MountedDevices
SYSTEM\MountedDevices
MountedDevices maps each drive letter and volume mount point to the unique hardware signature of the physical device assigned to it. This allows Windows to consistently re-assign the same drive letter to the same device across connections. For investigators, it resolves the critical question of exactly which physical hardware was behind a given drive letter referenced in logs, shortcuts or malware paths.
Key Name
\DosDevices\{DriveLetter}: (REG_BINARY value containing either an MBR disk signature + partition offset or a GPT GUID identifying the specific volume)
Trace Type
Connectivity
Hive
SYSTEM
Last Write Time
The key's Last Write Time reflects when the last drive letter assignment change occurred — useful for detecting when new external devices were last mounted on the system.
User Specific
No. Machine-wide. Drive letter assignments are a system-level operation independent of user sessions.
Forensic Value
- Resolve drive letters to physical devices: When logs reference a path like G:\payload.exe, MountedDevices identifies the hardware. Cross-reference this with the USB Registry to get the serial number.
- Confirm USB volume identity: The disk signature in the binary data uniquely identifies the volume, allowing correlation with forensic images of seized drives.
- Map exfiltration paths: Proving that a specific drive letter was assigned to a unique device during the exfiltration window closes the chain of evidence between file access and the physical device.
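The REG_BINARY layouts named under Key Name can be decoded as shown below. This is an added example, not code from the original page: it goes beyond the two forms listed there by also handling the UTF-16LE device-path form commonly stored for removable devices, and the function names and sample bytes are constructed for illustration.

```python
import struct
import uuid

def parse_mounted_device(data: bytes) -> dict:
    """Decode the REG_BINARY data of one MountedDevices value."""
    if len(data) == 12:
        # MBR volume: 4-byte disk signature, then 8-byte partition start
        # offset in bytes, both little-endian.
        signature, offset = struct.unpack("<IQ", data)
        return {"type": "mbr", "disk_signature": f"{signature:08x}",
                "partition_offset": offset}
    if len(data) == 24 and data.startswith(b"DMIO:ID:"):
        # GPT volume: ASCII marker, then the 16-byte partition GUID in the
        # Windows mixed-endian layout (first three fields byte-swapped).
        return {"type": "gpt",
                "partition_guid": str(uuid.UUID(bytes_le=data[8:]))}
    try:
        text = data.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        text = ""
    if text.startswith(("_??_", "\\??\\")):
        # Device interface path: enumerator#device ID#instance ID#{class GUID}.
        # For USBSTOR, the instance ID is the field to match against USB keys.
        parts = text[4:].split("#")
        return {"type": "device_path", "enumerator": parts[0],
                "instance_id": parts[2] if len(parts) > 2 else None,
                "path": text}
    return {"type": "unknown", "raw": data.hex()}

# Constructed sample values (not taken from a real system).
SAMPLES = {
    "\\DosDevices\\C:": bytes.fromhex("4d3c2b1a0000100000000000"),
    "\\DosDevices\\D:": b"DMIO:ID:"
                        + bytes.fromhex("67452301ab89efcd0123456789abcdef"),
    "\\DosDevices\\G:": ("_??_USBSTOR#Disk&Ven_Example&Prod_Flash&Rev_1.00"
                         "#CONSTRUCTED0001&0"
                         "#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
                         ).encode("utf-16-le"),
}

def resolve(values: dict) -> dict:
    """Map each value name (drive letter or mount point) to its identity."""
    return {name: parse_mounted_device(d) for name, d in values.items()}

if __name__ == "__main__":
    for name, info in resolve(SAMPLES).items():
        print(name, info)
```

To run it against evidence, pass `resolve` a dictionary of value names and raw data exported from the SYSTEM hive's MountedDevices key.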
For more info, check out these articles: USB Registry