Setup API Log
The Setup API log is a persistent plain-text record of device driver installation events on a Windows system. When a USB device, peripheral or hardware component is connected for the first time and the Plug and Play (PnP) subsystem has to install a driver for it, it writes a detailed, timestamped section into this log. For investigators this is an accurate and often overlooked history of the external devices introduced to a machine, including the first-connection time of each one. Routine re-connections of an already installed device are not logged, so the absence of later entries does not mean the device was never used again.
General
The Setup API log is stored in two plain-text files in C:\Windows\INF: setupapi.dev.log and setupapi.setup.log. The device installation log (setupapi.dev.log) is the primary forensic target. Each device installation is written as a section that opens with a ">>>  [Device Install ...]" header line and closes with a "<<<  [Exit status: ...]" line, and carries the device's hardware ID, the driver that was installed, the section start and end timestamps and the result. The log is often intact when other artifacts are not: it is not exposed through any UI control, tools that clear Event Logs or registry keys rarely touch it, and when the file grows past its size limit Windows archives it in the same directory under a dated name such as setupapi.dev.YYYYMMDD_HHMMSS.log instead of truncating it, so collect the archived copies as well. It is, however, an ordinary file written by the user-mode PnP device installation service, not by the kernel: an administrator can edit or delete it, and the level of detail logged is governed by the LogLevel value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup. The timestamps recorded are the local system time at the moment of installation, written without a time-zone marker, so account for the host's time zone and any clock changes when building a timeline. On Windows XP the equivalent single file was C:\Windows\setupapi.log.
Traces
When we parse the Setup API log, we look for device installation blocks with these key data points:
- Hardware ID: The device instance path from the section header, such as USB\VID_XXXX&PID_XXXX\<serial>. The VID and PID identify the USB device's manufacturer and product; the final element is the device's serial number or, when the device reports none, a Windows-generated instance ID (recognisable by an "&" as its second character) that identifies the port rather than the physical unit.
- First Connection Timestamp: The local system time on the "Section start" line, which is the device's first-ever connection to the host. Later connections of the same device do not produce a new section unless the driver is reinstalled.
- Driver INF File: The name and path of the driver package (INF) that Windows selected and installed for the device.
- Device Description: The human-readable label for the connected hardware, for example "USB Mass Storage Device".
- Installation Result: "Exit status: SUCCESS", or "FAILURE" with a status code, on the line that closes the section.
- and more.
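A parser for the section layout described above, as an added example (not code from the original page): it walks a constructed sample modelled on the Windows 10 setupapi.dev.log format, pulls the instance path, "Section start" time, INF and exit status out of each Device Install section, separates real USB serial numbers from Windows-generated instance IDs and emits a USB first-connection timeline. The sample log and its VID/PID values, serials, paths and timestamps are made up, and the InfName/DevDesc field labels are taken from the "Created Driver Node" block of that format; check them against the target system's log before relying on the parser, because the exact field lines vary with Windows version and LogLevel.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample in the layout of a Windows 10 setupapi.dev.log, trimmed to the lines the
# parser cares about. Not a real capture: VID/PID values, serials, paths and times are made up.
SAMPLE_LOG = r"""[Device Install Log]
[BeginLog]
>>>  [Device Install (Hardware initiated) - USB\VID_0781&PID_5567\4C530001250715118421]
>>>  Section start 2023/03/14 09:12:05.117
     dvi: {Build Driver List} 09:12:05.130
     dvi:      Created Driver Node:
     dvi:           InfName      - C:\Windows\System32\DriverStore\FileRepository\usbstor.inf_amd64_0123456789abcdef\usbstor.inf
     dvi:           DevDesc      - USB Mass Storage Device
     dvi: {Build Driver List - exit(0x00000000)} 09:12:05.161
<<<  Section end 2023/03/14 09:12:06.402
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - USB\VID_046D&PID_C52B\6&2a1b3c4d&0&2]
>>>  Section start 2023/03/14 09:40:11.003
     dvi:           InfName      - C:\Windows\System32\DriverStore\FileRepository\input.inf_amd64_fedcba9876543210\input.inf
     dvi:           DevDesc      - USB Input Device
<<<  Section end 2023/03/14 09:40:12.870
<<<  [Exit status: FAILURE(0xe0000203)]
>>>  [Device Install (Hardware initiated) - PCI\VEN_8086&DEV_15E3&REV_21\3&11583659&0&FE]
>>>  Section start 2023/03/14 09:41:30.500
     dvi:           DevDesc      - USB xHCI Compliant Host Controller
<<<  Section end 2023/03/14 09:41:31.010
<<<  [Exit status: SUCCESS]
"""

# Section framing (>>> / <<<) starts at column 0; field lines are indented and prefixed (dvi:, inf:, ...).
HEADER_RE = re.compile(r"^>>>\s+\[Device Install \((?P<kind>[^)]*)\) - (?P<instance>.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")
EXIT_RE = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")
INF_RE = re.compile(r"\bInfName\s+-\s+(?P<inf>\S+)")
DESC_RE = re.compile(r"\bDevDesc\s+-\s+(?P<desc>.+?)\s*$")
USB_RE = re.compile(r"^USB\\VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})(?:&[^\\]*)?\\(?P<serial>.+)$")
TS_FMT = "%Y/%m/%d %H:%M:%S.%f"   # local host time, millisecond precision, no zone marker

@dataclass
class DeviceInstall:
    kind: str                     # e.g. "Hardware initiated"
    instance_id: str              # device instance path from the section header
    first_seen: datetime          # 'Section start' time of the install, i.e. first connection
    inf_path: Optional[str] = None
    description: Optional[str] = None
    exit_status: Optional[str] = None

def usb_identity(instance_id: str) -> Optional[Tuple[str, Optional[str]]]:
    """(VID:PID, serial) for a USB instance path, None for non-USB devices.
    Windows synthesises the last path element when a device reports no serial; the tell-tale is
    '&' as its second character. That value names a port, not a unit, so it is returned as None."""
    m = USB_RE.match(instance_id)
    if not m:
        return None
    serial = m["serial"]
    if len(serial) > 1 and serial[1] == "&":
        serial = None
    return f"{m['vid'].upper()}:{m['pid'].upper()}", serial

def parse_setupapi(text: str) -> List[DeviceInstall]:
    """One record per 'Device Install' section; the file header and other section kinds are skipped."""
    installs: List[DeviceInstall] = []
    header = None   # Device Install header waiting for its 'Section start' line
    current = None  # section currently being filled
    for line in text.splitlines():
        if m := HEADER_RE.match(line):
            header, current = m, None
        elif m := START_RE.match(line):
            if header is not None:  # a 'Section start' without our header opens another section kind
                current = DeviceInstall(header["kind"], header["instance"], datetime.strptime(m["ts"], TS_FMT))
                installs.append(current)
            header = None
        elif current is None:
            continue
        elif m := INF_RE.search(line):
            current.inf_path = current.inf_path or m["inf"]  # keep the first candidate driver node
        elif m := DESC_RE.search(line):
            current.description = current.description or m["desc"]
        elif m := EXIT_RE.match(line):
            current.exit_status = m["status"]
            current = None  # section closed; do not attach later lines to it
    return installs

def usb_history(installs: List[DeviceInstall]) -> List[dict]:
    """First-connection timeline of USB devices, oldest first; non-USB installs are dropped."""
    rows = []
    for d in sorted(installs, key=lambda d: d.first_seen):
        ident = usb_identity(d.instance_id)
        if ident is None:
            continue
        rows.append({"first_seen_local": d.first_seen.isoformat(sep=" ", timespec="milliseconds"),
                     "vid_pid": ident[0], "serial": ident[1], "description": d.description,
                     "inf": d.inf_path, "status": d.exit_status})
    return rows

if __name__ == "__main__":
    for row in usb_history(parse_setupapi(SAMPLE_LOG)):
        print(row)
```

Run as a script it prints the two USB rows and silently drops the PCI host controller. Against a real image, read setupapi.dev.log with a tolerant decoder (errors="replace") and feed the archived setupapi.dev.*.log copies through the same function. For the dual-source record described under Forensic Value, compare the serial column with the instance key names under HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR after stripping their trailing "&0"; a serial present here but absent from the registry is a candidate for cleared registry artifacts.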
Forensic Value
We use the Setup API log to build device connection histories and track external media:
- USB Device History: Identifying every flash drive whose driver was installed on a system, even when the registry artifacts have been cleared. Correlate the serial numbers with the USB Registry artifacts for a dual-source connection record.
- First-Connection Proof: Establishing the date and time a specific external device was first introduced to a machine, in the local time of the host clock.
- Rogue Hardware Detection: Identifying unauthorized hardware devices installed on a system.
- Suspect Device Correlation: Matching the hardware ID logged in setupapi to physical devices found during a search.
For more info, check out these articles: USB Registry