Wednesday, November 20, 2013

Windows 8 New Registry Artifacts Part 1 - New Device Timestamps

Tracking USB device insertion times has never been an easy task, given that Windows saves no direct timestamp for this activity; that is, until Windows 8 arrived! This was a real pain in Windows Vista and 7, as dates and times had to be obtained from the Last Modified timestamps of many different Registry keys. And while this was reasonably reliable, timestamps retrieved that way always had to be taken with a pinch of salt!

All that changes with Windows 8. After a bit of experimentation, I have found that Windows 8 has added 3 new timestamps to the registry: Device Last Insertion Date, Device Last Removal Date and Firmware Date. They are located alongside the other device properties in the SYSTEM hive under CurrentControlSet\Enum\DeviceType\DeviceID\InstanceID\{GUID}\Properties\xxxx

Example: \CurrentControlSet\Enum\USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler_G3&Rev_PMAP\000FEAFB9197BC7067D500C8&0\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0066\(Default)

The picture below will make things clear.

All timestamps are stored in the standard Windows 64-bit FILETIME format.

Windows 7 already had these three timestamps:

Name                  Property Path
Driver Assembly Date  {a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0002
Install Date          {83da6326-97a6-4088-9453-a1923f573b29}\0064
First Install Date    {83da6326-97a6-4088-9453-a1923f573b29}\0065

Edit for clarification: The property paths shown above are for Windows 8. In Windows 7, these are found under "{GUID}\00xx\00000000\Data" instead of "{GUID}\00xx".

Comment: I have always seen Install Date and First Install Date contain the exact same timestamp. My guess is that they only differ when a driver is re-installed or updated. Update: Harlan Carvey has discussed this issue and the above timestamps here: http://windowsir.blogspot.com/2013/01/there-are-four-lights-usb-accessible.html

Windows 8 adds 3 new timestamps:

Name               Property Path
Last Arrival Date  {83da6326-97a6-4088-9453-a1923f573b29}\0066
Last Removal Date  {83da6326-97a6-4088-9453-a1923f573b29}\0067
Firmware Date      {540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0011

After some research, I was able to verify these details by looking into the Windows SDK: these properties are defined in the include file 'devpkey.h'. The last timestamp, 'Firmware Date', was only introduced in Windows 8.1 and I have not yet seen it in the registry. 'Last Arrival' is the term used by Microsoft; I prefer to call it 'Last Insertion'.

With this new information, we have accurate timestamps and no longer need to jump through hoops to determine Last Insertion (arrival) and Last Removal times. There are a few other changes in the Windows 8 registry, which will be covered in subsequent parts of this series of posts on the Win 8 Registry.

That's not all that changes when devices are inserted into a Windows 8 machine. In the next article I will walk through all the Windows event log changes. In case you are wondering: yes, there are plenty of events in the event logs for device setups, insertions and removals.

14 comments:

  1. These aren't new to Windows 8; these exist in Windows 7, as well.

    Replies
    1. Harlan, Properties 66 & 67 regarding last insertion and last removal have only been introduced in Windows 8, and that is what this post is about. They are not present on a Windows 7 system.

      I believe I have clearly indicated which ones appear in win7 and which ones in win8, what other way would you want me to explain it?

  2. More specifically, the first two times, from the 0x0064 and 0x0065 subkeys, were discussed here:

    http://windowsir.blogspot.com/2013/01/there-are-four-lights-usb-accessible.html

    Replies
    1. Good to know someone's written about it. I had pointed out those keys (64, 65) to Mark Woan about a year back and he had acknowledged and subsequently added to his USBDeviceForensics tool which I think is the best tool hands-down for USB forensics.

    2. I have updated the post to include a reference to this URL now.

  3. Hi Yogesh,
    I am Krishna from CFSL, Hyd. I hope you remember me. I have a case wherein the OSs are Windows 2000 Professional and Windows XP. I was able to locate the USB insertions in the registry, but I want to know the timings of the insertions. Is there any way in these OSs? Please advise.
    Krishna M

    Replies
    1. Good to hear from you, Krishna ji.
      These keys do not exist on XP or Win2k. SANS has a good step-by-step procedure to get this information. Just google for 'sans usb forensics pdf' and the first few links will be helpful to you. I would also suggest Nirsoft's USBDeview tool and Mark Woan's USBDeviceForensics.

  4. Jimmy,
    please take a look at this post.

    http://www.swiftforensics.com/2013/12/device-lastremovaldate-lastarrivaldate.html

    Replies
    1. Hi ... can you help me ... I have to create a USB forensics challenge

  5. Any idea why the "Properties" key is not accessible for me? I tried on two different systems, both running Windows 8.1, and I don't have permission to open that key although I am running as administrator. The exact error is:

    [Window Title]
    Error Opening Key
    [Content]
    Properties cannot be opened.
    An error is preventing this key from being opened.
    Details: Access is denied.

  6. Yogesh,

    This page is still one of my favorite places to quickly reference the USB timestamp property keys. Is it just me or does the graphic/picture not match up to the details written though? Shouldn't the 0064 key be labeled Install and the 0065 key be labeled First Install?

    Replies
    1. Wow, 5 years and this is the first time someone has noticed this! Yes, this needs a resolution. The problem is 9/10 times the values of Install & First Install are the same, so I need to find a good sample to test!

  7. Sorry for replying to an old post, but I'm stuck on a big project and your post has gotten me as close as I've been so far in solving a critical R&D conundrum: how to know when my device was last connected to the computer.

    ... but I'm getting "Access Denied" starting at \Properties.

    I get that I can give myself permission on my own dev machine to read 0066, but what about customers? Isn't there any other way to get the last arrival date that doesn't require an escalation of some sort? This needs to work for even the most vanilla of user accounts.

    Thanks, Yogesh!
