I am trying to make my device shut down whenever I take out my Win 10 BitLocker USB Startup Key (TSK). I have enabled the DriverFrameworks-UserMode/Operational logging to generate the appropriate logs, in which I want to grab the InstanceID of the specific USB drive.
It's able to pull all the 2102 events, from all removed USBs, if I do the following:
Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational -FilterXPath '*[System[(EventID=2102)]]'
However when I attempt to filter for the one specific drive, it just errors out:
Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Operational -FilterXPath '*[System[(EventID=2102)]] and *[UserData[UMDFHostDeviceRequest[@instanceID="SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}"]]]'
Whether I try changing all the & to &amp;, or use the original posted above, it comes up with the error of:
Get-WinEvent : No events were found that match the specified selection criteria.
At line:1 char:1
+ Get-WinEvent -LogName Microsoft-Windows-DriverFrameworks-UserMode/Ope ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (:) [Get-WinEvent], Exception
+ FullyQualifiedErrorId : NoMatchingEventsFound,Microsoft.PowerShell.Commands.GetWinEventCommand
Any help would be greatly appreciated.
Event ID 2102, General tab (Event Viewer) - Message
Forwarded a finished Pnp or Power operation (27, 23) to the lower driver for device SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B} with status 0x0
Logname: Microsoft-Windows-DriverFrameworks-UserMode/Operational
Source: DriverFrameworks-UserMode Logged: [Date]
Event ID: 2102 Task Category: Pnp or Power Management to a particular device
Level: Information Keywords:
User : LOCAL SERVICE Computer: [Computername]
Op Code: (2)
Event ID 2102, Details tab (Event Viewer) - XML View
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <Provider Name="Microsoft-Windows-DriverFrameworks-UserMode" Guid="{2e35aaeb-857f-4beb-a418-2e6c0e54d988}" />
    <EventID>2102</EventID>
    <Version>1</Version>
    <Level>4</Level>
    <Task>37</Task>
    <Opcode>2</Opcode>
    <Keywords>0x8000000000000000</Keywords>
    <TimeCreated SystemTime="2020-09-28T22:54:17.6538118Z" />
    <EventRecordID>1883</EventRecordID>
    <Correlation />
    <Execution ProcessID="6580" ThreadID="22636" />
    <Channel>Microsoft-Windows-DriverFrameworks-UserMode/Operational</Channel>
    <Computer>Roswell</Computer>
    <Security UserID="S-1-5-19" />
  </System>
  <UserData>
    <UMDFHostDeviceRequest xmlns="http://www.microsoft.com/DriverFrameworks/UserMode/Event">
      <LifetimeId>{c09c68ed-af3b-4e1a-b2dd-17e74f17dba3}</LifetimeId>
      <InstanceId>SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}</InstanceId>
      <RequestMajorCode>27</RequestMajorCode>
      <RequestMinorCode>23</RequestMinorCode>
      <Argument1>0x0</Argument1>
      <Argument2>0x0</Argument2>
      <Argument3>0x0</Argument3>
      <Argument4>0x0</Argument4>
      <Status>0</Status>
    </UMDFHostDeviceRequest>
  </UserData>
</Event>
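A working filter for this event, plus one way to turn it into the shutdown the question asks for, added here as an example; it is not code from the question or from the answer below. It assumes the same log and instance ID shown in the question's event XML; the task name, the SYSTEM principal and the shutdown arguments are my own choices. Two things in the question's XPath prevent a match: InstanceId is a child element of UMDFHostDeviceRequest, not an attribute, so @instanceID never matches; and the two conditions must sit inside one predicate on the Event node rather than being written as *[...] and *[...]. The ampersands only need to become &amp; when the query is embedded in XML (a task trigger subscription or -FilterXml), not when it is passed as a plain string to -FilterXPath.

```powershell
# Added example, not from the original post. Assumes Windows 10 with the
# DriverFrameworks-UserMode/Operational log enabled, as in the question.

$LogName = 'Microsoft-Windows-DriverFrameworks-UserMode/Operational'

# Instance ID copied from the question's event. Replace it with your own key's
# ID, copied verbatim from the event's XML view: the XPath match is an exact
# string comparison, so retyping it is a common way to get zero results.
$TargetId = 'SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN__USB&PROD__SANDISK_3.2GEN1&REV_1.00#0401FCC4C24B5204ED6A023E9446EBDE67DADF08C86BAB77DBE89C8C17C339C#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}'

# Event 2102 is logged for every PnP/power request forwarded for the device,
# not only removal. RequestMajorCode 27 is IRP_MJ_PNP (0x1B) and
# RequestMinorCode 23 is IRP_MN_SURPRISE_REMOVAL (0x17), which is what the
# question's event shows, so filter on those too. Raw '&' is fine here: this
# is an XPath string, not XML.
$XPath = "*[System[EventID=2102] and UserData/UMDFHostDeviceRequest[InstanceId='$TargetId' and RequestMajorCode=27 and RequestMinorCode=23]]"

# 1. Server-side filter: removal events for this one device.
function Get-KeyRemovalEvent {
    param([int]$MaxEvents = 10)
    # SilentlyContinue turns "No events were found" into an empty result.
    Get-WinEvent -LogName $LogName -FilterXPath $XPath -MaxEvents $MaxEvents -ErrorAction SilentlyContinue
}

# 2. Client-side cross-check: pull all 2102 events and compare the parsed XML.
#    If this finds events and Get-KeyRemovalEvent does not, the $TargetId
#    string differs from what is logged (PowerShell's -eq ignores case, the
#    event log XPath does not).
function Find-KeyRemovalEventByXml {
    param([int]$MaxEvents = 500)
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 2102 } -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        Where-Object {
            $x   = [xml]$_.ToXml()
            $req = $x.Event.UserData.UMDFHostDeviceRequest   # namespace ignored by the XML adapter
            $req.InstanceId -eq $TargetId -and
            [int]$req.RequestMajorCode -eq 27 -and
            [int]$req.RequestMinorCode -eq 23
        }
}

# 3. Act on it: a scheduled task whose trigger is an event-log subscription
#    with the same XPath. The query is now inside XML, so '&' must be '&amp;';
#    SecurityElement.Escape does that (and escapes the quotes, which is harmless).
#    Needs an elevated prompt. Task name, principal and arguments are assumptions.
function Register-KeyRemovalShutdownTask {
    param([string]$TaskName = 'BitLockerKeyRemovedShutdown')
    $escaped      = [System.Security.SecurityElement]::Escape($XPath)
    $subscription = "<QueryList><Query Id='0' Path='$LogName'><Select Path='$LogName'>$escaped</Select></Query></QueryList>"

    $triggerClass = Get-CimClass -ClassName MSFT_TaskEventTrigger -Namespace Root/Microsoft/Windows/TaskScheduler
    $trigger = New-CimInstance -CimClass $triggerClass -ClientOnly
    $trigger.Subscription = $subscription
    $trigger.Enabled      = $true

    $action    = New-ScheduledTaskAction -Execute 'shutdown.exe' -Argument '/s /f /t 0'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Trigger $trigger -Action $action -Principal $principal -Force
}

# Usage: pull the stick once, then check both paths agree before registering the task.
Get-KeyRemovalEvent      | Format-List TimeCreated, Id, Message
Find-KeyRemovalEventByXml | Format-List TimeCreated, Id, Message
# Register-KeyRemovalShutdownTask
```

Test the two query functions against a real removal before registering the task: once the trigger is in place, every surprise removal of that device forces an immediate shutdown, and a typo in the instance ID means the task never fires rather than failing loudly.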
Try this