I know USB last write times have been covered before, I just want to make sure I have this.
Located in ControlSet001\Enum\USBStor I have the listing that was generated through RegRipper, the times associated with every one of the devices is exactly the same, is this because that is the last time the key was written to?
If I then navigate to the deviceclasses and correlate those devices with those found in USBStor the time associated with the device in the deviceclasses key is the last time the device was plugged into the computer.
If I did not explain this well please let me know, thank you.
Was my explanation correct? thank you.
The date/times displayed by RegRipper for an item reported correspond to the last written time for the registry key from where the information to report was extracted. I believe the help file goes into more detail on that.
To connect a registry key's last written time with the date and time that a device was plugged into the computer requires observation and testing. As you have reported from your observation, you have multiple registry keys relating to USB devices that were all last written at the same time. If each of these keys correspond to a different physical device it would be impossible or at the very least improbably that multiple devices were plugged into the computer at the same time.
This behavior has been seen before and discussed, but I don't think a conclusion was ever made. The best theory was that the application of a service pack caused the change. Has anyone done more research on this?