diff --git a/Sources/EventViewerX/Enums/NamedEvents.cs b/Sources/EventViewerX/Enums/NamedEvents.cs
index a02ca1e..2dd1a8c 100644
--- a/Sources/EventViewerX/Enums/NamedEvents.cs
+++ b/Sources/EventViewerX/Enums/NamedEvents.cs
@@ -218,6 +218,11 @@ public enum NamedEvents {
 ///
 DeviceRecognized,
 
+ ///
+ /// Device was disabled
+ ///
+ DeviceDisabled,
+
 ///
 /// Object deleted
 ///
diff --git a/Sources/EventViewerX/Rules/Windows/DeviceDisabled.cs b/Sources/EventViewerX/Rules/Windows/DeviceDisabled.cs
new file mode 100644
index 0000000..2dae38f
--- /dev/null
+++ b/Sources/EventViewerX/Rules/Windows/DeviceDisabled.cs
@@ -0,0 +1,38 @@
+namespace EventViewerX.Rules.Windows;
+
+///
+/// Device was disabled
+/// 6420: A device was disabled.
+///
+public class DeviceDisabled : EventRuleBase {
+ public override List EventIds => new() { 6420 };
+ public override string LogName => "Security";
+ public override NamedEvents NamedEvent => NamedEvents.DeviceDisabled;
+
+ public override bool CanHandle(EventObject eventObject) {
+ // Simple rule - always handle if event ID and log name match
+ return true;
+ }
+
+ public string Computer;
+ public string DeviceId;
+ public string DeviceName;
+ public string ClassId;
+ public string ClassName;
+ public string Reason;
+ public string Who;
+ public DateTime When;
+
+ public DeviceDisabled(EventObject eventObject) : base(eventObject) {
+ _eventObject = eventObject;
+ Type = "DeviceDisabled";
+ Computer = _eventObject.ComputerName;
+ DeviceId = _eventObject.GetValueFromDataDictionary("DeviceId");
+ DeviceName = _eventObject.GetValueFromDataDictionary("DeviceDescription", "DeviceName");
+ ClassId = _eventObject.GetValueFromDataDictionary("ClassId");
+ ClassName = _eventObject.GetValueFromDataDictionary("ClassName");
+ Reason = _eventObject.GetValueFromDataDictionary("Reason");
+ Who = _eventObject.GetValueFromDataDictionary("SubjectUserName", "SubjectDomainName", "\\", reverseOrder: true);
+ When = _eventObject.TimeCreated;
+ }
+}
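Review bot: `DeviceDisabled,` is inserted in the middle of `NamedEvents`, and the members visible here (`DeviceRecognized,`, `DeviceDisabled,`) carry no explicit values, so every member declared after it would shift by one. The rest of the enum lies outside the hunk; if it is also implicitly numbered, callers compiled against the previous assembly, or data that stored the numeric value, will silently resolve to a different event, which for audit tooling means mislabelled findings. Appending the new member at the end of the enum, or assigning explicit values, avoids that.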
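Review bot: `Reason = _eventObject.GetValueFromDataDictionary("Reason");` reads a field that, as far as I know, event 6420 does not carry. Its documented data is the subject (SID, account name, domain, logon ID), `DeviceId`, `DeviceDescription`, `ClassId`, `ClassName`, `HardwareIds`, `CompatibleIds` and `LocationInformation`, so `Reason` would probably stay unset on every record. Please verify against a captured 6420 event, and consider replacing it with fields an analyst can pivot on, for example `LogonId = _eventObject.GetValueFromDataDictionary("SubjectLogonId");` with a matching field, plus `HardwareIds`. The class summary could also state that 6420 is only written when the "Audit PNP Activity" subcategory is enabled, so an empty result is not evidence that no device was disabled.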