Event Details
User Activity->System Events->Windows 2008->EventID 6422 - A device was enabled.
EventID 6422 - A device was enabled.
 Sample:
Log Name:      Security
Source:        Microsoft-Windows-Security-Auditing
Date:          11/1/2016 1:24:33 PM
Event ID:      6422
Task Category: Plug and Play Events
Level:         Information
Keywords:      Audit Success
User:          N/A
Computer:      IIZHU2016.itss.wm.zhu.cn.qsft
Description:
A device was enabled.

Subject:
	Security ID:		SYSTEM
	Account Name:		IIZHU2016$
	Account Domain:		ITSS
	Logon ID:		0x3E7

Device ID:	SWD\PRINTENUM\{60FA1C6A-1AB2-440A-AEE1-62ABFB9A4650}

Device Name:	Microsoft Print to PDF

Class ID:		{1ed2bbf9-11f0-4084-b21f-ad83a8e6dcdc}

Class Name:	PrintQueue

Hardware IDs:	
		PRINTENUM\{084f01fa-e634-4d77-83ee-074817c03581}
		PRINTENUM\LocalPrintQueue
		{084f01fa-e634-4d77-83ee-074817c03581}
		
		

Compatible IDs:	
		GenPrintQueue
		SWD\GenericRaw
		SWD\Generic
		
		

Location Information:	-
Log Type: Windows Event Log
 Uniquely Identified By:
Log Name: Security
Filtering Field Equals to Value
OSVersion Windows Vista (2008)
Windows 7 (2008 R2)
Windows 8 (2012)
Windows 8.1 (2012 R2)
Windows 10 (2016)
Category Detailed Tracking
Source Microsoft-Windows-Security-Auditing
TaskCategory Plug and Play Events
EventId 6422
Field Matching
FieldDescriptionStored inSample Value
When At what date and time a user activity originated in the system. - 1/1/2000
Who Account or user name under which the activity occured. Subject: Account Name
What The type of activity occurred (e.g. Logon, Password Changed, etc.) "Device enabled" Device enabled
Where The name of the workstation/server where the activity was logged. - 10.10.10.10
Where From The name of the workstation/server where the activity was initiated from. - 10.10.10.10
Severity Specify the seriousness of the event. - High
WhoDomain Subject: Account Domain LOGISTICS
WhereDomain -
Comments
You must be logged in to comment