Mounteddevices order of entry

General (Technical, Procedural, Software, Hardware etc.)

Last Post by keydet89 17 years ago

2 Posts

2 Users

0 Reactions

386 Views

RSS

waterbottle

(@waterbottle)

New Member

Joined: 17 years ago

Posts: 1

Topic starter 04/09/2008 11:46 pm

Does anyone have a methodology for determining when entries were made in the Mounteddevices subkey?

Essentially, I would like to know which order the entries were made - but I would settle for knowing definitively the last entry made.

edit fixed thread title.

Quote

keydet89

(@keydet89)

Famed Member

Joined: 21 years ago

Posts: 3568

05/09/2008 11:34 pm

There may be a couple of ways of going about this…

If the system is XP, compare the current the System hive file to those located in Restore Points.

You might be able to find the MountedDevices key (no guarantee) in the unallocated space of the hive file itself…though that might be something of a stretch.

Another approach would be to correlate the entries with other artifacts, such as in the DeviceClasses subkey, or the MountPoints2 entries in the user's NTUSER.DAT file.

HTH,

ReplyQuote

8 Forums
15.7 K Topics
92.3 K Posts
285 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed