Event Details
User Activity->System Events->Windows 2008->EventID 6416 - A new external device was recognized by the system.
EventID 6416 - A new external device was recognized by the system.
 Sample: 
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/1/2016 1:24:33 PM
Event ID:      6416
Task Category: Plug and Play Events
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IIZHU2016.itss.wm.zhu.cn.qsft
Description:
A new external device was recognized by the system.

Subject:
	Security ID:		SYSTEM
	Account Name:		IIZHU2016$
	Account Domain:		ITSS
	Logon ID:		0x3E7

Device ID:	SWD\PRINTENUM\{60FA1C6A-1AB2-440A-AEE1-62ABFB9A4650}

Device Name:	Microsoft Print to PDF

Class ID:		{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}

Class Name:	PrintQueue

Vendor IDs:	
		PRINTENUM\{084f01fa-e634-4d77-83ee-074817c03581}
		PRINTENUM\LocalPrintQueue
		{084f01fa-e634-4d77-83ee-074817c03581}
		
		

Compatible IDs:	
		GenPrintQueue
		SWD\GenericRaw
		SWD\Generic
		
		

Location Information:	-
===========================
Description template stored in adtschema.dll:
===========================
A new external device was recognized by the system.

Subject:
	Security ID:		%1
	Account Name:		%2
	Account Domain:		%3
	Logon ID:		%4

Device ID:	%5

Device Name:	%6

Class ID:		%7

Class Name:	%8

Vendor IDs:	%9

Compatible IDs:	%10

Location Information:	%11
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Detailed Tracking
Source Microsoft-Windows-Security-Auditing
TaskCategory Plug and Play Events
EventId 6416
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. - 1/1/2000
Who Account or user name under which the activity occured. Account Name
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "New external device recognized" New external device recognized
Where The name of the workstation/server where the activity was logged. - 10.10.10.10
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. - High
WhoDomain Account Domain LOGISTICS
WhereDomain -
Comments
You must be logged in to comment