USB Registry Tracks
A USB mass storage device touches more than a dozen distinct registry locations from the moment it is plugged in to the moment it is safely ejected. Each location captures a different phase of the connection lifecycle. No single key tells the full story — investigators who cross-reference all of them can reconstruct exact connection timestamps, the specific physical device, the drive letter it received and which user account was active at the time.
Hardware Enumeration
- Written by PnP the instant USB hardware is detected — before any driver loads. Present for ALL USB device classes, not just storage. The serial number subkey's Last Write Time is the earliest timestamp of physical connection.
  SYSTEM\CurrentControlSet\Enum\USB\{VID_xxxx&PID_xxxx}\{SerialNumber}
  Trace: VID_0951&PID_1666 → Vendor ID + Product ID + Serial Number
- Written when Windows confirms the device belongs to the USB Mass Storage class. The serial number subkey's Last Write Time is the primary forensic timestamp for "when was this drive last connected." Persists indefinitely after removal.
  SYSTEM\CurrentControlSet\Enum\USBSTOR\{Disk&Ven_X&Prod_X&Rev_X}\{SerialNumber}
  Trace: FriendlyName, HardwareID, ContainerID
- Written when the partition manager processes the device. The DiskId GUID links this hardware instance directly to entries in MountedDevices.
  SYSTEM\CurrentControlSet\Enum\USBSTOR\{...}\{SerialNumber}\Device Parameters\Partmgr
  Trace: DiskId (GUID)
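The two key names above carry the device identity in a fixed layout, and the USBSTOR instance id is the USB serial with an "&0" interface suffix appended. The following Python is an added example (not code from the original page) that parses both key paths as exported from an offline SYSTEM hive, flags instance ids that Windows generated because the device reported no unique serial (a "&" as the second character), and joins the USBSTOR record to its Enum\USB VID/PID entry. The VID/PID is the one quoted on the page; the serials and the Generic device are constructed sample values.

```python
"""Parse Enum\\USB and Enum\\USBSTOR key paths and correlate them by serial.

Added example (not code from the original page).  Input is the key path as
exported from an offline SYSTEM hive; the sample paths below are constructed
for the example and are not real evidence.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# USBSTOR device id:  Disk&Ven_<vendor>&Prod_<product>&Rev_<revision>
_USBSTOR_ID = re.compile(r"^Disk&Ven_(?P<ven>[^&]*)&Prod_(?P<prod>[^&]*)&Rev_(?P<rev>[^&]*)$")
# Enum\USB hardware id:  VID_xxxx&PID_xxxx (may be followed by &MI_xx etc.)
_USB_ID = re.compile(r"^VID_(?P<vid>[0-9A-Fa-f]{4})&PID_(?P<pid>[0-9A-Fa-f]{4})")


@dataclass
class UsbDevice:
    vendor: str
    product: str
    revision: str
    serial: str           # USBSTOR instance id, e.g. "0019E0...&0"
    unique_serial: bool   # False when Windows generated the id itself
    vid: Optional[str] = None
    pid: Optional[str] = None


def _segments_after(path: str, marker: str) -> List[str]:
    """Return the path segments that follow the Enum\\<marker> component."""
    parts = path.strip("\\").split("\\")
    i = [p.upper() for p in parts].index(marker)
    return parts[i + 1:]


def parse_usbstor_key(path: str) -> UsbDevice:
    """Parse ...\\Enum\\USBSTOR\\<device id>\\<instance id> into a record."""
    device_id, instance_id = _segments_after(path, "USBSTOR")[:2]
    m = _USBSTOR_ID.match(device_id)
    if not m:
        raise ValueError(f"not a USBSTOR disk device id: {device_id}")
    # A '&' as the SECOND character of the instance id means the device
    # reported no unique serial and Windows generated one; such ids are
    # host-specific and cannot be matched across machines.
    unique = len(instance_id) > 1 and instance_id[1] != "&"
    return UsbDevice(m["ven"], m["prod"].replace("_", " "), m["rev"], instance_id, unique)


def parse_usb_key(path: str) -> Tuple[str, str, str]:
    """Return (vid, pid, serial) from ...\\Enum\\USB\\VID_xxxx&PID_xxxx\\<serial>."""
    hw_id, serial = _segments_after(path, "USB")[:2]
    m = _USB_ID.match(hw_id)
    if not m:
        raise ValueError(f"not a USB hardware id: {hw_id}")
    return m["vid"].upper(), m["pid"].upper(), serial


def correlate(usbstor_paths: List[str], usb_paths: List[str]) -> List[UsbDevice]:
    """Join USBSTOR records to Enum\\USB entries.

    USBSTOR appends an interface suffix ("&0") to the serial the device
    reported, so the join strips the text after the last '&' on the USBSTOR
    side before looking it up under Enum\\USB.
    """
    by_serial = {serial: (vid, pid) for vid, pid, serial in map(parse_usb_key, usb_paths)}
    devices = []
    for p in usbstor_paths:
        dev = parse_usbstor_key(p)
        base = dev.serial.rsplit("&", 1)[0] if dev.unique_serial else dev.serial
        if base in by_serial:
            dev.vid, dev.pid = by_serial[base]
        devices.append(dev)
    return devices


# Constructed sample key paths (VID/PID taken from the page; serials invented).
SAMPLE_USBSTOR = [
    "SYSTEM\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP\\0019E06B2B8AC6B1E3B90D3C&0",
    "SYSTEM\\ControlSet001\\Enum\\USBSTOR\\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\\7&1f2e3d4c&0",
]
SAMPLE_USB = ["SYSTEM\\ControlSet001\\Enum\\USB\\VID_0951&PID_1666\\0019E06B2B8AC6B1E3B90D3C"]

if __name__ == "__main__":
    for d in correlate(SAMPLE_USBSTOR, SAMPLE_USB):
        print(d)
```

A device whose record comes back with `unique_serial` False should be matched on ContainerID or on the timestamps discussed later rather than on the instance id, since the generated id will differ on every host it was plugged into.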
Driver Loading
- Written when the disk device interface is registered. Confirms the device was presented to the OS as a functional disk accessible to the file system layer.
  SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#...
  Trace: Key existence (Disk Device Interface GUID)
- Written when the volume is registered. This is the moment Windows begins treating the device as a mountable volume with its own file system.
  SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#...
  Trace: Key existence (Volume Device Interface GUID)
- Controls whether the USB storage class driver loads. Attackers sometimes set this to 4 as a DLP bypass or to block forensic tools from accessing live USB devices. Tampering here is a red flag.
  SYSTEM\CurrentControlSet\Services\USBSTOR
  Trace: Start (DWORD) → 3 = demand start, 4 = disabled
Volume Mounting and Drive Letter Assignment
- Maps each drive letter (\DosDevices\E:) and volume mount point to the unique hardware signature of the physical device assigned to it. Ties a specific drive letter directly to specific physical hardware. Updated every time a drive letter is (re)assigned.
  SYSTEM\MountedDevices
  Trace: \DosDevices\E: (REG_BINARY → MBR signature + partition offset, or GPT GUID)
- Written by the Windows Search indexer on first encounter with a new volume. Persists after the drive is removed — preserves the user-assigned volume label (e.g., KINGSTON_64GB) long after the device is gone. Invaluable for corroborating physical evidence.
  SOFTWARE\Microsoft\Windows Search\VolumeInfoCache\E:
  Trace: VolumeLabel, DriveType, FileSystemType
- Written by the Windows Portable Devices layer. Stores the volume's display name independently of VolumeInfoCache — a second persistent source for the drive label. Survives device removal.
  SOFTWARE\Microsoft\Windows Portable Devices\Devices\{DeviceInstancePath}
  Trace: FriendlyName (REG_SZ → user-assigned volume label)
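The REG_BINARY data behind a \DosDevices\E: value takes one of three shapes: 12 bytes (4-byte MBR disk signature plus 8-byte partition byte offset), the string "DMIO:ID:" followed by a 16-byte GPT partition GUID, or a UTF-16LE device instance path of the form \??\USBSTOR#<device id>#<serial>#{interface GUID}, which is what removable USB volumes normally get. The following Python is an added example (not the page's own code) that decodes all three and pulls the USBSTOR instance id out of the third so a drive letter can be tied back to the USBSTOR key. All three sample blobs are constructed.

```python
"""Decode SYSTEM\\MountedDevices values and tie drive letters to hardware.

Added example (not the page's own code).  The value blobs below are
constructed to match the three layouts Windows writes and are not real
evidence.
"""
import struct
import uuid
from typing import Dict, Optional, Tuple


def decode_mounted_device(data: bytes) -> Tuple[str, str]:
    """Return (kind, identifier) for one MountedDevices value.

    kind is one of:
      'mbr'    - 4-byte disk signature + 8-byte partition byte offset (12 bytes)
      'gpt'    - 'DMIO:ID:' prefix followed by the 16-byte partition GUID
      'device' - UTF-16LE device instance path, e.g. \\??\\USBSTOR#Disk&Ven_...
    """
    if len(data) == 12:
        sig, offset = struct.unpack("<IQ", data)
        return "mbr", f"sig=0x{sig:08x} offset={offset}"
    if data.startswith(b"DMIO:ID:") and len(data) == 24:
        return "gpt", str(uuid.UUID(bytes_le=data[8:]))
    return "device", data.decode("utf-16-le").rstrip("\x00")


def usbstor_serial_from_path(device_path: str) -> Optional[str]:
    """Pull the USBSTOR instance id out of \\??\\USBSTOR#<device id>#<serial>#{guid}."""
    if "USBSTOR#" not in device_path:
        return None
    # '#'-separated: ['\\??\\USBSTOR', 'Disk&Ven_..&Prod_..&Rev_..', '<serial>', '{iface guid}']
    parts = device_path.split("#")
    return parts[2] if len(parts) >= 3 else None


def drive_letter_map(values: Dict[str, bytes]) -> Dict[str, dict]:
    """Map each \\DosDevices\\X: value to the decoded identity of its disk or volume."""
    prefix = "\\DosDevices\\"
    result = {}
    for name, blob in values.items():
        if not name.startswith(prefix):
            continue
        kind, ident = decode_mounted_device(blob)
        result[name[len(prefix):]] = {
            "kind": kind,
            "id": ident,
            "usbstor_serial": usbstor_serial_from_path(ident) if kind == "device" else None,
        }
    return result


# Constructed sample values: a fixed MBR disk, a GPT partition and a USB stick.
SAMPLE_USB_PATH = ("\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP"
                   "#0019E06B2B8AC6B1E3B90D3C&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")
SAMPLE_VALUES = {
    "\\DosDevices\\C:": struct.pack("<IQ", 0x1A2B3C4D, 1048576),
    "\\DosDevices\\D:": b"DMIO:ID:" + uuid.UUID("12345678-1234-1234-1234-123456789abc").bytes_le,
    "\\DosDevices\\E:": SAMPLE_USB_PATH.encode("utf-16-le"),
}

if __name__ == "__main__":
    for letter, info in drive_letter_map(SAMPLE_VALUES).items():
        print(letter, info)
```

The serial returned for E: is the same instance id that names the USBSTOR subkey, which is the join key between this hive location and the enumeration keys above.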
Device Tracking and Timestamps
- Written once on first connection to this machine. Does not update on subsequent connections. This is your definitive "device first seen" timestamp — critical for establishing initial access.
  SYSTEM\CurrentControlSet\Enum\USBSTOR\{...}\{SerialNumber}\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064
  Trace: FILETIME (REG_BINARY) → First Install Date
- Updated every time the device is connected. More precise than the subkey Last Write Time for "last connected" attribution — this is your primary last-connection timestamp.
  SYSTEM\CurrentControlSet\Enum\USBSTOR\{...}\{SerialNumber}\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066
  Trace: FILETIME (REG_BINARY) → Last Arrival Date
- Recorded only on clean ejection. Absence of this value after a confirmed connection indicates an abrupt removal — e.g., pulled during live response or mid-exfiltration.
  SYSTEM\CurrentControlSet\Enum\USBSTOR\{...}\{SerialNumber}\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0067
  Trace: FILETIME (REG_BINARY) → Last Removal Date
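Each of these property values is an 8-byte little-endian FILETIME (100-nanosecond ticks since 1601-01-01 UTC). The following Python is an added example (not the page's own code) that decodes them and turns the three timestamps into the lifecycle verdict the text describes: a missing Last Removal, or one older than the Last Arrival, means the device was either still attached when the hive was captured or was pulled without a clean eject. The property-id to name mapping in the code follows the DEVPKEY_Device_* numbering in Microsoft's devpkey.h (0x64 InstallDate, 0x65 FirstInstallDate, 0x66 LastArrivalDate, 0x67 LastRemovalDate); the sample values are constructed.

```python
"""Decode the FILETIME properties under USBSTOR\\...\\Properties\\{83da6326-...}.

Added example (not the page's own code).  Property ids follow the
DEVPKEY_Device_* numbering in Microsoft's devpkey.h: 0x64 InstallDate,
0x65 FirstInstallDate, 0x66 LastArrivalDate, 0x67 LastRemovalDate.
Sample values are constructed.
"""
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

DEVICE_PROPS_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
PROPERTY_NAMES = {
    "0064": "InstallDate",
    "0065": "FirstInstallDate",
    "0066": "LastArrivalDate",
    "0067": "LastRemovalDate",
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(blob: bytes) -> datetime:
    """FILETIME = little-endian uint64 count of 100 ns intervals since 1601-01-01 UTC."""
    if len(blob) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", blob)
    return _EPOCH + timedelta(microseconds=ticks // 10)   # sub-microsecond part dropped


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime, used here only to build sample data."""
    delta = dt - _EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)


def decode_properties(props: Dict[str, bytes]) -> Dict[str, Optional[datetime]]:
    """props maps the property subkey name ('0064', ...) to its REG_BINARY data."""
    return {name: filetime_to_datetime(props[pid]) if pid in props else None
            for pid, name in PROPERTY_NAMES.items()}


def assess_lifecycle(props: Dict[str, bytes]) -> dict:
    """Derive first-seen, last-connected and a clean/abrupt removal verdict."""
    t = decode_properties(props)
    arrival, removal = t["LastArrivalDate"], t["LastRemovalDate"]
    if arrival is None:
        verdict = "no-arrival-recorded"
    elif removal is None or removal < arrival:
        # No removal stamp newer than the last arrival: the device was either
        # still attached when the hive was captured or pulled without a clean eject.
        verdict = "abrupt-or-still-attached"
    else:
        verdict = "clean-eject"
    return {
        "first_seen": t["FirstInstallDate"] or t["InstallDate"],
        "last_connected": arrival,
        "last_removed": removal,
        "verdict": verdict,
    }


# Constructed sample: the last removal stamp is OLDER than the last arrival.
SAMPLE_PROPS = {
    "0064": datetime_to_filetime(datetime(2024, 3, 1, 9, 15, tzinfo=timezone.utc)),
    "0065": datetime_to_filetime(datetime(2024, 3, 1, 9, 15, tzinfo=timezone.utc)),
    "0066": datetime_to_filetime(datetime(2024, 6, 12, 14, 2, 30, tzinfo=timezone.utc)),
    "0067": datetime_to_filetime(datetime(2024, 6, 12, 13, 40, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for k, v in assess_lifecycle(SAMPLE_PROPS).items():
        print(f"{k:15} {v}")
```

Comparing the decoded LastArrivalDate against the USBSTOR serial subkey's Last Write Time is a useful sanity check: a large gap between the two usually means the subkey was rewritten for another reason (driver update, property refresh) rather than a connection.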
User-Level Interaction
- Written per-user the first time the logged-on user's Explorer session touches the mounted volume. This directly ties a specific user account to a specific USB device — the most important artifact for user-level USB attribution. Survives device removal.
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{VolumeGUID}
  Trace: Key existence + Last Write Time → user account ↔ USB volume link
- If the user opened any file from the USB volume, the filename and extension are recorded here. Links the user's interactive session to specific files on the device.
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
  Trace: Per-extension MRU entries → filename, extension of files opened from USB
- If the user manually typed the drive path into the Explorer address bar, it is logged here. High-confidence proof of deliberate navigation to the device.
  NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
  Trace: url1 ... url25 (REG_SZ) → manually typed path, e.g. E:\
- If any binary was executed from the USB drive, its internal PE display name is cached here. Survives both drive removal and file deletion.
  NTUSER.DAT\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
  Trace: {ExePath}.FriendlyAppName (REG_SZ) → internal display name of executed binary
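The attribution chain runs MountPoints2 {VolumeGUID} (user hive) → \??\Volume{GUID} value in SYSTEM\MountedDevices (same REG_BINARY data as the matching \DosDevices\X: value) → USBSTOR instance id, and once the drive letter is known, TypedPaths and MuiCache entries can be filtered to that letter. The following Python is an added example (not the page's own code) that performs that join over hive data modelled as plain dicts of the kind an offline registry parser returns; the volume GUID, serial, user name and activity entries are all constructed. One point of scope: the MuiCache key sits under HKCU\Software\Classes, which Windows stores in the user's UsrClass.dat hive, so that dict would be populated from a different file than MountPoints2 and TypedPaths.

```python
"""Tie a user's MountPoints2 entries to USB hardware and to on-device activity.

Added example (not the page's own code).  Hive data is modelled as plain
dicts of the kind an offline parser hands back; every sample value is
constructed.
"""
from datetime import datetime, timezone
from typing import Dict, List, Optional

_DOSDEV = "\\DosDevices\\"
_VOLUME = "\\??\\Volume"


def _usbstor_serial(blob: bytes) -> Optional[str]:
    """Return the USBSTOR instance id if this MountedDevices blob is a USB device path."""
    try:
        device = blob.decode("utf-16-le").rstrip("\x00")
    except UnicodeDecodeError:
        return None          # MBR/GPT-signature form, not a device path
    if "USBSTOR#" not in device:
        return None
    # '#'-separated: ['\\??\\USBSTOR', '<device id>', '<serial>', '{interface guid}']
    return device.split("#")[2]


def attribute_user(user: str,
                   mountpoints2: Dict[str, datetime],
                   mounted_devices: Dict[str, bytes],
                   typed_paths: Dict[str, str],
                   muicache: Dict[str, str]) -> List[dict]:
    """Join per-user MountPoints2 keys to MountedDevices, then to TypedPaths/MuiCache.

    mountpoints2    {"{volume-guid}": key last-write time (UTC)}    from NTUSER.DAT
    mounted_devices {value name: REG_BINARY data}                   from SYSTEM
    typed_paths     {"url1": "E:\\", ...}                            from NTUSER.DAT
    muicache        {"<exe path>.FriendlyAppName": "<name>", ...}    from UsrClass.dat
    """
    findings = []
    for vol_guid, first_touch in mountpoints2.items():
        blob = mounted_devices.get(_VOLUME + vol_guid)
        if blob is None:
            continue   # the user saw this volume, but MountedDevices no longer lists it
        serial = _usbstor_serial(blob)
        if serial is None:
            continue   # fixed disk or non-USB volume
        # Every \DosDevices\X: value carrying the same blob was a letter for this volume.
        letters = [n[len(_DOSDEV):] for n, b in mounted_devices.items()
                   if n.startswith(_DOSDEV) and b == blob]

        def on_device(path: str) -> bool:
            return any(path.upper().startswith(dl.upper()) for dl in letters)

        findings.append({
            "user": user,
            "volume_guid": vol_guid,
            "usbstor_serial": serial,
            "drive_letters": letters,
            "user_first_touch": first_touch,
            "typed_paths": [p for p in typed_paths.values() if on_device(p)],
            "executed": [k[:-len(".FriendlyAppName")] for k in muicache
                         if k.endswith(".FriendlyAppName") and on_device(k)],
        })
    return findings


# Constructed sample hive data.
_USB_BLOB = ("\\??\\USBSTOR#Disk&Ven_Kingston&Prod_DataTraveler_3.0&Rev_PMAP"
             "#0019E06B2B8AC6B1E3B90D3C&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}").encode("utf-16-le")
SAMPLE_MOUNTED = {
    "\\DosDevices\\E:": _USB_BLOB,
    "\\??\\Volume{9a6c2f10-3b4d-4e5f-8a9b-0c1d2e3f4a5b}": _USB_BLOB,
}
SAMPLE_MP2 = {"{9a6c2f10-3b4d-4e5f-8a9b-0c1d2e3f4a5b}": datetime(2024, 6, 12, 14, 3, 5, tzinfo=timezone.utc)}
SAMPLE_TYPED = {"url1": "E:\\", "url2": "C:\\Users\\jdoe\\Downloads"}
SAMPLE_MUI = {"E:\\tools\\sync.exe.FriendlyAppName": "Sync Utility"}

if __name__ == "__main__":
    for f in attribute_user("jdoe", SAMPLE_MP2, SAMPLE_MOUNTED, SAMPLE_TYPED, SAMPLE_MUI):
        print(f)
```

Because drive letters are reused, a TypedPaths or MuiCache hit on E:\ only proves activity on the letter, not on this particular device; the MountPoints2 Last Write Time and the USBSTOR arrival/removal timestamps bound the window in which that letter belonged to this volume.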
AutoRun and Autoplay
- Controls whether AutoRun fires for removable drives. A modified value re-enabling AutoRun on removable media is an indicator of staged malware delivery preparation.
  SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun
  Trace: NoDriveTypeAutoRun (DWORD) → 0xFF = all AutoRun disabled
- A deliberate Microsoft hardening redirect that prevents Windows from reading Autorun.inf on USB drives. If this entry is missing or altered, the system may be vulnerable to AutoRun-based attacks.
  SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf
  Trace: Default value → redirected to suppress Autorun.inf parsing
Storage Policy and Restrictions
- Confirms or refutes whether registry-level write-blocking was in place during a collection window. Attackers may also clear this to enable writes to an otherwise protected device.
  SYSTEM\CurrentControlSet\Control\StorageDevicePolicies
  Trace: WriteProtect (DWORD) → 1 = all USB storage write-protected system-wide
- GPO-enforced USB class restrictions for Disk Drives. Finding these disabled or absent on a corporate endpoint is significant evidence in a DLP investigation.
  SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
  Trace: Deny_Read / Deny_Write (DWORD) → GPO-enforced USB access control
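The policy values in this section and the two preceding ones (Services\USBSTOR Start, NoDriveTypeAutoRun, the Autorun.inf IniFileMapping redirect, StorageDevicePolicies\WriteProtect and the RemovableStorageDevices Deny_* values) are the ones to baseline on a corporate endpoint and re-check after an incident. The following Python is an added example (not the page's own code) that screens a flat snapshot of those values, as one would build from an offline SYSTEM and SOFTWARE hive parse, and reports tamper indicators. The hardened values it expects are the ones the page states plus Microsoft's documented IniFileMapping default of "@SYS:DoesNotExist"; the 0x04 bit it tests in NoDriveTypeAutoRun is the DRIVE_REMOVABLE bit. Both sample snapshots are constructed.

```python
"""Screen USB policy keys from SYSTEM and SOFTWARE hives for weak or tampered settings.

Added example (not the page's own code).  The snapshot is a flat dict of
"<hive-relative key>\\<value name>" -> data, as one would build from an
offline hive parser; the sample data is constructed.
"""
from typing import Dict, List

REMOVABLE_DISKS_CLASS = "{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
K_USBSTOR_START = "SYSTEM\\CurrentControlSet\\Services\\USBSTOR\\Start"
K_AUTORUN = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\NoDriveTypeAutoRun"
K_INIMAP = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\IniFileMapping\\Autorun.inf\\(Default)"
K_WRITEPROTECT = "SYSTEM\\CurrentControlSet\\Control\\StorageDevicePolicies\\WriteProtect"
K_DENY_WRITE = ("SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\"
                + REMOVABLE_DISKS_CLASS + "\\Deny_Write")
K_DENY_READ = ("SOFTWARE\\Policies\\Microsoft\\Windows\\RemovableStorageDevices\\"
               + REMOVABLE_DISKS_CLASS + "\\Deny_Read")

AUTORUN_REMOVABLE_BIT = 0x04          # DRIVE_REMOVABLE bit in NoDriveTypeAutoRun
INIMAP_HARDENED = "@SYS:DoesNotExist"  # Microsoft's documented Autorun.inf redirect


def check_usb_policy(snapshot: Dict[str, object]) -> List[dict]:
    """Return findings; severity 'high' marks settings an attacker would change."""
    findings: List[dict] = []

    def note(key: str, severity: str, text: str) -> None:
        findings.append({"key": key, "severity": severity, "finding": text,
                         "value": snapshot.get(key)})

    # Services\USBSTOR\Start: 3 = demand start (default), 4 = disabled.
    start = snapshot.get(K_USBSTOR_START)
    if start == 4:
        note(K_USBSTOR_START, "high", "USBSTOR service disabled (Start=4): live USB access blocked")
    elif start != 3:
        note(K_USBSTOR_START, "medium", "USBSTOR Start is not the default demand-start value (3)")

    # NoDriveTypeAutoRun: 0xFF disables AutoRun everywhere; a cleared 0x04 bit
    # re-enables it for removable drives.
    autorun = snapshot.get(K_AUTORUN)
    if autorun is None:
        note(K_AUTORUN, "medium", "NoDriveTypeAutoRun policy not set")
    elif not (int(autorun) & AUTORUN_REMOVABLE_BIT):
        note(K_AUTORUN, "high", "AutoRun enabled for removable drives (0x04 bit clear)")

    if snapshot.get(K_INIMAP) != INIMAP_HARDENED:
        note(K_INIMAP, "high", "Autorun.inf IniFileMapping redirect missing or altered")

    if snapshot.get(K_WRITEPROTECT) != 1:
        note(K_WRITEPROTECT, "info", "no registry-level USB write protection in place")

    for key, what in ((K_DENY_WRITE, "Write"), (K_DENY_READ, "Read")):
        if snapshot.get(key) != 1:
            note(key, "info", f"no GPO Deny_{what} for removable disks")

    return findings


# Constructed snapshots: one tampered, one hardened.
SAMPLE_TAMPERED = {
    K_USBSTOR_START: 4,
    K_AUTORUN: 0xFB,          # 0xFF with the removable-drive bit cleared
    K_WRITEPROTECT: 0,
    K_DENY_WRITE: 1,
}
SAMPLE_HARDENED = {
    K_USBSTOR_START: 3,
    K_AUTORUN: 0xFF,
    K_INIMAP: INIMAP_HARDENED,
    K_WRITEPROTECT: 1,
    K_DENY_WRITE: 1,
    K_DENY_READ: 1,
}

if __name__ == "__main__":
    for f in check_usb_policy(SAMPLE_TAMPERED):
        print(f"[{f['severity']:6}] {f['key']}: {f['finding']} (value={f['value']!r})")
```

The "info" findings are not indicators of compromise on their own; they record which protections were absent during the collection window, which is exactly the question the StorageDevicePolicies entry above is meant to answer.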
Forensic Value
- Reconstruct the full connection lifecycle: Cross-referencing properties under USBSTOR gives a complete timeline. Correlate these with SetupAPI logs to verify driver installation timestamps.
- Attribute device use to a specific user: MountPoints2 in NTUSER.DAT directly ties a user to a volume. Cross-check this with MountedDevices to map the specific drive letter assigned during the session.
- Recover the volume label of a destroyed drive: VolumeInfoCache and Windows Portable Devices entries retain labels. Match these against USBSTOR hardware IDs to confirm the physical device identity.
For more information, see the related articles: SetupAPI, USBSTOR, MountedDevices.