Sometimes we need to know what USB devices were connected to our computer in our absence. This information could be very useful for the forensic examiner or in the general case also where we just want to know what USB devices were used .
Windows registry is a database in Windows which stores settings of the operating system, hardware devices, software programs and user preferences settings.
Whenever we insert a USB drive in a computers a registry key with name “USBSTOR” is created this registry key store information about that USB device and whatever info the OS need to know can be found in this registry key.
In the registry go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR and there you will find a registry key with name “USBSTOR” .
Getting USB History With Single Powershell Command
You can get all this information by just using a single command PowerShell
To do this, open Powershell (the shortcut is Win+X I) and type:
Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select FriendlyName
Then press Enter, and you will get the history of all USB devices that have been used on your computer.
If you want to save all this information in a text file the PowerShell commands will be:
Get-ItemProperty -Path HKLM:SYSTEM\CurrentControlSet\Enum\USBSTOR\*\* | Select FriendlyName | out-file $file