6419 A request was made to disable a device
Written when a request is made to disable a device. It captures the start of a device-disable operation.
Overview
The subcategory is Audit PNP Activity. It is generated when a request to disable a device is issued. The actual disabling is shown by 6420.
How it is triggered
- A device-disable request via Device Manager, an API, or policy.
Security review points
- A request to disable a security-relevant device (network adapter, TPM, monitoring device, etc.) can lead to weakening of defenses or evasion of isolation. Check the target device and requesting subject.
- Correlate the request (6419) with the execution (6420) to track what was actually disabled. Flag any unexpected device disabling.
Notes for log review
- This event also occurs during legitimate operations and troubleshooting. Match the target device and subject against normal patterns.
- Review the disabling of security-related devices at high priority.
Key fields
| Field | Meaning |
|---|---|
| Device ID | The target device |
| Subject\Account Name | The requesting subject |
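
The review steps above (pair each 6419 request with its 6420 execution, compare the device and subject against normal patterns, and rank security-related devices first) can be sketched as follows. This is an added example, not code from the original page. The flat record layout, the `review_disable_requests` helper, the caller-supplied watchlist and account baseline, the 60-second window, the medium/low tiers, and the assumption that 6420 carries the same Device ID are all illustrative.

```python
from datetime import datetime, timedelta

# Constructed sample records, not real log data. The flat dict layout and
# key names are assumptions; device_id / account mirror the Key fields table.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "event_id": 6419,
     "device_id": r"USB\EXAMPLE-AUDIO\1", "account": "helpdesk01"},
    {"time": "2024-05-01T09:00:02", "event_id": 6420,
     "device_id": r"USB\EXAMPLE-AUDIO\1", "account": "helpdesk01"},
    {"time": "2024-05-01T23:14:10", "event_id": 6419,
     "device_id": r"ACPI\EXAMPLE-TPM\1", "account": "jdoe"},
    {"time": "2024-05-01T23:14:11", "event_id": 6420,
     "device_id": r"acpi\example-tpm\1", "account": "jdoe"},
    {"time": "2024-05-02T02:30:00", "event_id": 6419,
     "device_id": r"USB\EXAMPLE-CAM\7", "account": "jdoe"},
]

def review_disable_requests(events, watched_devices, expected_accounts,
                            window=timedelta(seconds=60)):
    """Pair each 6419 request with a later 6420 for the same device, then rate it."""
    watched = {d.lower() for d in watched_devices}
    expected = {a.lower() for a in expected_accounts}
    events = sorted(events, key=lambda e: datetime.fromisoformat(e["time"]))
    used, findings = set(), []
    for i, req in enumerate(events):
        if req["event_id"] != 6419:
            continue
        start, dev = datetime.fromisoformat(req["time"]), req["device_id"].lower()
        executed = False
        for j in range(i + 1, len(events)):
            done = events[j]
            if datetime.fromisoformat(done["time"]) - start > window:
                break  # later events fall outside the correlation window
            if j not in used and done["event_id"] == 6420 and done["device_id"].lower() == dev:
                used.add(j)  # one 6420 confirms at most one request
                executed = True
                break
        # Security-relevant device -> high; unfamiliar subject -> medium (assumed tiers).
        if dev in watched:
            priority = "high"
        elif req["account"].lower() not in expected:
            priority = "medium"
        else:
            priority = "low"
        findings.append({"time": req["time"], "device_id": req["device_id"],
                         "account": req["account"], "executed": executed,
                         "priority": priority})
    return findings
```

A request with `executed` set to false has no matching 6420 inside the window, which is worth a look on its own when the device is on the watchlist.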