Windows Security Log Event ID 6423
Operating Systems | Windows 2016 and 10; Windows Server 2019 and 2022
Category • Subcategory | Process Tracking • Plug and Play
Type | Failure
Corresponding events in Windows 2003 and before |
6423: The installation of this device is forbidden by system policy
Logged as a result of the settings under \Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions. That category contains four device installation restriction settings that let you prevent installation of devices that match specified criteria. You can prevent installation of devices that match device IDs or device class GUIDs, or that are removable devices. You can also prevent installation of devices that do not match any other policies.
These events are logged for all devices we tested – not just USB devices.
Subject:
Security ID: Domain\User performing the action.
Account Name: User performing the action.
Account Domain: Domain user belongs to.
Logon ID: Hexadecimal value of the user's logon session.
Device ID: ID of the device user attempted to disable. In Device Manager you can find this listed as the "Device instance path" on the Details tab of the device.
Device Name: Name of device as it appears in Windows. In Device Manager you can find this listed as the "Device description" on the Details tab of the device.
Class ID: GUID of the device as it appears in Windows. In Device Manager you can find this listed as the "Class GUID" on the Details tab of the device.
Class Name: Class of the device as it appears in Windows. In Device Manager you can find this listed as the "Class" on the Details tab of the device.
Hardware IDs: List of IDs of the device as they appear in Windows. In Device Manager you can find this listed as the "Hardware Ids" on the Details tab of the device.
Compatible IDs: List of Compatible IDs as they appear in Windows. In Device Manager you can find this listed as the "Compatible Ids" on the Details tab of the device.
Location Information: Not always available. This depends on the type of device.
The installation of this device is forbidden by system policy.
Subject:
Security ID: SYSTEM
Account Name: DESKTOP-3PNSS2S$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Device ID: PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000
Device Name: Disk drive
Class ID: {00000000-0000-0000-0000-000000000000}
Class Name:
Hardware IDs:
RSPCIESTOR\GenDisk
GenDisk
Compatible IDs:
SCSI\Disk
Location Information: -
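Added example (not part of the original page): a Python parser for the rendered 6423 message text, run over the example event shown above. It uses the field labels from the description on this page; the function names and the disk heuristic in `is_disk_device` are assumptions of this example.

```python
# Field labels as listed in the field descriptions on this page.
LABELS = ("Security ID", "Account Name", "Account Domain", "Logon ID",
          "Device ID", "Device Name", "Class ID", "Class Name",
          "Hardware IDs", "Compatible IDs", "Location Information")
LIST_FIELDS = ("Hardware IDs", "Compatible IDs")  # one ID per following line

def parse_6423(message):
    """Return a dict of 6423 fields; the two ID lists become Python lists."""
    event = {name: [] for name in LIST_FIELDS}
    current = None  # list field currently collecting continuation lines
    for raw in message.splitlines():
        line = raw.strip()
        label, sep, value = line.partition(":")
        if sep and label in LABELS:
            value = value.strip()
            if label in LIST_FIELDS:
                current = label
                if value and value != "-":
                    event[label].append(value)
            else:
                current = None
                # An empty value and "-" both mean the field was not reported.
                event[label] = None if value in ("", "-") else value
        elif current and line:
            event[current].append(line)  # continuation line of an ID list
    return event

def is_disk_device(event):
    """Assumed heuristic: last path element of any ID is GenDisk or Disk."""
    ids = event["Hardware IDs"] + event["Compatible IDs"]
    return any(i.split("\\")[-1].lower() in ("gendisk", "disk") for i in ids)

# Example event text copied from this page (indentation already flattened).
SAMPLE = r"""The installation of this device is forbidden by system policy.
Subject:
Security ID: SYSTEM
Account Name: DESKTOP-3PNSS2S$
Account Domain: WORKGROUP
Logon ID: 0x3E7
Device ID: PCISTOR\DISK&VEN_RSPER&PROD_RTS5208LUN0&REV_1.00\0000
Device Name: Disk drive
Class ID: {00000000-0000-0000-0000-000000000000}
Class Name:
Hardware IDs:
RSPCIESTOR\GenDisk
GenDisk
Compatible IDs:
SCSI\Disk
Location Information: -"""
```

Matching on the known labels rather than on indentation keeps the parser working when the message text has been flattened, as it is in the example above.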