Delete USB Device History from the Windows Registry (USBSTOR key) and the setupapi.log

This article covers the USBSTOR registry key and the setupapi.log file and methods to delete them. These two artifacts can contain data regarding USB devices that have been plugged into a system.

There are other things you should be aware of as well which are covered in this article. Sometimes just deleting a registry key or file is not enough.

USBSTOR Registry Key

The USBSTOR registry key contains subkeys which are created when USB devices are plugged into the system. The location of this registry key on a Windows XP system is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

As an example, I’ve setup a fresh Windows XP virtual machine and popped in a single thumb drive. A subkey under USBSTOR was created based off of the USB thumb drive that I used. I used an OCZ Rally USB thumb drive, check the screenshot below.

USBSTOR Subkey

To delete this registry key and or subkeys you must first right-click the key and choose permissions. You can then set the “everyone” group with full permission to the key or subkeys so that they can then be deleted. I’m sure it isn’t too difficult to whip up a script or piece of software to automate this.

So, you’ve deleted the key and you’re good to go, right?

Well, maybe. If you’ve had system restore active then there are copies of this key in most likely every system restore point. Make sure you’re aware of what registry software you’ve run on your system as well. Even CCleaner (which I talk about below) has a registry cleaner which will by default prompt the user to backup the registry.

setupapi.log Plain-text Log File

The setupapi.log is located in the %windir% directory on Windows XP systems. The setupapi.log contains entries for driver installations of USB devices that have been plugged into the system and much more. It’s quite the little treasure chest of artifacts and should be dealt with. See the screenshot below of the setupapi.log on a virtual machine after I plugged in a USB OCZ Rally thumb drive.

Why would you want to get rid of the log?

Well, if an examiner needed to see what devices had been plugged into the system, this would be one of the spots they would look.

setupapi.log log file

What’s the best way to get rid of the log?

Just delete it. Preferably with a single pass wipe through wiping software such as CCleaner. If you’re not already using CCleaner, you should be. Be sure to go through all the settings in CCleaner and be sure to set it to do a one wipe pass over files like in the screenshot below. Otherwise it is possible to recover this log file with basic data recovery techniques.

One Pass Wipe - CCleaner

Also, setting CCleaner to do more than one pass is just wasting your time (previous article).

You can add custom files and directories to include in the wiping process. This is where you would add the setupapi.log file located in the C:\windows directory, just like in the screenshot below.

CCleaner Include Custom File

For more information on what is contained in the log take a peek at this article on microsoft.com.

If you’ve never used CCleaner I recommend it for taking care of the many temp files on your system. What’s even better is it has the ability to wipe the file and not just delete it.

If you have any tips or suggestions to add to the article then I encourage you to share them with a comment below.

Related posts:

1. Disable Thumbnail Caching and Wipe Thumbs.db files on a Windows XP System
2. How to Delete Google History – Google Chrome Artifacts and Google Chrome History
3. How to Delete Google History – The Google Toolbar