Microsoft-Windows-TerminalServices-ServerUSBDevices
20 events across 4 channels
| Event | Title | Channel | Sample |
|---|---|---|---|
| 2 | message. | Debug | N |
| 3 | message. | Debug | N |
| 4 | message. | Analytic | N |
| 5 | message. | Analytic | N |
| 6 | message. | Debug | N |
| 7 | message. | Debug | N |
| 8 | message. | Analytic | N |
| 9 | message. | Analytic | N |
| 32 | Failed to create Physical Device Object for device objectPointer. | Analytic | N |
| 34 | Driver for device objectPointer failed to load. | Analytic | N |
| 35 | Device deviceName is not supported on this machine, a generic driver is loaded. | Admin | N |
| 36 | Redirection of additional supported devices is disabled by policy. | Admin | Y |
| 37 | Device deviceName is successfully installed. | Operational | N |
| 38 | Client requests to redirect device objectPointer. | Debug | N |
| 39 | Client requests to remove a redirected device objectPointer. | Debug | N |
| 40 | Dynamic virtual channel objectPointer is connected. | Debug | N |
| 41 | Dynamic virtual channel objectPointer is disconnected. | Debug | N |
| 42 | Redirected device objectPointer name is nameString. | Debug | N |
| 43 | Redirected device objectPointer is starting. | Debug | N |
| 44 | Redirected device objectPointer is stopping. | Debug | N |
Event ID 32: Failed to create Physical Device Object for device objectPointer.
#Event ID 34: Driver for device objectPointer failed to load.
#Event ID 35: Device deviceName is not supported on this machine, a generic driver is loaded.
#Event ID 36: Redirection of additional supported devices is disabled by policy.
#Description
Redirection of additional supported devices is disabled by policy.
Message #
Example Event #
{
"system": {
"provider": "Microsoft-Windows-TerminalServices-ServerUSBDevices",
"guid": "DCBE5AAA-16E2-457C-9337-366950045F0A",
"event_source_name": "",
"event_id": 36,
"version": 0,
"level": 3,
"task": 0,
"opcode": 0,
"keywords": 9223372036854775808,
"time_created": "2026-03-11T06:31:09.458920+00:00",
"event_record_id": 10,
"correlation": {},
"execution": {
"process_id": 2044,
"thread_id": 800
},
"channel": "Microsoft-Windows-TerminalServices-ServerUSBDevices/Admin",
"computer": "LAB-WIN11",
"security": {
"user_id": "S-1-5-18"
}
},
"event_data": {},
"message": ""
}
Event ID 37: Device deviceName is successfully installed.
#Event ID 38: Client requests to redirect device objectPointer.
#Event ID 39: Client requests to remove a redirected device objectPointer.
#Event ID 40: Dynamic virtual channel objectPointer is connected.
#Event ID 41: Dynamic virtual channel objectPointer is disconnected.
#Event ID 42: Redirected device objectPointer name is nameString.
#Event ID 43: Redirected device objectPointer is starting.
#Event ID 44: Redirected device objectPointer is stopping.
#Provenance
Where this provider's schema came from, and which Windows build it was observed on. Windows can change a provider's event schema between builds, so use this to judge whether it matches the build you collect from.
ETW provider GUID dcbe5aaa-16e2-457c-9337-366950045f0a
Defined in tsusbhub.sys, the binary that emits these events.
Observed on:
- WS2022-20348.4893, schema read from the registered manifest, binary version 10.0.20348.1, captured 2026-06-02
- Win11-26200.6584, schema read from the registered manifest, binary version 10.0.26100.1, captured 2026-06-02