Note:I translated Japanese into English using Google Translate.
Thank you, Google.
When audit setting "Audit PNP Activity" is enabled on Windows 10, event ID 6416 is recorded. Auditing is not enabled for this item by default.
Let's check the record when connecting the USB memory.
Connect the USB memory. This USB memory was connected to the system for the first time.
Three records were recorded in the security log.
ID 6416
The user name is the computer account. It seems that it is necessary to confirm the account connected the USB device to the system with another item.
Slightly later, another 6416 records are also recorded. Volume name is recorded in the item of DeviceDescription.
Event IDs 6419 and 6420 are recorded when device is disabled.
Interesting, ID 6419 has recorded the user who disabled the device.
When you enable the device, IDs 6421 and 6422 are recorded.
Event ID 6421 records the user who activated the device.
Perform removal of the device.
Unfortunately, no record was recorded on removal of the device.
While shutting down the system with the USB device connected, records were not recorded.
When rebooting the system with the USB device connected, ID 6416 is recorded after system startup. (There was only one record related to the USB device.)
Verification environment: Windows 10 1083
Reference URL:
6416(S) A new external device was recognized by the System. (Windows 10) | Microsoft Docs
