The 4N6 Post

 

USB connections are a commonly used method for transferring data between computers and other electronic devices. In Windows, connecting a USB device affects the registry in several ways, notably the USB, USBSTOR and MountPoints keys. In this post, we'll explore the connection between the USB MountPoints keys and the setupapi.dev.log, and provide examples of both normal and malicious use cases.




The USBSTOR key in the Windows registry is responsible for storing information about USB mass storage devices that are connected to the computer. This information includes the device name, vendor ID (VID), product ID (PID), and serial number. When a USB mass storage device is connected to the computer, Windows adds an entry to the USBSTOR key with the necessary information about the device. If the device is removed, the entry is deleted. However, the USB key will contain all USB devices and their last plugin time. 

The USBSTOR key can be found in:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

The example I will be using here is a 64GB generic USB drive. Here are the properties of the device for additional reference.

We can see the:
  1. Name
  2. Brand
  3. Rev
  4. Driver Version / Date / Provider
  5. Serial Number*
    1. If there is no SN, these are generated by the OS to avoid tracking issues.
(Screenshot taken using USBDeview by NirSoft.)


Inspection

In the image below, I have cropped the bulk of the keys down to the ones relevant here and highlighted them. We can see that the USBSTOR entry with the ID "020320-1210000000194&0" contains the additional information about this device. Looking above in the USB key, we can find the same device under VID_090C&PID_1000 as well as Vid_0E0F&Pid_0001.

Take note that serial numbers are potentially:
  1. prefixed with '6&' (i.e. <number>&), and
  2. suffixed with '&0'
e.g. 6&1234A678&0



I will do a quick Google search for the VID and PID vendors. One option is:

VID 090C // PID 0x1000 // Flash Drive (this one will be the main focus)
VID 0E0F // PID 0x0001 // VMware, Inc.

The MountPoints key, on the other hand, is responsible for storing information about the drive letters assigned to USB mass storage devices. When a USB mass storage device is connected to the computer, Windows assigns a drive letter to the device and adds an entry to the MountPoints key with the drive letter and the device's volume name. 

The MountPoints2 key can be found in a live system via:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

The MountedDevices key can be found in:

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices


Looking at H: as a reference in our example, we can see similar hex under two entries: this device has two mounted volumes, under F and H. Decoding the hex gives a string like the one below, which shows which device was last connected to that drive letter; here it is the device we are looking into. If you have a USB drive to compare against, this will be very useful; otherwise you now have the information needed to find the specific device.

"_??_USBSTOR#Disk&Ven_Generic&Prod_Mass_Storage&Rev_1100#020320-1210000000194&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
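As an added example (not code from the original post), the decoding step above in Python: each MountedDevices value for a USB device is the device string stored as UTF-16LE, so decoding it, splitting out the vendor/product/revision/serial fields, and stripping the '&0' suffix and any OS-generated '<number>&' prefix lets you match drive letters against a USBSTOR instance ID. The sample values are constructed here from the string quoted in this post; the parsing rules for the prefix and suffix are the ones described earlier in the post.

```python
import re
# Constructed sample of MountedDevices values. The USB string is the one quoted
# in this post, stored as Windows does it: a UTF-16LE binary value.
SAMPLE_DEVICE_STRING = (
    "_??_USBSTOR#Disk&Ven_Generic&Prod_Mass_Storage&Rev_1100"
    "#020320-1210000000194&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
)
SAMPLE_MOUNTED_DEVICES = {
    r"\DosDevices\H:": SAMPLE_DEVICE_STRING.encode("utf-16-le"),
    r"\DosDevices\F:": SAMPLE_DEVICE_STRING.encode("utf-16-le"),
    # Fixed disks store a 12-byte MBR signature + partition offset instead.
    r"\DosDevices\C:": bytes.fromhex("a1b2c3d4" + "0010000000000000"),
}
USBSTOR_RE = re.compile(
    r"USBSTOR#(?P<type>[^&#]+)&Ven_(?P<vendor>[^&#]*)&Prod_(?P<product>[^&#]*)"
    r"&Rev_(?P<rev>[^#]*)#(?P<instance>[^#]+)#\{(?P<guid>[0-9a-fA-F-]+)\}"
)

def decode_value(raw: bytes):
    """Return the device string held in a MountedDevices value, or None if binary."""
    if len(raw) % 2:
        return None
    try:
        text = raw.decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    return text if text.startswith(("\\??\\", "_??_")) else None

def parse_usbstor_instance(instance: str) -> dict:
    """Strip the '&0' suffix and any OS-generated '<n>&' prefix (no-serial devices)."""
    core = instance[:-2] if instance.endswith("&0") else instance
    m = re.match(r"^(?P<prefix>\d+)&(?P<id>.+)$", core)
    if m:
        return {"id": m.group("id"), "os_generated": True, "prefix": m.group("prefix")}
    return {"id": core, "os_generated": False, "prefix": ""}

def parse_mounted_devices(values: dict) -> dict:
    """Map each MountedDevices value name to parsed USBSTOR fields; skip non-USB ones."""
    parsed = {}
    for name, raw in values.items():
        text = decode_value(raw)
        m = USBSTOR_RE.search(text) if text else None
        if m:
            parsed[name] = dict(m.groupdict(), **parse_usbstor_instance(m["instance"]))
    return parsed

def drive_letters_for_id(values: dict, device_id: str) -> list:
    """Drive letters whose last-mounted device carries this USBSTOR serial or ID."""
    return sorted(name[-2] for name, info in parse_mounted_devices(values).items()
                  if name.startswith("\\DosDevices\\") and info["id"] == device_id)
```

On a live system the same dictionary can be filled from HKLM\SYSTEM\MountedDevices with winreg, or from an exported SYSTEM hive with a registry parser; the functions do not depend on where the bytes came from.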


The setupapi.dev.log is a log file that contains information about the installation and configuration of hardware and software components in Windows. This log file can be useful for troubleshooting problems with USB mass storage devices, as it records information about the installation of the USBSTOR and MountPoints registry keys. The setupapi.dev.log can be found in the "%windir%\inf" folder (i.e. C:\Windows\INF).

Normal Behavior

In a normal use case scenario, a user connects a USB mass storage device to their computer and transfers data between the computer and the device. The USBSTOR key is updated with an entry for the device, and the MountPoints key is updated with an entry for the drive letter assigned to the device. The setupapi.dev.log records information about the installation of the USBSTOR and MountPoints registry keys, providing a record of the device and its usage.

Malicious Purposes

In a malicious use case scenario, an attacker could use a USB mass storage device to transfer malware to a computer. The USBSTOR and MountPoints keys would be updated with entries for the device, and the setupapi.dev.log would record information about the installation of the registry keys. The malware could then use the entries in the USBSTOR and MountPoints keys to execute malicious code on the computer, potentially compromising sensitive information or damaging the system.
