Technical activity log Windows 11 USB stick removal time?

patrickhenne57Bypatrickhenne57

Hello everyone,

My Philips Moon USB flash drive was stolen in what was possibly about two minutes of inattention (room confidentiality) at a fast-food restaurant. On computers, not a single process runs unnoticed by the device itself. Can someone give me a way to run a program or point me to details in the registry that might be the right way to find out and document for my theft report when the last connection to this so-called mobile device was made?

(1 votes)
Loading...

Similar Posts

Subscribe
Notify of
3 Answers
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
datarescue
datarescue
4 months ago

I’m sorry something happened to you. I hope you didn’t have any sensitive data unencrypted on the stick.

As a rule, a USB stick also leaves traces on your computer that can still be seen after its separation. You can try the Registry or system logs to find references to the last connection of your USB stick.

Here are possible steps:

1. Search in the registry after the USB stick

Windows stores information about connected USB devices in the registry.

Open Registry:

Win + R -> regedit

Navigation to the USB area:

Here you will find a list of all USB mass storage devices that have ever been connected to your PC:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Identify your stick:

  • Search for an entry to your Philips moon– Stick fits. The name can be in the details of the entry or under the manufacturer name.
  • Check the LastWriteTimethat will show you the time of the last change.

Two. Use event display

The Windows event display logs most hardware actions, including the connection of USB devices:

Open event display:

Win + R -> eventvwr

Search Relevant Logs:

Go to Windows Protocols -> System and search for events with the source Kernel PnP or Discipline. These log the connection and removal of USB devices.

You can filter or browse the logs by Event ID 200 (device connected) or 210 (device removed).

3. Use Forensic Tools

If you don’t have enough information about the above, there are specialized tools that can analyze USB activities in detail:

  • USBDeview (by NirSoft): Shows a list of all USB devices ever connected, including serial number, last connection and distance.
  • USBLogView: Logs the activities of USB devices on your system. Here I am no longer sure whether this is historical or only from the installation.
-1
deruser1973
deruser1973
4 months ago

There’s no way to track your stick’s path…

If you were smart, you encoded the files on it…

Otherwise, expect your files to appear somewhere where you don’t want them…

3
guterfrager5
guterfrager5
4 months ago
Reply to  deruser1973

Do you know Nirsoft Utils (nirsoft.net)? You could do that for Windows Logging maybe to be found. The type has all sorts of small programs to get out of Windows, which Microsoft doesn’t want to show at first glance or trouble hiding 😅

I would have done it now USBDeview thought. This allows you to display which devices are connected (at the time when it was first and when last seen) and what kind of device (i.e. like memory, HID, loudspeaker, cell phone etc.

However, it does not show an ID to (at least for non-connected devices) so I don’t know how this should help with proofing because it could be any USB stick;-;

0