Automatically generated based on tag:

ETW - Devices and USB activity Page For devices and USB activity.

Various events are generated for devices and USB activity, split across a number of channels. More events and information are available on recent versions of the Windows operating system.

Using known variables about a given device, found for example in the Windows registry, events can be used to determine timestamps of activity for the device, such as when the device was first plugged, last plugged and unplugged.

Additionally, supplementary information about devices can be retrieved from events, such as device storage sizes and an extract of their partition table.

Events: 507, 500, 502, 503, 504, 505, 506, 510.

Microsoft-Windows-Kernel-PnP/Device Configuration.
Events: 400, 401, 410, 411, 420, 430.

Microsoft-Windows-Kernel-PnP/Device Management.
Event: 1010.

Event: 1006.

Events: 142, 4, 9, 10, 300, 303.

Jumplists Page Introduced in Windows 7, Jumplists are linked to a taskbar user experience-enhancing feature that allows users to "jump" to files, folders or others elements by right-clicking on open applications in the Windows taskbar.

Information of interest: target file absolute path, size, attributes, and Modified, Access, and Birth timestamps (updated whenever the file is "jumped" to).

Remote desktop connections made using the Windows built-in mstsc.exe client will generate an entry in the AutomaticDestinations JumpList that may reference the remote host.

Registry - Devices and USB activity Page The registry hold numerous information on currently and previously plugged devices, such as USB devices. The information is stored across a number of registry keys.

Given a known variable about a device as input (such as the device serial number for example), other identifiers can be retrieved from the registry: serial number, vendor ID, product ID, device id (vendor and product names), instance ID, device interface class, associated volume friendly name and volume letter, etc.

The first and last plugged-in timestamps, and last unplugged timestamp (for Windows 7 / 8 and later) of a device are also stored in the registry (Enum\USB and Enum\USBSTOR registry keys).



HKLM\SYSTEM - MountedDevices

HKLM\SYSTEM - DeviceClasses

HKLM\SOFTWARE - Windows Portable Devices

HKLM\SOFTWARE - VolumeInfoCache


HKCU\SOFTWARE - MountPoints2
Registry - MountPoints2 Page The MountPoints2 registry key references the currently or previously mapped drives (such as the system drive, USB devices, or network shares) mounted by the associated user.

Information of interest: each drive is represented by a subkey, which is named as either the volume GUID, a letter, or, for network shares "##<IP | HOSTNAME>#<SHARE_NAME>".

Registry key:
Setupapi logs Page The setupapi logs are plaintext log files that track installation of devices and drivers on the system.

The logs are rotated and preserved, so historical data dating back to the system install is usually available.

Information of interest: device serial number, device id (vendor and product names) or vendor ID (VID) + product ID (PID), and when a device was first plugged (in the local timezone of the system).
Windows XP:

Starting from Windows 7:
Windows devices terminology Page The Windows operating system uses a number of "device identification strings" and "device instance identification strings" to identify devices that are plugged / installed on a computer, and their instances.

The following identification strings are defined: vendor ID, product ID, device ID, hardware ID, instance ID, device instance ID, and container ID.

These various identifiers can be used to uniquely identify USB drives plugged into a computer, and are referenced in various registry keys, ETW events, and log files.

View on GitHub