Device PnP (Interface & PowerShell)
The Device PnP interface is the administrative gateway to the machine's hardware history. While the Registry stores the raw data, the PnP interface (queried via PowerShell or Device Manager) provides a processed, human-readable view of every peripheral the kernel's PnP manager has ever enumerated on the system.
General
Technically, when you query PnP devices, you are interacting with the Configuration Manager APIs and the Win32_PnPEntity WMI class. This system was designed to allow the OS to maintain "Device Persistence." Microsoft implemented this so that hardware configurations (like COM port assignments or specialized USB settings) remain static even if the device is unplugged and moved to a different physical port. This persistence is what creates the "historical" trail that forensics can exploit long after the physical evidence has been removed.
Traces
In PowerShell, these historical traces are accessed using Get-PnpDevice. Unlike the standard GUI, PowerShell allows you to filter specifically for disconnected devices that are still registered in the system state.
- Status 'Unknown': In the PnP database, a device that is historically recorded but not currently plugged in will often return a status of "Unknown" or "CM_PROB_DEVICE_NOT_HERE."
- The Registry Source: All data viewed here is pulled from HKLM\SYSTEM\CurrentControlSet\Enum\USB. PowerShell simply parses the Device Instance Path, which contains the critical Serial Number or Unique Identifier.
- ClassGuids: Every historical trace is categorized by a ClassGuid (e.g., {36fc9e60-c465-11cf-8056-444553540000} for USB hubs). This allows investigators to filter specifically for storage devices while ignoring system-level components like virtual bus drivers.
Forensic Use Cases
Using the PnP interface via PowerShell allows for rapid, automated forensic auditing of "ghost" hardware:
- Automated Mass-Storage Audits: By running Get-PnpDevice -Class 'USBDevice', an investigator can instantly export a CSV of every USB device ever connected, including its Friendly Name and Serial Number, without manually clicking through hundreds of Registry keys.
- Identifying "Non-Present" Hardware: If a device appears in the PnP list but is not "Present," it confirms the device was used in the past. This is vital in data exfiltration cases to prove that an external "Western Digital" drive was once connected to a machine, even if the drive is no longer at the scene.
- Driver Association: The PnP traces link a specific hardware ID to a specific .inf file. If an investigator finds a PnP trace for a "Rubber Ducky" or a "Wifi Pineapple" driver, it serves as high-fidelity evidence that specialized hacking hardware was once initialized on that specific OS installation.
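The audit described above, written out as an added PowerShell example (not code from the original page). It assumes Windows 10/11 with the built-in PnpDevice module, uses the standard DEVPKEY_Device_DriverInfPath / LastArrivalDate / LastRemovalDate property keys, and $OutCsv is a placeholder output path.

```powershell
# Added example: enumerate historical ("ghost") USB devices through the PnP
# interface, recover serial/unique id, driver .inf and timestamps, export CSV.
# Assumptions: PnpDevice module present; $OutCsv is a placeholder path.
$OutCsv = "$env:TEMP\usb-history.csv"

# ClassGuid quoted on the page for USB controllers/hubs; used here to drop
# bus-level components from the report.
$UsbBusGuid = '{36fc9e60-c465-11cf-8056-444553540000}'

# Without -PresentOnly, Get-PnpDevice also returns devices that are still
# registered under HKLM\SYSTEM\CurrentControlSet\Enum but no longer attached.
$ghosts = Get-PnpDevice |
    Where-Object { -not $_.Present -and
                   $_.InstanceId -like 'USB*' -and      # covers USB\ and USBSTOR\
                   $_.ClassGuid -ne $UsbBusGuid }

$report = foreach ($dev in $ghosts) {
    # Instance path layout: USB\VID_xxxx&PID_xxxx\<serial-or-generated-id>
    $parts = $dev.InstanceId -split '\\'
    $uid   = if ($parts.Count -ge 3) { $parts[2] } else { '' }
    # For USB\ entries an '&' as the second character of the last segment means
    # Windows generated the id because the device reported no serial number.
    $hasSerial = ($uid.Length -gt 1) -and ($uid[1] -ne '&')

    # Driver .inf and arrival/removal timestamps live in device properties.
    $props = @{}
    foreach ($key in 'DEVPKEY_Device_DriverInfPath',
                     'DEVPKEY_Device_LastArrivalDate',
                     'DEVPKEY_Device_LastRemovalDate') {
        $p = Get-PnpDeviceProperty -InstanceId $dev.InstanceId -KeyName $key -ErrorAction SilentlyContinue
        $props[$key] = if ($p) { $p.Data } else { $null }
    }

    [PSCustomObject]@{
        FriendlyName  = $dev.FriendlyName
        Class         = $dev.Class
        Status        = $dev.Status          # typically 'Unknown' for non-present devices
        InstanceId    = $dev.InstanceId
        UniqueId      = $uid
        HasRealSerial = $hasSerial
        DriverInf     = $props['DEVPKEY_Device_DriverInfPath']
        LastArrival   = $props['DEVPKEY_Device_LastArrivalDate']
        LastRemoval   = $props['DEVPKEY_Device_LastRemovalDate']
    }
}

$report | Sort-Object LastArrival -Descending | Export-Csv -Path $OutCsv -NoTypeInformation
$report | Format-Table FriendlyName, Class, Status, UniqueId, LastArrival -AutoSize
```

Run it from an elevated prompt on the live system (or against a mounted SYSTEM hive via offline tooling, which this script does not cover); the HasRealSerial column separates devices that can be matched to a physical unit from those with only a Windows-generated id.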