Hi,
Is there other way to find the last drive mount point without knowing the ParentIDPrefix? currenly analyzing usb device and i found out there was no ParentIDPrefix from the system\CurrentControlSet\Enum\USBSTOR\**Serial**
I've also tried using "ForeniscsUSBDeviceInfo" tool (by Markwoan) and no luck so far =(
anyone can enlighten me on what happen here?
Best Regards,
Imammura
Hi,
Is there other way to find the last drive mount point without knowing the ParentIDPrefix? currenly analyzing usb device and i found out there was no ParentIDPrefix from the system\CurrentControlSet\Enum\USBSTOR\**Serial**
I've also tried using "ForeniscsUSBDeviceInfo" tool (by Markwoan) and no luck so far =(
anyone can enlighten me on what happen here?
Best Regards,
Imammura
Most likely, the device was an ext HDD, rather than a thumb drive.
Thanks Keydet89,
that helps alot, we also looked at the specification of the attached device and it is indeed and external hdd. but the question now, how can we find out the previous mount points of the ext HDD? is there any other ways?
thanking you in advance,
Imammura
but the question now, how can we find out the previous mount points of the ext HDD? is there any other ways?
There may be other keys available, depending upon the version of Windows you're working with…or you may have to resort to Restore Points or Volume Shadow Copies (again, depends on the version you're looking at…)
currently investigating an XP version of windows. any quick reference that you can share while I'm doing research on the restore point and volume shadow copies? apologies, I'm quite new to this. but thanks for the help =) Appreciate it
Best regards,
Zaki
You'll want to look at the MountedDevices key as well as the USBStor subkeys. In the user hive, the MountPoints2 keys.
Restore Points will have partial copies of the hive files. You're on XP, so you don't have to worry about VSCs.