try search for setupapi.log in the from run
↧
By: poke
↧
By: Ezight
Use a live LINUX CD/DVD Slax,puppy,Knoppix, ETC and you will not have to worry about an OS that records every little thing you do.
↧
↧
By: nithyanandam
What will happen if i delete the setupapi.log from my system and copy the setupapi.log from another system in the network ?
↧
By: USB Device Not Recognized - Android Forums
[...] It's a problem with Windows where the hardware identifier is recognized as an "unrecognized device". You can resolve it by clearing the USB history, restarting the computer, and plugging in. The following page describes the process, and the registry locations are the same for xp/vista/7. Usual disclaimers about going into the registry, if you're not sure what you're doing, have a professional tech do it for you. One wrong move can render your windows install useless. Delete USB Device History from the Windows Registry (USBSTOR key) and the setupapi.log | Anti-Forens… [...]
↧
By: darkan9el
For anyone else asking, in Vista and Windows7 the setupapi.log file is now called setupapi.dev.log and is located in C:\Windows\inf
↧
↧
By: JohnD
This doesn’t seem to work in Windows 7? Anyone had any luck doing this in Win 7?
↧
By: EM
The registry value is still relevant to Win7, but the setupapilog has changed locations. Two files of interests are: C:\WINDOWS\INF\setupapi.dev.log and C:\WINDOWS\INF\setupapi.app.log.
↧
By: EM
My understanding of the file is that it is simply a log. It is not read for any information. Replacing it or deleting it will not have any adverse affect. If it is deleted, it will be re-created though.
↧
By: EM
Quite right. See http://support.microsoft.com/kb/927521 for more information.
↧
↧
By: Wibbly Bibbs
Deleting it? All that does is remove the pointer from the $MFT metafiles. It is still there until the computer decides to overwrite that section of the hard-drive. Even then the data is sometimes recoverable to an extent.
↧
By: Anonymous
I’ve been suffering with this problem for so long I’d considered changing phones, Deleting the log cured EVERYTHING!
Thank you VERY much!
↧
By: Dave
Windows 7 won’t let me delete HKLM/CurrentControlSet/Enum/USBSTOR/* keys from registry even though I am logged in with administrator account.
It just says “Error while deleting key”.
Any solutions?
↧
By: JD
I can find the registry value, just can’t delete. It won’t allow me to change the permissions.
↧
↧
By: Trilliarc
One should also note that an examiner will also look at LNK files to identify removable devices. LNK files will most likely show the drive letter that was used, last time used, creation time, and also what type of media it was (removable, etc.)
Heres a example:
Link File: xxxxxxxxxxxxx\C\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP59\A0044910.lnk
Link File Offset: 0
Link File Size: 315
File Flags: HASITEMID | ISFILEORFOLDER | HASWORKINGDIRECTORY
File Attributes: ARCHIVE
ShowWindow Value: SW_NORMAL
Created Date: 06/28/05 08:07:26AM
Last Written Date: 06/28/05 10:37:10AM
Last Accessed Date: 06/27/05 05:00:00PM
Volume Label: USB MEMORY
Media Type: Removable
Volume Serial: 9E 95 C3 A1
File Length: 49152
Base Path: E:\xxxxxxxxxxxxxxx.DOC
Working Directory: E:\
These LNK files can also be carved out of unallocated…so make sure you thoroughly WIPE your ASS!
↧
By: himel
if the usbstor folder deleted in xp how can I find it out and how many ways are there to check the history even after deleted?
↧
By: Paul
How I do that on a Linux system – Red Hat?
any command or program?
↧