Virtual Event: Threat Detection and Incident Response Summit - Watch Sessions
Connect with us

Hi, what are you looking for?


Security Infrastructure

Use Microsoft Error Reporting to Improve Network Visibility: Websense

Websense is providing free source code, queries and lookups designed to help organizations use Microsoft Error Reporting to identify USB devices connecting to their networks.

Websense is providing free source code, queries and lookups designed to help organizations use Microsoft Error Reporting to identify USB devices connecting to their networks.

Also known as Dr. Watson reports, the Microsoft Error Reporting feature was indirectly the source of controversy a few weeks ago when it was made public that the NSA had intercepted these reports and use them to gather information about its targets. With this data in hand, the spy agency could get a better read on the hardware on software on a given network and use that information to tailor its cyber-operations.

According to Websense, enterprises can use Dr. Watson reports for their own use as well – in this case, to identify when a storage device such as a USB drive or mobile phone is plugged into their network.  

“We were surprised to learn that a USB drive insertion considered a hardware change, and that detailed information about the USB device and computer that it was plugged into being sent to Microsoft,” blogged Websense Director of Threat Research Alex Watson. “These logs are sent to Microsoft via HTTP URL-encoded messages. Organizations can use knowledge about their content and how to decode these messages to detect USB drives and devices that could be a risk to the organization. This knowledge can help organizations detect USB drives and devices such as those used in the KCB and [Edward] Snowdn leaks, and automatically generate reports when they are plugged into a secure system.”

Dr. Watson Reports for Security

The error report is sent to Microsoft every time an application crashes, fails to update, or a hardware change happens to a PC running Windows. In Windows Vista and later, these reports are automated and part of an opt-out program Microsoft estimates nearly 80 percent of the PCs in the world participate in, Watson explained.

“These reports can be gathered in a variety of ways, either by examining outbound web proxy logs… creating an IPS rule in an open source intrusion prevention system such as Snort or Suricata, or by simply monitoring a SPAN port using a sniffer such as Wireshark,” Watson blogged. “In our last blog entry, we discussed an information leakage that can arise with these reports and suggested that organizations set up a group policy that sends reports to an on-premise server which then forces encryption before forwarding to Microsoft. In this case, the reports can be processed at the organization’s WER (Windows Error Reporting) collection server.”

The Dr. Watson reports have a specific report type for USB inserted devices. Organizations can start by filtering down to messages containing ‘PnPGenericDriverFound’. Using some lookup tables, the information that follows can be broken up into several fields, including date, USB device manufacturer and host computer BIOS version and UMI [unique machine identifier].

Advertisement. Scroll to continue reading.

“It turns out the Vendor and Device ID lookups can be a little tricky – but map exactly to Windows and Linux driver databases,” Watson blogged. “To see an example for yourself, try typing “lsusb” from a Linux machine. After scraping some online driver databases, we put together a lookup script that you can use for vendors and device codes that you can download on GitHub. These will obviously need to be updated periodically to remain up to date. Feel free to add new device codes yourself, or check back to our site for updates.”

“Using Splunk or a similar SIEM tool, create lookups to map the vendor and product IDs that you see in the Watson logs above to the manuf_ids.csv and product_ids.csv files that have been attached,” he added. “Please note that our Product ID lookup contains the VID+PID (Vendor ID and Product ID) together – this is the one you’ll most likely want to use in your lookups.”

The next step is decoding the WER report structure. Websense has included some Splunk queries that can be used to detect USB device insertions and create reports. It is also possible to configure the SIEM tool to trigger a report every time a certain device is added to the network.

In an interview with SecurityWeek, Watson added that the crash reports can be fed into any SIEM tool or custom framework. Leveraging this information can allow business to better understand what devices, applications and applications versions are deployed on their network without needing a dedicated endpoint.

Organizations can also use this to help prevent data leaks by filtering the reports based on computer names or IP addresses from computers with sensitive data.  However, this is not meant to replace data loss prevention (DLP) products.

“DLP is an incredible technology that is really starting to gain traction in the security marketplace to enable businesses to protect their data,” Watson told SecurityWeek. “I view the example we provided as a way for businesses that have not deployed DLP to start to see the value that it can provide.”

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Security Infrastructure

Comcast jumps into the enterprise cybersecurity business, betting that its internal security tools and inventions can find traction in an expanding marketplace.

Management & Strategy

Hundreds of companies are showcasing their products and services this week at the 2023 edition of the RSA Conference in San Francisco.

Security Infrastructure

XDR's fully loaded value to threat detection, investigation and response will only be realized when it is viewed as an architecture


Identity and access governance vendor Saviynt has closed a $205 million financing round.

Cloud Security

The term ‘zero trust’ is now used so much and so widely that it has almost lost its meaning.


Security orchestration, automation and response (SOAR) provider Swimlane on Monday announced the launch of a security automation solution ecosystem for operational technology (OT) environments.

Identity & Access

The National Security Agency (NSA) has published a series of recommendations on how to properly configure IP Security (IPsec) Virtual Private Networks (VPNs).