While looking for other USB related things, I came across these
http//
Devices that support Microsoft OS Descriptors must store a special USB string descriptor in firmware at the fixed string index of 0xEE. This string descriptor is called a Microsoft OS String Descriptor.
When a new device is attached to a computer for the first time, an operating system that supports Microsoft OS Descriptors will request the string descriptor that is at index 0xEE. The Microsoft OS String Descriptor contains an embedded signature field that the operating system uses to differentiate it from other strings that might be at index 0xEE. The presence of a string descriptor that contains the proper signature field at index 0xEE indicates to the operating system that the device supports Microsoft OS Descriptors. The Microsoft OS String Descriptor also provides the operating system with version information.
After the operating system requests a Microsoft OS String Descriptor from a device, it creates the following registry key
HKLM\SYSTEM\CurrentControlSet\Control\UsbFlags\vvvvpppprrrrr
The operating system creates a registry entry, named osvc, under this registry key that indicates whether the device supports Microsoft OS Descriptors. If the device does not provide a valid response the first time that the operating system queries it for a Microsoft OS String Descriptor, the operating system will make no further requests for that descriptor.
http//
In the vvvvpppprrrrr key,
vvvv is a 4-digit hexadecimal number that identifies the vendor
pppp is a 4-digit hexadecimal number that identifies the product
rrrr is a 4-digit hexadecimal number that contains the revision number of the device.
Which, it seems to me, has not been mentioned on the Forum.
It seemingly can provide - from a forensic standpoint - some info that can be useful to cross-check the contents of more common "USB device connection history" related keys, such as
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\*
jaclaz
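The cross-check suggested in the post above, as an added example that is not part of the original thread: it splits UsbFlags subkey names into vendor, product and revision and flags devices that have no matching entry under Enum\USB. The sample key names and osvc bytes are constructed, and both the Enum\USB naming (VID_xxxx&PID_xxxx) and the two-byte osvc encoding are assumptions stated in the comments.

```python
import re

# Key name layout per the field descriptions quoted above: vvvv + pppp + rrrr.
USBFLAGS_RE = re.compile(r"^([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})([0-9A-Fa-f]{4})$")
# Assumption: Enum\USB subkeys are named VID_xxxx&PID_xxxx[&...].
ENUM_USB_RE = re.compile(r"^VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)

def parse_usbflags_key(name):
    """Split a UsbFlags subkey name into (vendor, product, revision), else None."""
    m = USBFLAGS_RE.match(name)
    return tuple(p.upper() for p in m.groups()) if m else None

def osvc_supported(osvc):
    """Assumed encoding: 00 00 = not supported, 01 xx = supported (xx = vendor code)."""
    if osvc is None or len(osvc) != 2:
        return None  # value absent or malformed: undetermined
    return osvc[0] == 0x01

def cross_check(usbflags, enum_usb_ids):
    """Report each UsbFlags device and whether Enum USB also knows its VID/PID."""
    seen = set()
    for dev_id in enum_usb_ids:
        m = ENUM_USB_RE.match(dev_id)
        if m:
            seen.add((m.group(1).upper(), m.group(2).upper()))
    report = []
    for name, osvc in sorted(usbflags.items()):
        parsed = parse_usbflags_key(name)
        if parsed is None:
            continue  # some other subkey, not a device entry
        vid, pid, rev = parsed
        report.append({"vid": vid, "pid": pid, "rev": rev,
                       "ms_os_desc": osvc_supported(osvc),
                       "in_enum_usb": (vid, pid) in seen})
    return report

# Constructed sample data (not from a real hive): subkey name -> osvc bytes.
SAMPLE_USBFLAGS = {
    "1234ABCD0100": b"\x00\x00",
    "5678000A0200": b"\x01\x90",
    "9ABC00010001": None,        # device key with no osvc value
    "NotADeviceKey": None,       # hypothetical non-device subkey, skipped
}
SAMPLE_ENUM_USB = ["VID_1234&PID_ABCD", "VID_5678&PID_000A&MI_00"]

if __name__ == "__main__":
    for row in cross_check(SAMPLE_USBFLAGS, SAMPLE_ENUM_USB):
        print(row)
```

A device that appears in UsbFlags but not in Enum\USB is a lead worth following up, since the two keys are written independently.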
We also found this key interesting, but haven't incorporated it into our reporting yet. You may want to check out our list of all the keys we believe are related to USB storage devices, at the bottom of this page
http//
If you find any more please give me a heads-up and I'll update the spreadsheet. On a somewhat related note, I haven't found any Microsoft documentation regarding the keys unique to Windows 8 in our list… and suspect we (computer forensics practitioners) may be on our own there!
Mark
We also found this key interesting, but haven't incorporated it into our reporting yet. You may want to check out our list of all the keys we believe are related to USB storage devices, at the bottom of this page
http//
ArsenalRecon.com/apps/
To be picky (as I am) the MODS start from XP SP1.
Cannot say if it is due to the fact that I don't use "newish" versions of Office and their .xlsx format, but as seen in an earlier Office version (through the MS converter) the spreadsheet lists in the "upper" part MS urls OK, while in the second open and closing brackets become %28 and %29.
If you find any more please give me a heads-up and I'll update the spreadsheet.
Will do.
At first glance you are missing a few related to MPT (also the protocol and the WPD class of device is/was there in XP as well), see
http://www.forensicfocus.com/Forums/viewtopic/t=9881
http://www.forensicfocus.com/Forums/viewtopic/p=6563145/#6563145
OT 😯 can you believe, see
http//
that someone has "shortened" Bluetooth to "BLUTUTH"?
jaclaz
Picky is good! We'll start getting more granular and include service pack levels when we know them.
Thanks for the heads-up on the other keys. Lots of downloads of the spreadsheet, but you are the first person to give us feedback. Much appreciated and we'll have a new version up soon.
Thanks for the heads-up on the other keys.
No prob. )
We are trying to learn/expand knowledge.
I haven't double/triple checked the spreadsheet, but there is a list I made some time ago (for another scope)
http//
http//
and in your spreadsheet the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}
is missing.
Idea (quickly tested) but of course only a "starting point".
Run USBDEVIEW on a system
http//
Run Regmon on it (hitting refresh).
The Regmon log contains all keys accessed by the nice Nirsoft tool (that should be a superset of the ones involved, i.e. some keys in the log might be not strictly connected to USB).
This is the list of the "strange" keys (I mean the ones with ID's within curly brackets) I get running the above on my system (XP SP2):
HKLM\SYSTEM\(Control Sets)\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}\0003
HKLM\SYSTEM\(Control Sets)\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}\0011
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{00873fdf-cafe-80ee-aa5e-00c04fb1720b}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{1186654d-47b8-48b9-beb9-7df113ae3c67}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{215d3559-e677-4e8e-aa38-0e1fc3a92e9d}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{2accfe60-c130-11d2-b082-00a0c91efb8b}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{2c7089aa-2e0e-11d1-b114-00c04fc2aae4}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{2eb07ea0-7e70-11d0-a5d6-28db04c10000}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{378de44c-56ef-11d1-bc8c-00a0c91405dd}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{3abf6f2d-71c4-462a-8a92-1e6861e6af27}
HKLM\System\(Control Sets)\Control\DeviceClasses\{3abf6f2d-71c4-462a-8a92-1e6861e6af27}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{3c0d501a-140b-11d1-b40f-00a0c9223196}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{3e227e76-690d-11d2-8161-0000f8775bf1}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{456f868b-66cf-4bdf-bfb7-84de59cc2778}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{473db41c-cc0e-4ce7-89fe-1e980922806c}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{4747b320-62ce-11cf-a5d6-28db04c10000}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{4afa3d53-74a7-11d0-be5e-00a0c9062857}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{4d1e55b2-f16f-11cf-88cb-001111000030}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{4d36e978-e325-11ce-bfc1-08002be10318}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{53172480-4791-11d0-a5d6-28db04c10000}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{53f5630a-b6bf-11d0-94f2-00a0c91efb8b}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{53f5630e-b6bf-11d0-94f2-00a0c91efb8b}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{53f56311-b6bf-11d0-94f2-00a0c91efb8b}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{5b45201d-f2f2-4f3b-85bb-30ff1f953599}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{62152103-2103-11d8-a524-000c76121847}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{65E8773D-8F56-11D0-A3B9-00A0C9223196}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{6994AD04-93EF-11D0-A3CC-00A0C9223196}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{6bdd1fc6-810f-11d0-bec7-08002be2092f}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{7162a293-9840-4107-8e3e-118f3cb0e922}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{811fc6a5-f728-11d0-a537-0000f8753ed1}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{86841137-ed8e-4d97-9975-f2ed56b4430e}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{86e0d1e0-8089-11d0-9ce4-08003e301f73}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{884b96c3-56ef-11d1-bc8c-00a0c91405dd}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{97b2cac0-9e83-45ac-9c87-fbb27e75b7e1}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{97ebaacb-95bd-11d0-a3ea-00a0c9223196}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{97f76ef0-f883-11d0-af1f-0000f800845c}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{97fadb10-4e33-40ae-359c-8bef029dbdd0}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{9ea331fa-b91b-45f8-9285-bd2bc77afcde}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{a5dcbf10-6530-11d2-901f-00c04fb951ed}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{a7c7a5b1-5af3-11d1-9ced-00a024bf0407}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{ad498944-762f-11d0-8dcb-00c04fc3358c}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{ad809c00-7b88-11d0-a5d6-28db04c10000}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{bf963d80-c559-11d0-8a2b-00a0c9255ac1}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{d322f7c6-584c-4816-bc8a-23c87c1e61ef}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{d6c5066e-72c1-11d2-9755-0000f8004788}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{DDA54A40-1E4C-11D1-A050-405705C10000}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{dff220f3-f70f-11d0-b917-00a0c9223196}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{f18a0e88-c30c-11d0-8815-00a0c906bed8}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{fbf6f530-07b9-11d2-a71e-0000f8004788}
HKLM\SYSTEM\(Control Sets)\Control\DeviceClasses\{ffbb6e3f-ccfe-4d84-90d9-421418b03a8e}
jaclaz
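The log-filtering step of the procedure described above, as an added example that is not part of the original thread: it pulls the GUID-bearing keys under HKLM\SYSTEM out of a saved Regmon log, folds the control set name into "(Control Sets)" and removes duplicates that differ only in case. The sample log lines and their tab-separated layout are constructed; keys are cut at the GUID component.

```python
import re

# A path under HKLM\SYSTEM up to and including its first {GUID} component.
GUID_KEY_RE = re.compile(
    r"(HKLM\\SYSTEM\\[^\t]*?"
    r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\})",
    re.I)
CONTROL_SET_RE = re.compile(r"\\(?:CurrentControlSet|ControlSet\d{3})\\", re.I)

def guid_keys(log_lines):
    """Return the unique GUID-bearing keys seen in the log, sorted."""
    found = {}
    for line in log_lines:
        for path in GUID_KEY_RE.findall(line):
            # Fold CurrentControlSet / ControlSet00n into one placeholder.
            path = CONTROL_SET_RE.sub(lambda m: "\\(Control Sets)\\", path)
            # Registry paths are case-insensitive: keep the first spelling seen.
            found.setdefault(path.lower(), path)
    return sorted(found.values(), key=str.lower)

# Constructed sample log lines (assumed layout: tab-separated columns).
SAMPLE_LOG = [
    "1\t0.001\tUSBDeview.exe:1234\tOpenKey\t"
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceClasses\\"
    "{a5dcbf10-6530-11d2-901f-00c04fb951ed}\tSUCCESS",
    "2\t0.002\tUSBDeview.exe:1234\tEnumerateKey\t"
    "HKLM\\System\\ControlSet001\\Control\\DeviceClasses\\"
    "{A5DCBF10-6530-11D2-901F-00C04FB951ED}\\##?#USB\tSUCCESS",
    "3\t0.003\tUSBDeview.exe:1234\tQueryValue\t"
    "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Class\\"
    "{36FC9E60-C465-11CF-8056-444553540000}\\0003\\DriverDesc\tSUCCESS",
    "4\t0.004\tUSBDeview.exe:1234\tOpenKey\t"
    "HKLM\\SOFTWARE\\Microsoft\\Windows\tSUCCESS",
]

if __name__ == "__main__":
    for key in guid_keys(SAMPLE_LOG):
        print(key)
```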