
Class Name ClassName %8 Windows 10 [Version 1511+] DiskDrive
Vendor IDs VendorIds %9 Any
Compatible IDs CompatibleIds %10 Any SCSI\Disk
Location Information LocationInformation %11 Any Bus Number 0, Target Id 0, LUN 0

Lookup Audit Policy Configuration Settings

C:\> AuditPol.exe /get /category:"Detailed Tracking"
How to enable Windows Auditing
Recommended Audit Policy

Operating Systems:
Windows 10 Windows 2016 Windows 2019 Windows 11 Windows 2022

Tags:
Audit Success
Audit Category:
Detailed Tracking

Audit Subcategory:
Plug and Play Events PnP Activity

LEFT/RIGHT arrow keys for navigation

Back to List