Peter Jason wrote:
> On Thu, 19 Apr 2012 21:17:42 -0500, VanguardLH <V@nguard.LH> wrote:
>
>>Peter Jason wrote:
>>
>>> I need to scramble the date data in USBSTOR that indicates the date a
>>> USB device was plugged into the computer.
>>>
>>> Ideally I want CCleaner to do this.
>>>
>>> Has anyone had any experience in doing this?
>>>
>>> Help, Peter
>>
>>Why not just delete the enumeration data for the USB device from the
>>registry?
>
> Thanks, I used to do this but when re-attaching the device later I
> have to go thru all the "found new hardware" dialogues. Though I may
> have to settle on this later.
>>
>>I don't see anywhere in CCleaner where you can configure it to delete
>>registry keys or data values under them. You can include folders/files
>>to clean or exclude them but you can't specify your own registry items
>>to clean.
>>
>>You could use Nirsoft's USBdeview to uninstall USB devices. I haven't
>>tested this but I suspect that will delete the enumeration data in the
>>registry for the uninstalled USB device. USBdeview has command-line
>>switches you can use to run it in a script. You would use one of the
>>remove parameters to remove the device(s).
>
> I have the Nirsoft "USB Deview" and this does a good job of listing
> the devices connected and those previously so. Curiously though it
> only gives the last unplug/plugin time for those devices still
> connected, and a N/A indication for those that are not. This "USB
> Deview" lists many properties such as: "instanceID" and numerous
> others.
For me, whether the Connected status is No or Yes, the Last Plug/Unplug
datestamp is non-blank. This is for my printer (connected), headset
(not connected), USB flash drive (not connected), Magicjack USB dongle
(connected), and USB mouse (connected). So maybe that date data isn't
available in your registry for your unconnected-but-still-enumerated USB
devices.
I did not see any entries in the USB enumeration data for datestamps.
From http://www.forensicswiki.org/wiki/USB_History_Viewing, that info is
stored elsewhere. Since this relies on the PnP Manager, maybe that info
won't be there if you disabled that NT service. Some folks and tweakers
recommended disabling PnP due to [old] security vulnerabilities (e.g.,
http://technet.microsoft.com/en-us/s...letin/ms05-039). While I
have the PnP service enabled (PlugPlay), I do have the UPnP service
(upnphost) disabled that's used for discovery across the network.
From that forensics article and another describing the command-line USP
utility (http://www.tzworks.net/prototype_page.php?proto_id=13),
setupapi.log is used for the Create date yet I don't have any setupapi*
logfiles on my computer although USBdeview still shows a Create date.
From that 2nd article, however, it notes the Last Plug/Unplug time is
taken from the HKU hive but I haven't the registry entries for those
datestamps. So I used Zsoft Uninstaller to take a snapshot before and
after plugging in a USB flash drive to see what changed. The following
registry key got changed in the user hive:
HKU\<myaccountSID>\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{1128cd39-4cbb-11e1-8183-00508df5de0f}
(the "Data" labelled data item is binary but looks to be text)
{1128cd39-4cbb-11e1-8183-00508df5de0f} is what Windows happened to pick
for the ID in my particular setup. It's also listed (without the
datestamp for plug/unplug) under:
HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices
I don't know how the linkage works between all these registry entries, there
are so many interdependent entries, and wasn't really that interested in
doing further research, so you'll have to figure out where they keep the
datestamp info. I've got some other stuff to do.
> I can get to the USB device in the regedit: EG:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02
>
> When I expand this there is a "Properties" that denies me access and I
> can't override this, even under "permissions". How does one turn on
> these "Permissions" for the whole registry?
Typically I right-click on the registry key (not a data item), select
Permissions, select the Everyone or Creator Owner account and give it
full permissions. Then I can delete the key.
I just did this for a USB flash drive. I removed it (unplugged),
right-clicked on its registry key under USBSTOR and selected the
Everyone account, enabled full control, and deleted the key. It
disappeared from the registry (the delete worked). When I plug the
device back in, I get the "found new hardware" popup because, well, the
device wasn't enumerated anymore. The info previously recorded for it
was gone so it had to recreate the enumerated registry key for it.
> This may be why the
> Nirsoft Deview can't give the last access time.
As I said, I gave up trying to figure out where the datestamp info is
held in the registry. It isn't part of the enumeration data used to
define the device. It's somewhere on how and when the device got used.
>
> I have a book called: "Computer Forensics Hacking Exposed" isbn
> 978-0-07-162677-8 that implies the data I want is in the
> "RegistryKey.txt" Here is this book's relevant example entry....
>
> ***
> RegistryKey.txt
> Key Name:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveller_2.0&Rev_1.00e\00100000000000000000297&0\Device Parameters\MediaChangeNotification
> Class Name: <NO CLASS>
> Last Write Time: 12/15/2008 - 7:33 AM
> ****
Yet if you look in the key under USBSTOR for that USB flash drive then
you find no data item whose name indicates it holds a datestamp. So
where does the "Last write time" info come from?
http://eptuners.com/forensics/conten...nation.htm#The Registry as a Log:
Mentions a LastWrite value associated with registry keys that show when
they were last updated. I don't think you're going to see that using
regedit.exe which is a basic tool to show you in text the binary
contents of the database for the registry. There are lots of things
about the registry that regedit.exe won't show you. There are, for
example, keys that aren't for you to modify even as an admin.
That article mentions a utility to see the write (modified) datestamp of
a registry key. On a whim, I used Nirsoft's Registry Scanner. After it
shows some matching results in a search, you can right-click on one of
them to see its properties - of which one property is the Key Modified
Time. Well, if this datestamp is a normal invisible property (unless
you use the registry API to get record info) then deleting the registry
key should eliminate finding any datestamp for it.
You are using viewers to look into the binary database called the
registry. So what you get to see is what the viewer chooses to show
you. Some show more than others. There still is info in the registry
that requires using the registry API in Windows to see all information
within the database, like record age, record length, and so on. I don't
think you want to learn the Windows registry API to write up your own
program to find out everything about the registry and each record within
it, but if you do you can start here:
http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx http://msdn.microsoft.com/en-us/libr...(v=vs.85).aspx
Instead you, I, and other users wanting to dig further into the registry
beyond what regedit.exe provides have to look at forensic tools that did
all that work for us.
So it looks like you're stuck with deleting the USB or USBSTOR registry
keys for a device to eliminate the last write or last plug time. That
means when you plug the device in next time that there is no enumeration
data for it and you'll have to go through the "found new hardware"
wizard again.
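The point made above (regedit never displays a key's last-write time, but the registry API returns it) can be demonstrated with a short script. The following is an added example, not code from the thread or from any of the tools it mentions: it walks the USBSTOR enumeration keys the way an administrator or investigator reviewing a machine's USB device history would, and reads each instance key's last-write timestamp through RegQueryInfoKey (exposed in Python as `winreg.QueryInfoKey`). The registry path and the FILETIME epoch are standard Windows facts; the helper names and the sample tick values are this example's own.

```python
"""Added example (not from the thread): list USBSTOR device instance keys
together with the registry key last-write time that regedit hides.

Assumptions: Windows with the built-in winreg module; run from an
elevated prompt so every key can be opened for reading. The function and
variable names below are this example's own choices."""
from datetime import datetime, timedelta, timezone

try:
    import winreg  # Windows only; guarded so the conversion helper is usable elsewhere
except ImportError:
    winreg = None

# Enumeration data for USB mass-storage devices, as discussed in the thread.
USBSTOR_PATH = r"SYSTEM\CurrentControlSet\Enum\USBSTOR"

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """Convert a FILETIME tick count (what winreg.QueryInfoKey returns as its
    third element) into a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def key_last_write(hive, path: str) -> datetime:
    """Return the last-write time of one registry key via RegQueryInfoKey."""
    with winreg.OpenKey(hive, path, 0, winreg.KEY_READ) as key:
        _n_subkeys, _n_values, ticks = winreg.QueryInfoKey(key)
        return filetime_to_datetime(ticks)


def usbstor_history(hive=None, base: str = USBSTOR_PATH) -> list:
    """Return (device_key, instance_id, last_write_utc) tuples for every
    instance key under USBSTOR.

    Each device key (e.g. Disk&Ven_SanDisk&Prod_Cruzer&Rev_8.02) holds one
    subkey per physical instance; that subkey's last-write time is the
    value the thread was looking for and regedit does not show."""
    if winreg is None:
        raise RuntimeError("winreg is only available on Windows")
    if hive is None:
        hive = winreg.HKEY_LOCAL_MACHINE
    rows = []
    with winreg.OpenKey(hive, base, 0, winreg.KEY_READ) as root:
        n_devices, _, _ = winreg.QueryInfoKey(root)
        for i in range(n_devices):
            device = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, device, 0, winreg.KEY_READ) as devkey:
                n_instances, _, _ = winreg.QueryInfoKey(devkey)
                for j in range(n_instances):
                    instance = winreg.EnumKey(devkey, j)
                    rows.append((device, instance, key_last_write(devkey, instance)))
    return rows


if __name__ == "__main__":
    # Oldest first, so a device deleted and re-enumerated shows up as recent.
    for device, instance, ts in sorted(usbstor_history(), key=lambda r: r[2]):
        print(f"{ts:%Y-%m-%d %H:%M:%S} UTC  {device}\\{instance}")
```

Deleting a device's USBSTOR key, as described in the post, removes the key and therefore this timestamp along with it; re-plugging the device recreates the key with a fresh last-write time, which is exactly what a reviewer comparing two runs of this script would notice.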