How to retrieve USB history and delete it? (Part-I)

Nowadays we use our USB ports to plug in many devices such as MP3 players, iPods and pen drives. These devices are also a vector for many viruses, trojans and backdoors, which can sometimes be lethal. Today I am going to discuss how we can keep track of all the USB devices that were connected to our computer (Windows XP / 7 / Vista). This trick can be very helpful if you find that some data has been stolen from your PC.

The USB history in a PC can be tracked by two methods:

a) By looking directly into the registry.

b) Or by using a tool.
Let's start with the registry method.

1. First open Run, type "regedit" and hit Enter.

Note: USB history can be found in two places in the registry:
 --HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
 --HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

2. The Registry Editor window opens; in that window, follow the steps shown in the image below.
(Here we will look into the second registry path mentioned above, but you can also try the first one.)
In the above image you can see that after I connected a pen drive, its information is present in the registry.
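
As an added example (not from the original post), the Python sketch below parses the text printed by `reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR /s` into one record per device, so the entries seen in regedit can be reviewed or archived outside the GUI. The sample output and its vendor, product and serial values are constructed, and `parse_usbstor` is a hypothetical helper name.

```python
import re

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR /s`
# output. Vendor, product and serial values are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\0123456789ABCDEF&0
    FriendlyName    REG_SZ    ExampleCo FlashDrive USB Device

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDrive&Rev_1.00\0123456789ABCDEF&0\Device Parameters
    FriendlyName    REG_SZ    value of a deeper subkey, must be ignored

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_Generic&Prod_CardReader&Rev_0.01\7&1a2b3c4d&0
    FriendlyName    REG_SZ    Generic CardReader USB Device
"""

ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR"
INSTANCE = re.compile(re.escape(ROOT) + r"\\([^\\]+)\\([^\\]+)$", re.I)
DEVICE = re.compile(r"([^&]+)&Ven_([^&]*)&Prod_([^&]*)&Rev_(.*)$")
VALUE = re.compile(r"\s+(.+?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")


def parse_usbstor(text):
    """Return one dict per device instance key found in `reg query /s` output."""
    devices, current = [], None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = None  # any new key line ends the previous record
            m = INSTANCE.match(line.strip())
            if m:
                dev = DEVICE.match(m.group(1))
                kind, vendor, product, rev = dev.groups() if dev else (m.group(1), "", "", "")
                inst = m.group(2)
                # '&' as second character: Windows generated the ID itself
                # because the device reported no serial number.
                reported = len(inst) > 1 and inst[1] != "&"
                current = {"type": kind, "vendor": vendor, "product": product,
                           "revision": rev, "instance_id": inst,
                           "serial": inst.rsplit("&", 1)[0] if reported else None,
                           "friendly_name": None}
                devices.append(current)
        elif current is not None:
            v = VALUE.match(line)
            if v and v.group(1) == "FriendlyName":
                current["friendly_name"] = v.group(3).strip()
    return devices


if __name__ == "__main__":
    for d in parse_usbstor(SAMPLE):
        print(d["vendor"], d["product"], d["serial"] or "(no device serial)", d["friendly_name"])
```
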

Now let's see how we can do this with a tool. The tool we will be using is NirSoft's USBDeview.

1. Download the tool and run it; it will show all the devices that were connected to your PC.

Note: Serial numbers are unique for external devices, but internal devices, as you can see, have the same serial number.

2. Now select any one of the external devices, right-click on it and select Properties. It will show you all the details about the external device, as shown in the image below.

Now that we have retrieved the history of the USB devices, let's see how we can delete this history information.

1. Open the Registry Editor window as shown in the steps above, then follow the on-screen steps shown in the image below.

2. After completing all the steps in the above image, you will be able to delete the registry key or subkey.
Doing this removes the traces, but the device can still be detected; we will cover that in Part-II.

Note: For Linux you can use USBVIEW.

If you find this post worthy enough to read, do drop a comment; it will be appreciated. :)



Reviewed by Satyajit (Admins, a.k.a Satosys) on Sunday, July 18, 2010

12 comments:

Tech Maish said...

Very useful tutorial. I will follow the same steps. Thanks for sharing.

Satyajit (Admins,a.k.a Satosys) said...

@Maish welcome to Compufreaks.... :)

Zamibaru said...

I can't delete the subkey. When I try to modify the permission I get "Access denied". I use Win 7 and I have administrator rights on the computer. What can I do?

Mike said...

I have the same issue as Zam, even though I am the administrator?

Gautam said...

Thanks... but we can still trace out the entries by using the software. Request you to mention Part-II.

Satyajit (Admins,a.k.a Satosys) said...

@Gautam surely, I will come up with Part-II soon, please wait.

Keep visiting... :)

kirl said...

Hi, can you publish the second part? Very interesting!

Anonymous said...

Hi,

It looks like this post is more than 2.5 years old. Is there a Part II, or will it never be published?

Prithvi

Unknown said...

Hi, can you please also explain this in a Linux (RHEL6) environment?

jayD said...

Very interesting... Please do publish the second part.

hcom01 said...

Is there a way to delete all USB history from the registry at once?

Unknown said...

Thanks brother....
