Specify Criteria Type

You can view log entries for specific device access event types by specifying the Type criteria.

The Computer, Traced on, and Transferred on fields are shown in the logs for every event associated with input/output device access, as described in the following table.

Criteria by Type

| Logged Event | Additional Information |
| --- | --- |
| MEDIUM-INSERTED: Occurs when a user inserts a CD/DVD in the computer drive or removable media reader. | Device type name of the device medium. Volume label is the medium tag. Medium hash is the hash number for the inserted medium. Other is the inserted medium serial number. |
| DEVICE-ATTACHED: Occurs when a device is connected to a computer. | None. |
| DEVICE-DETACHED: Occurs when a device is disconnected from a computer. | None. |
| READ-DENIED: Occurs when a user attempts to access an unauthorized device. | Device type name of the device medium. Volume label is the medium tag. File Name is the name of the file the user attempted to read. User Name is the name of the user who attempted to access the device. Process Name is the application used to access the device. Other is the exact access mask, in hexadecimal format, used to access the device. |
| WRITE-DENIED: Occurs when a user attempts to write a file to a read-only device. | Device type name of the device medium. Volume label is the medium tag. File Name is the name of the file the user attempted to write to removable media. User Name is the name of the user who attempted to access the device. Process Name is the application used to access the device. Other is the exact access mask, in hexadecimal format, used to access the device. |
| READ-GRANTED: Occurs when a user accesses an authorized device. | None. |
| WRITE-GRANTED: Occurs when a user copies data to an authorized device. | None. |
| ERROR: Occurs for errors created when a user accesses or encrypts a device. | Error details specific to the user action are shown. |
| KEYBOARD-DISABLED: Occurs when the user keyboard is disabled because a keylogger may be present. | None. |
| KEYLOGGER-DETECTED: Occurs when a keylogger is detected. | None. |
| MEDIUM-ENCRYPTED: Occurs when a removable storage medium is encrypted. | None. |
| ADMIN-AUDIT: Occurs when an administrator performs an action through the Management Console. | User Name is the name of the administrator. Audit Event is the type of action performed by the administrator. Target is the device that permissions were changed for. Target Computer is the name of the computer that the administrator changed permissions for. Target User is the user name that the administrator changed permissions for. |
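
The following triage script is an added example, not part of the product or its documentation. It shows how the event types and fields above can drive a review of exported log records. The CSV column layout, the timestamp format, the five-minute window and every sample value are assumptions constructed for the example.

```python
import csv
import io
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records; the CSV layout and all values are assumptions.
SAMPLE = r"""Type,Computer,Traced on,User Name,Process Name,File Name,Other
DEVICE-ATTACHED,WS-014,2024-05-02 09:14:03,,,,
WRITE-DENIED,WS-014,2024-05-02 09:14:20,jdoe,explorer.exe,E:\report.xlsx,0x00000002
WRITE-DENIED,WS-014,2024-05-02 09:14:31,jdoe,explorer.exe,E:\clients.csv,0x00000002
READ-GRANTED,WS-020,2024-05-02 09:30:00,,,,
READ-DENIED,WS-031,2024-05-02 10:02:11,asmith,cmd.exe,F:\tool.exe,0x00000001
KEYLOGGER-DETECTED,WS-031,2024-05-02 10:05:40,,,,
ADMIN-AUDIT,MGMT-01,2024-05-02 11:00:00,admin1,,,
"""

DENIED = {"READ-DENIED", "WRITE-DENIED"}
# Event types that get a human look regardless of volume (a choice made for this example).
REVIEW_ALWAYS = {"KEYLOGGER-DETECTED", "KEYBOARD-DISABLED", "ADMIN-AUDIT", "ERROR"}

def load(text):
    """Parse the export and sort records by their 'Traced on' timestamp."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["Traced on"], "%Y-%m-%d %H:%M:%S")
    return sorted(rows, key=lambda r: r["ts"])

def denied_counts(rows):
    """Count denied reads and writes per (computer, user, process)."""
    return Counter((r["Computer"], r["User Name"], r["Process Name"])
                   for r in rows if r["Type"] in DENIED)

def denied_after_attach(rows, window=timedelta(minutes=5)):
    """Denied events within `window` of a DEVICE-ATTACHED on the same computer."""
    last_attach, hits = {}, []
    for r in rows:
        if r["Type"] == "DEVICE-ATTACHED":
            last_attach[r["Computer"]] = r["ts"]
        elif r["Type"] in DENIED:
            t = last_attach.get(r["Computer"])
            if t is not None and r["ts"] - t <= window:
                hits.append(r)
    return hits

def review_queue(rows):
    """Records whose type alone warrants review."""
    return [r for r in rows if r["Type"] in REVIEW_ALWAYS]

if __name__ == "__main__":
    rows = load(SAMPLE)
    for key, n in denied_counts(rows).most_common():
        print(n, *key)
    for r in denied_after_attach(rows) + review_queue(rows):
        print(r["Traced on"], r["Computer"], r["Type"], r["File Name"])
```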
