USBSTOR Registry Entries Windows 7+

Banjax
(@banjax)
New Member

I'm trying to track down whether a specific USB hard drive was attached to any of 3 computers that I have E01 evidence files of.

(Edit: I no longer have access to the original USB device, just the E01 image of it.)

I've identified the Volume Serial Number of the USB hard drive and checked the SYSTEM hive of each, looking for the USBSTOR keys. While each lists several devices per computer, they do not appear in the format that I was expecting (the 8-digit VSN followed by &0 or &1) but are instead considerably longer.

Some of the keys start with 9&, which as I understand means that they did not have a readable VSN so the computer generated an ID for them, but the others look like hex strings and end in either &0 or &1; they're just too long.

The three computers are running Windows 7, Windows 8.1 and Windows 10 respectively.

Has Windows changed the way it records the VSN in the USBSTOR key in these versions of Windows, and if so, can the USB device still be identified from these entries?

Cheers

Topic starter Posted : 25/04/2017 3:47 pm
Deltron
(@deltron)
Active Member

Have you checked the log C:\Windows\inf\setupapi.dev.log?

Posted : 25/04/2017 9:43 pm
Banjax
(@banjax)
New Member

Have you checked the log C:\Windows\inf\setupapi.dev.log?

I hadn't. I've subsequently checked the EMDMgmt key in the registry and run grep searches for the VSN in hex; both of those came up blank.

I'm looking at the setupapi.dev.log file now, but I'm not sure what I'm looking for in there. The manufacturer name (verbatim) doesn't appear in the log, but looking at other USB devices installed, if one of those entries is a serial number of any kind, it's not one that I recognise as a serial number.

Topic starter Posted : 27/04/2017 1:58 pm
ssstu
(@ssstu)
New Member

Hello,

Hope this info helps

To find out USB Serial Number

SYSTEM\CurrentControlSet\Enum\USBSTOR

&

SOFTWARE\Microsoft\Windows NT\CurrentVersion\EMDMgmt

To find out Volume Name

SOFTWARE\Microsoft\Windows Portable Devices\Devices

To find out USB Vendor and Product ID

SYSTEM\CurrentControlSet\Enum\USB

Volume GUID and Assigned Volume Drive Letter

SYSTEM\MountedDevices

Time USB First Attached

SYSTEM\CurrentControlSet\Enum\USBSTOR

&

ROOT\Windows\inf\setupapi.dev.log

Time USB Last Attached after reboot

SYSTEM\CurrentControlSet\Enum\USB

User Account that mounted volume and Time USB Last Attached

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Posted : 10/05/2017 2:30 pm
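Editor's note, added to this thread and not written by any of the posters: the two artefacts that matter most for the original question are the USBSTOR key names asked about in the first post and the EMDMgmt key listed above, and they record two different numbers. The instance id under USBSTOR (the part after the backslash, ending in &0 or &1) is the serial string the USB device itself reports, which can be any length; when the device reports no usable serial, Windows generates an id whose second character is an ampersand (for example 7&… or 9&…). The filesystem Volume Serial Number is not in USBSTOR at all; it appears at the end of each EMDMgmt key name, written as a decimal integer rather than the hex form that vol or a forensic tool shows, so a hex grep for it will miss. The script below is an added example that parses both key-name layouts and matches a hex VSN against EMDMgmt entries. All key names in it are constructed samples, not values from the thread; the regular expressions encode the documented layout of these names and are an assumption about that layout.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# A USBSTOR device instance id looks like
#   Disk&Ven_<vendor>&Prod_<product>&Rev_<rev>\<serial>&<n>
# Everything before the backslash describes the device; the part after it is
# the instance id, i.e. the device's own USB serial string plus an "&<n>" suffix.
USBSTOR_RE = re.compile(
    r"^(?P<class>[^&\\]+)&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>.+)$"
)

# An EMDMgmt (ReadyBoost) key name embeds the USBSTOR id with '\' replaced by '#',
# the disk device-interface GUID, then "<volume label>_<VSN in decimal>".
# This pattern is an assumption about that documented layout.
EMDMGMT_RE = re.compile(
    r"^_\?\?_USBSTOR#(?P<dev>[^#]+)#(?P<instance>[^#]+)#"
    r"\{(?P<guid>[0-9a-fA-F-]{36})\}(?P<label>.*?)_(?P<vsn>\d+)$"
)

# Constructed sample key names (not taken from the thread or any real image).
USBSTOR_SAMPLES = [
    r"Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00\4C530001230917105120&0",
    r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\9&2f3a1b4c&0&_&0",
]
EMDMGMT_SAMPLES = [
    "_??_USBSTOR#Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00#4C530001230917105120&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}CRUZER_1677749055",
    "_??_USBSTOR#Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07#9&2f3a1b4c&0&_&0"
    "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}_305419896",
]


@dataclass
class UsbStorDevice:
    device_class: str
    vendor: str
    product: str
    revision: str
    serial: str               # serial string reported by the device, or a Windows-generated id
    windows_generated: bool   # True when Windows had to make the id up (second char is '&')


def parse_usbstor(key_name: str) -> UsbStorDevice:
    """Split a USBSTOR <device>\\<instance> key name into its fields."""
    m = USBSTOR_RE.match(key_name)
    if not m:
        raise ValueError(f"not a USBSTOR device id: {key_name!r}")
    instance = m.group("instance")
    # Instance ids end in "&<n>"; strip that suffix to get the serial part.
    serial = instance.rsplit("&", 1)[0]
    # A real USB serial string never has '&' as its second character; a
    # Windows-generated id (e.g. "9&2f3a1b4c&0&_&0") always does.
    generated = len(instance) > 1 and instance[1] == "&"
    return UsbStorDevice(
        device_class=m.group("class"), vendor=m.group("vendor"),
        product=m.group("product"), revision=m.group("rev"),
        serial=serial, windows_generated=generated,
    )


def vsn_hex_to_decimal(vsn_hex: str) -> int:
    """Convert a VSN as shown by vol or a forensic tool ('6400-6B3F') to the
    decimal integer that EMDMgmt key names end with."""
    return int(vsn_hex.replace("-", ""), 16)


def vsn_decimal_to_hex(vsn: int) -> str:
    """Inverse of vsn_hex_to_decimal, in the usual XXXX-XXXX form."""
    s = f"{vsn:08X}"
    return f"{s[:4]}-{s[4:]}"


@dataclass
class EmdMgmtEntry:
    device: UsbStorDevice
    label: str
    vsn: int


def parse_emdmgmt(key_name: str) -> Optional[EmdMgmtEntry]:
    """Parse one EMDMgmt subkey name; returns None for names in another layout."""
    m = EMDMGMT_RE.match(key_name)
    if not m:
        return None
    device = parse_usbstor(m.group("dev") + "\\" + m.group("instance"))
    return EmdMgmtEntry(device=device, label=m.group("label"), vsn=int(m.group("vsn")))


def find_volume(emdmgmt_names: List[str], vsn_hex: str) -> List[EmdMgmtEntry]:
    """Return every EMDMgmt entry whose volume serial equals vsn_hex."""
    wanted = vsn_hex_to_decimal(vsn_hex)
    return [e for e in map(parse_emdmgmt, emdmgmt_names) if e and e.vsn == wanted]


if __name__ == "__main__":
    for name in USBSTOR_SAMPLES:
        d = parse_usbstor(name)
        print(f"{d.vendor} {d.product}: serial={d.serial} generated={d.windows_generated}")
    for hit in find_volume(EMDMGMT_SAMPLES, "6400-6B3F"):
        print(f"VSN 6400-6B3F -> volume {hit.label!r} on {hit.device.vendor} "
              f"{hit.device.product}, device serial {hit.device.serial}")
```

Feed the script the subkey names exported from the SYSTEM and SOFTWARE hives of each image (any offline hive parser will list them) and search for the VSN through find_volume rather than by grepping the hex form. One caveat: EMDMgmt is only populated when ReadyBoost has evaluated a volume, so a device can be present under USBSTOR yet absent from EMDMgmt; in that case the device serial from USBSTOR, not the VSN, is the value to carry across to the USB, MountedDevices and MountPoints2 keys listed above.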