If you’ve ever used a USB storage device and wondered how stealthy you can be with them, you’re in for a scare. Windows XP logs pretty much everything you’d want to know about that USB key in the registry each time it’s plugged in and written to.

When you plug in your USB drive, the Plug and Play manager gets notified and queries the device descriptor in the firmware for information about the device. This helps it locate a driver, which is referenced by various .inf files in the %SystemRoot%\inf folder. Once the device is identified and a driver selected, the information is dropped into HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR in a format similar to Disk&Ven_###&Prod_###&Rev_###, which will identify the device ID, manufacturer and more. An important number you will find here is the ParentID prefix, which I did not actually say during the segment, but it is something that will appear in virtually every registry entry regarding the device.

Microsoft uses serial numbers on the devices to distinguish between devices with the same manufacturer or model. If the serial number is not unique (or not present at all), the PnP manager will create a unique instance ID for the device.

All of the numbers you find related to each device should be logged if you’re doing any sort of investigation or trying to track a device across computers.

If you’re trying to determine whether data was perhaps pilfered from your machine or network, look at HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\DeviceClasses, where you will find the ParentID prefix and can correlate it to the device. You should also see the manufacturer name here. We are looking for the Last Write time, which will help in determining whether data was pilfered by giving you a timeframe as to when someone last copied data to the device. To get it, right-click the entry that has the ParentID prefix and manufacturer name for the device you want, and then click Export. Change the file extension to .txt and name it anything you want, remembering where you save the file. Upon opening this file, you will find the last write time.
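The lookup described above can be scripted once the keys are exported. The following is an added example, not code from the original post: it parses a constructed regedit text export, decodes the Disk&Ven_…&Prod_…&Rev_… key name, flags instance IDs that Windows generated itself, and matches the prefix against DeviceClasses to report that key's Last Write time. It assumes the registry value is named `ParentIdPrefix` (the "ParentID prefix" above) and a US-locale timestamp format.

```python
import re
from datetime import datetime

# Constructed sample modeled on regedit's text export (blank lines omitted); all IDs are made up.
SAMPLE_EXPORT = r"""
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\0A1B2C3D4E5F&0
Class Name:        <NO CLASS>
Last Write Time:   3/14/2009 - 4:15 PM
Value 0
  Name:            ParentIdPrefix
  Type:            REG_SZ
  Data:            7&1a2b3c4d&0
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_Reader&Rev_0.01\6&2f3e4d5c&0
Class Name:        <NO CLASS>
Last Write Time:   3/15/2009 - 11:40 AM
Key Name:          HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Class Name:        <NO CLASS>
Last Write Time:   3/16/2009 - 9:02 AM
"""
USBSTOR_RE = re.compile(r"\\Enum\\USBSTOR\\Disk&Ven_(.*?)&Prod_(.*?)&Rev_([^\\]*)\\([^\\]+)$", re.I)
VALUE_RE = re.compile(r"^[ \t]+Name:[ \t]+(.+)\n[ \t]+Type:.*\n[ \t]+Data:[ \t]+(.*)$", re.M)

def parse_export(text):
    """Split the export into keys: full name, last write time, and string values."""
    keys = []
    for block in re.split(r"(?m)^(?=Key Name:)", text.replace("\r\n", "\n")):
        name = re.search(r"^Key Name:\s+(.+)$", block, re.M)
        t = re.search(r"^Last Write Time:\s+(.+)$", block, re.M)
        if name and t:
            # Assumes the US-locale timestamp format; adjust for other regional settings.
            when = datetime.strptime(t[1].strip(), "%m/%d/%Y - %I:%M %p")
            keys.append({"name": name[1].strip(), "last_write": when,
                         "values": dict(VALUE_RE.findall(block))})
    return keys

def usb_devices(keys):
    """Decode each USBSTOR instance key and correlate its ParentIdPrefix to DeviceClasses."""
    found = []
    for k in keys:
        m = USBSTOR_RE.search(k["name"])
        prefix = k["values"].get("ParentIdPrefix")
        hits = [c["last_write"] for c in keys if m and prefix
                and "\\deviceclasses\\" in c["name"].lower() and prefix.lower() in c["name"].lower()]
        if m:
            found.append({"vendor": m[1], "product": m[2], "revision": m[3],
                          "instance_id": m[4], "parent_id_prefix": prefix,
                          # Convention from forensic references, not from the page: '&' as
                          # the second character marks an ID that Windows generated.
                          "generated_id": m[4][1:2] == "&",
                          "deviceclasses_last_write": max(hits) if hits else None})
    return found
```

Calling `usb_devices(parse_export(open(path).read()))` on a real export returns one record per USBSTOR instance key; a device with no matching DeviceClasses entry gets `None` for that timestamp.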

There are many applications for this data, and you’ll probably never be in the registry doing it quite this way, as there are many tools, both commercial and free, that will simplify all of this. This data is also used in tools and services that help track your devices, such as iHound (ihoundsoftware.com), which helps you track devices if they’re stolen.

If you have any questions, feel free to contact me here and visit my website. Many thanks to Harlan Carvey, author of the 2007 book Windows Forensic Analysis (I think I might’ve errantly said 2005, sorry), for without this book I wouldn’t have known as much as I do about the Windows registry.

–Chris Gerling Jr.

USB Device Tracking


  • rami_info

    Hi hak5 team

    Could you please tell me the code of the last hak5 episode because I’m really jumbled, I downloaded all of them but I’ve forgotten the last episode number.

    Waiting for reply

    Thnx a lot for everything

  • yashu maheshwari

    Can you tell me how I can steal the material present in a USB driver without asking anyone after removing the pen drive plzzzzzzzzzzzzzzz??????????????????

  • sam

    My computer is connected to a large LAN network. I am a student and have done a project on a company's PC. I want to copy the pro file but they have port security, so a computer does not detect any device on all external ports. I thought of unplugging the LAN cable but it is still not working.
    Please can you suggest a way to make USB readable on those protected ports? Also, if I somehow copy files, will it show what I have copied and how much? My file size is 1.2 GB.
