May 22, 2018
Whenever we insert a USB drive into a computer, a registry key with the name 'USBSTOR' is created. This registry key stores information about that USB device, and whatever information the OS needs to know can be found in this registry key.
Finding the USB Attachment History
To find the USB history of your device, take the following steps. The drive serial can be found by going into the command line, navigating to the drive, and executing dir. The volume serial number is found in the top two lines - use it without the dash.
This topic describes the device-specific registry entries.
Find device information after it enumerates on Windows
View the device interface GUID, Hardware Id, and device class information about your device
Find this registry key and note the DeviceInstance value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses
Find the device instance registry key and get the device interface GUID:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB\<hardware id>\<instance id>\Device Parameters
Under the device instance key, note the device class, subclass, and protocol codes:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Registry settings for configuring USB driver stack behavior
The registry entries described in this topic are found under this key:
In the vvvvpppprrrr key,
- vvvv is a 4-digit hexadecimal number that identifies the vendor
- pppp is a 4-digit hexadecimal number that identifies the product
- rrrr is a 4-digit hexadecimal number that contains the revision number of the device.
The vendor ID, product ID, and revision number values are obtained from the USB device descriptor. The following table describes the possible registry entries for the vvvvpppprrrr key. The USB driver stack considers these entries as read-only values.
Registry entry | Description | Possible values |
---|---|---|
osvc (REG_BINARY). Supported on Windows XP and later versions. | Indicates whether the operating system queried the device for Microsoft-Defined USB Descriptors. If the previously-attempted OS descriptor query was successful, the value contains the vendor code from the OS string descriptor. | |
IgnoreHWSerNum (REG_BINARY). Supported on Windows Vista and later versions. | Indicates whether the USB driver stack must ignore the serial number of the device. | |
ResetOnResume (REG_BINARY). Supported on Windows Vista and later versions. | Indicates whether the USB driver stack must reset the device when the port resumes from a sleep cycle. | |
Forensicating USB devices can be an arduous task, so I am going to break it down into byte (get it) size chunks.
To get the serial number of a USB device, we must start our investigation in the System hive. Navigate to the following key:
SYSTEM\CurrentControlSet\Enum\USBSTOR
This key lists all of the USB devices that have been plugged into the machine, regardless of user. The serial number is a sub-key of the Device Class ID.
Here you can see two USB devices have been installed on this machine: a Seagate FreeAgent device and a Generic device. (A Generic device is not that uncommon; the serial number will help you to track the USB device through the artefacts.)
Both of these devices have a unique serial from their respective manufacturers. This can be seen by the &0 or &1 at the end of the serial number. If instead the second character is an &, then the device does not have a unique serial number, and Windows has issued one which is unique to the local system only.
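The rule above, applied to USBSTOR key names, as an added example that is not part of the original post. The sample key names are constructed, the function names are hypothetical, and the Disk&Ven_...&Prod_...&Rev_... layout of the Device Class ID is the usual USBSTOR naming, not something shown on this page.

```python
import re

# Constructed sample: (Device Class ID, serial sub-key) pairs as they would be
# read from SYSTEM\CurrentControlSet\Enum\USBSTOR in an exported System hive.
SAMPLE_USBSTOR = [
    ("Disk&Ven_Seagate&Prod_FreeAgent&Rev_102D", "2GE4ABCD&0"),
    ("Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07", "0A1B2C3D&0"),
    ("Disk&Ven_Generic&Prod_USB_Disk&Rev_1.00", "6&2f1a9c3e&0&1"),
]

CLASS_ID_RE = re.compile(
    r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)"
    r"&Prod_(?P<product>[^&]*)&Rev_(?P<revision>[^&]*)$"
)

def parse_class_id(class_id):
    """Split a Device Class ID key name into type, vendor, product, revision."""
    match = CLASS_ID_RE.match(class_id)
    if match is None:
        raise ValueError(f"unexpected Device Class ID: {class_id!r}")
    return match.groupdict()

def classify_instance(instance_id):
    """Decide whether the serial sub-key came from the device or from Windows."""
    # Second character '&' means Windows issued the ID: unique on this host only.
    windows_generated = len(instance_id) > 1 and instance_id[1] == "&"
    if windows_generated:
        serial = instance_id  # keep whole; it is not a manufacturer serial
    else:
        # Strip the trailing &0 / &1 to leave the manufacturer serial.
        serial = re.sub(r"&\d+$", "", instance_id)
    return {"serial": serial, "device_unique": not windows_generated}

def usbstor_report(entries):
    """Merge both parses; flag serials usable for tracking across machines."""
    report = []
    for class_id, instance_id in entries:
        row = parse_class_id(class_id)
        row.update(classify_instance(instance_id))
        row["trackable_across_hosts"] = row["device_unique"]
        report.append(row)
    return report

if __name__ == "__main__":
    for row in usbstor_report(SAMPLE_USBSTOR):
        print(row)
```

Only the entries flagged as device-unique can be matched against the same device's records on another machine; a Windows-issued ID has meaning on the local system alone.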