Source: Removable Storage Service
Received a device interface REMOVAL notification for device: \\?\IDE#DiskWDC_AC38400L__..etc..
Concepts to understand: What is the Removable Storage?
This event is generated by the Windows 2000 Mount Manager (MM), which is part of the PnP service. It is the kernel service responsible for assigning names to the volumes attached to the system. For each volume, it stores a name that is unique and is permanently identified with the volume, even after the volume has been removed from the system. You can find a list of the volumes that are or have been attached to the system at the HKLM\SYSTEM\MountedDevices registry key. The driver calls IoRegisterPlugPlayNotification, which generates event 134 at an interface arrival and event 135 at a removal. See also "Supporting Mount Manager Requests in a Storage Class Driver" from MSDN.
This message can be recorded when a device like a digital camera is attached to the system (i.e., via USB). These types of devices are typically considered just removable storage devices, and data can be transferred between the computer and the attached media.
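An added example, not from the original page: pairing the arrival (134) and removal (135) events described above into per-device attach sessions, as a removable-media audit would. The sample records and device paths are constructed, and the event 134 message wording is an assumption modeled on the event 135 text.

```python
import re
from datetime import datetime

# Constructed sample records: (timestamp, event ID, message).
# Device paths are made up; the 134 wording is assumed to mirror event 135.
SAMPLE_EVENTS = [
    ("2003-05-12 09:14:02", 134, r"Received a device interface ARRIVAL notification for device: \\?\USBSTOR#Disk&Ven_Example&Prod_Camera#0001"),
    ("2003-05-12 09:20:32", 135, r"Received a device interface REMOVAL notification for device: \\?\USBSTOR#Disk&Ven_Example&Prod_Camera#0001"),
    ("2003-05-12 10:01:00", 135, r"Received a device interface REMOVAL notification for device: \\?\IDE#DiskExample_Drive#0002"),
    ("2003-05-12 10:05:00", 7036, "An unrelated service event"),
    ("2003-05-12 11:30:00", 134, r"Received a device interface ARRIVAL notification for device: \\?\USBSTOR#Disk&Ven_Example&Prod_Stick#0003"),
]

DEVICE_RE = re.compile(r"notification for device:\s*(\S+)")
ARRIVAL, REMOVAL = 134, 135


def attach_sessions(events):
    """Pair each arrival with the next removal of the same device.

    Returns (sessions, orphan_removals, still_attached):
      sessions        - (device, start, end, seconds) for completed attachments
      orphan_removals - removals with no logged arrival (log gap or cleared log)
      still_attached  - devices with an arrival but no removal yet
    """
    still_attached, sessions, orphan_removals = {}, [], []
    for ts, event_id, message in sorted(events):
        match = DEVICE_RE.search(message)
        if event_id not in (ARRIVAL, REMOVAL) or not match:
            continue  # ignore other sources and malformed records
        device = match.group(1).lower()  # device paths are case-insensitive
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        if event_id == ARRIVAL:
            still_attached[device] = when
        elif device in still_attached:
            start = still_attached.pop(device)
            sessions.append((device, start, when, (when - start).total_seconds()))
        else:
            orphan_removals.append((device, when))
    return sessions, orphan_removals, still_attached


if __name__ == "__main__":
    done, orphans, attached = attach_sessions(SAMPLE_EVENTS)
    for device, start, end, seconds in done:
        print(f"{device}: attached {start} to {end} ({seconds:.0f}s)")
    for device, when in orphans:
        print(f"{device}: removal at {when} with no logged arrival")
    for device, when in attached.items():
        print(f"{device}: attached since {when}, no removal logged")
```
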
Links: ME159865, Supporting Mount Manager Requests in a Storage Class Driver