This article covers the USBSTOR registry key and the setupapi.log file and methods to delete them. These two artifacts can contain data regarding USB devices that have been plugged into a system.
There are other things you should be aware of as well which are covered in this article. Sometimes just deleting a registry key or file is not enough.
USBSTOR Registry Key
The USBSTOR registry key contains subkeys which are created when USB devices are plugged into the system. The location of this registry key on a Windows XP system is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR
As an example, I’ve setup a fresh Windows XP virtual machine and popped in a single thumb drive. A subkey under USBSTOR was created based off of the USB thumb drive that I used. I used an OCZ Rally USB thumb drive, check the screenshot below.
USBSTOR Subkey
To delete this registry key and or subkeys you must first right-click the key and choose permissions. You can then set the “everyone” group with full permission to the key or subkeys so that they can then be deleted. I’m sure it isn’t too difficult to whip up a script or piece of software to automate this.
So, you’ve deleted the key and you’re good to go, right?
Well, maybe. If you’ve had system restore active then there are copies of this key in most likely every system restore point. Make sure you’re aware of what registry software you’ve run on your system as well. Even CCleaner (which I talk about below) has a registry cleaner which will by default prompt the user to backup the registry.
setupapi.log Plain-text Log File
The setupapi.log is located in the %windir% directory on Windows XP systems. The setupapi.log contains entries for driver installations of USB devices that have been plugged into the system and much more. It’s quite the little treasure chest of artifacts and should be dealt with. See the screenshot below of the setupapi.log on a virtual machine after I plugged in a USB OCZ Rally thumb drive.
Why would you want to get rid of the log?
Well, if an examiner needed to see what devices had been plugged into the system, this would be one of the spots they would look.
setupapi.log log file
What’s the best way to get rid of the log?
Just delete it. Preferably with a single pass wipe through wiping software such as CCleaner. If you’re not already using CCleaner, you should be. Be sure to go through all the settings in CCleaner and be sure to set it to do a one wipe pass over files like in the screenshot below. Otherwise it is possible to recover this log file with basic data recovery techniques.
One Pass Wipe - CCleaner
Also, setting CCleaner to do more than one pass is just wasting your time (previous article).
You can add custom files and directories to include in the wiping process. This is where you would add the setupapi.log file located in the C:\windows directory, just like in the screenshot below.
CCleaner Include Custom File
For more information on what is contained in the log take a peek at this article on microsoft.com.
If you’ve never used CCleaner I recommend it for taking care of the many temp files on your system. What’s even better is it has the ability to wipe the file and not just delete it.
If you have any tips or suggestions to add to the article then I encourage you to share them with a comment below.
Another tip I’d like to mention which many of you already probably know/do is to use software such as filemon and regmon or Process Monitor which contains both of the previouis apps I believe to test this stuff yourself. You can start up the application(s) and then plug in a USB device to see which logs and keys are updating.
This is one of the best ways to find artifacts.
Thanks for the post!
once the registry keys are deleted will it be possible to recover again?
Just use a live linux CD or DVD like puppy or slax.
If your using windows you are leaving tracks no matter what you do to the drive to cover up reg keys or wiping sectors on a drive.l
No drive—no evidence.
Thanks or the nice tips.
thanks for the nice tips
Look for something in the registry is not really easy via Regedit. It is long and you need to press “F3″ to continue the whenever you search registry entry. Read more from the guide for “Monitor, clean and optimize the Windows registry” at: http://forums.techarena.in/guides-tutorials/1298086.htm
I wonder why there is no setupapi.log in my %windir% …
Can someone help me ?
OddAnt: Windows root directory.
C:\windows\setupapi.log
@Soni : %windir% = C:\windows
Still not having the setupapi.log file
same for me… no file at C:\windows\setupapi.log
ssame for me… no file at C:\windows\setupapi.log
try search for setupapi.log in the from run
Use a live LINUX CD/DVD Slax,puppy,Knoppix, ETC and you will not have to worry about an OS that records every little thing you do.
What will happen if i delete the setupapi.log from my system and copy the setupapi.log from another system in the network ?