Windows Security Log Event ID 6419

Operating Systems Windows 2016 and 10
Windows Server 2019 and 2022
Category
 • Subcategory
Process Tracking
 • Plug and Play
Type Success
Corresponding events
in Windows 2003
and before
 

6419: A request was made to disable a device

On this page

This event is generated if a user attempts to disable a device on the system.  This event does not mean that a device was successfully disabled.  Event ID 6420 will be generated if this attempt is successful.  

These events are logged for all devices we tested – not just USB devices.

Free Security Log Resources by Randy

Description Fields in 6419

Subject:
Security ID: Domain\User performing the action.
Account Name: User performing the action.
Account Domain: Domain user belongs to.
Logon ID: Hexidecimal value of user

Device ID: ID of the device user attempted to disable.  In Device Manager you can find this listed as the "Device instance path" on the Details tab of the device.

Device Name: Name of device as it appears in Windows.  In Device Manager you can find this listed as the "Device description" on the Details tab of the device.

Class ID: GUID of the device as it appears in Windows.  In Device Manager you can find this listed as the "Class GUID" on the Details tab of the device.

Class Name: Class of the device as it appears in Windows. In Device Manager you can find this listed as the "Class" on the Details tab of the device.

Hardware IDs: List of IDs of the device as they appear in Windows.  In Device Manager you can find this listed as the "Hardware Ids" on the Details tab of the device.

Compatible IDs: List of Compatible IDs as they appear in Windows.  In Device Manager you can find this listed as the "Compatible Ids" on the Details tab of the device.

Location Information: Not always available.  This depends on the type of device.

Supercharger Enterprise


Load Balancing for Windows Event Collection

 

Examples of 6419

A request was made to disable a device.

Subject:
     Security ID:     AzureAD\BarryVista
     Account Name:     BarryVista
     Account Domain:     AzureAD
     Logon ID:     0x833A8
Device ID: PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000
Device Name: SDXC Card
Class ID: {4d36e967-e325-11ce-bfc1-08002be10318}
Class Name: DiskDrive
Hardware IDs:
     RSPCIESTOR\GenDisk
     GenDisk
Compatible IDs:
     SCSI\Disk

Location Information: -

These events are logged for all devices we tested – not just USB devices.

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection

 

Upcoming Webinars
    Additional Resources

      Go To Event ID:

      Security Log
      Quick Reference
      Chart
      Download now!