USBStor
SYSTEM\CurrentControlSet\Enum\USBSTOR
USBStor is populated by the Windows Plug and Play manager the moment a USB mass storage device is connected. It records the device class, vendor ID, product ID and — critically — the device serial number in the key hierarchy. Every USB drive that has ever touched this machine has a permanent entry here, even if it was only connected once.
Key Name
USBSTOR\Disk&Ven_{Vendor}&Prod_{Product}&Rev_{Rev}\{SerialNumber} — the serial number subkey is uniquely tied to the physical device
Trace Type
Connectivity
Hive
SYSTEM
Last Write Time
The serial number subkey's Last Write Time reflects the most recent connection event for that specific device — enables precise connection timestamps for exfiltration timeline analysis.
User Specific
No. System-wide. Device enumeration happens at the machine level before user authentication.
Forensic Value
- Identify the specific physical device: The Vendor ID, Product ID and serial number uniquely identify the drive. Cross-reference with the suspect's known devices or seized hardware to confirm physical possession.
- Timestamp USB connection events: Last Write Time on the serial number subkey places the specific drive on this machine at a specific moment — essential for exfiltration timelines.
- Prove device connection despite removal: USBStor entries survive drive removal and system reboots indefinitely. A device connected once years ago is still recorded here.
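The key layout and Last Write Time described above can be turned into a connection timeline as follows. This is an added example, not part of the original page: the function names and the sample entries are constructed, and it assumes the key paths and FILETIME values were already exported from the SYSTEM hive by a registry parser. It also handles two details of the serial subkey: a trailing `&<n>` appended by Windows, and IDs with `&` as the second character, which Windows generates when the device reports no serial.

```python
import re
from datetime import datetime, timedelta, timezone

# Key layout from the page: USBSTOR\Disk&Ven_{Vendor}&Prod_{Product}&Rev_{Rev}\{SerialNumber}
KEY_RE = re.compile(
    r"USBSTOR\\Disk&Ven_(?P<vendor>[^&\\]*)&Prod_(?P<product>[^&\\]*)"
    r"&Rev_(?P<rev>[^\\]*)\\(?P<instance>[^\\]+)$", re.IGNORECASE)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Registry Last Write Time is a FILETIME: 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_usbstor(key_path, last_write_filetime):
    """Return device fields for a serial-number subkey, or None for any other key."""
    m = KEY_RE.search(key_path)
    if m is None:
        return None
    instance = m.group("instance")
    # '&' as the second character means Windows generated this ID because the
    # device reported no serial; it is not unique to the hardware.
    device_serial = not (len(instance) > 1 and instance[1] == "&")
    # For a device-reported serial, the trailing "&<n>" is appended by Windows.
    serial = instance.rsplit("&", 1)[0] if device_serial else instance
    return {"vendor": m.group("vendor"), "product": m.group("product"),
            "rev": m.group("rev"), "serial": serial,
            "device_serial": device_serial,
            "last_write_utc": filetime_to_utc(last_write_filetime)}

def timeline(entries):
    """Parse (key path, FILETIME) pairs and order them by Last Write Time."""
    rows = [parse_usbstor(path, ft) for path, ft in entries]
    return sorted((r for r in rows if r), key=lambda r: r["last_write_utc"])

# Constructed sample export: (key path, Last Write Time as FILETIME).
BASE = "SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\"
SAMPLE = [
    (BASE + r"Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00\4C530001234567891234&0",
     133549686000000000),
    (BASE + r"Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\6&2a1b3c4d&0",
     133500000000000000),
    (BASE + r"Disk&Ven_SanDisk&Prod_Cruzer_Blade&Rev_1.00", 133549686000000000),
]

if __name__ == "__main__":
    for row in timeline(SAMPLE):
        note = "" if row["device_serial"] else "  [Windows-generated ID, not unique]"
        print(row["last_write_utc"].isoformat(), row["vendor"], row["product"],
              row["serial"] + note)
```

Entries flagged as Windows-generated should not be used on their own to match a seized drive, since the ID does not come from the hardware.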