I want to automatically alter dates in part of the registry.

I need to scramble the date data in USBSTOR that indicates the date a
USB device was plugged into the computer.

Ideally I want CCleaner to do this.

Has anyone had any experience in doing this?

Help, Peter

Re: I want to automatically alter dates in part of the registry.

Peter Jason wrote:


Why not just delete the enumeration data for the USB device from the

I don't see anywhere in CCleaner where you can configure it to delete
registry keys or data values under them.  You can include folders/files
to clean or exclude them but you can't specify your own registry items
to clean.

You could use Nirsoft's USBdeview to uninstall USB devices.  I haven't
tested this but I suspect that will delete the enumeration data in the
registry for the uninstalled USB device.  USBdeview has command-line
switches you can use to run it in a script.  You would use one of the
remove parameters to remove the device(s).  

I haven't specifically done this but I suspect you could use Microsoft's
devcon.exe utility.  It's a command-line version of the GUI utility for
Device Manager (devmgmt.msc).  You can uninstall devices using devcon.
"devcon hwids =usb" will show you all the hwids (that you later use in
an uninstall command) for devices in the USB class.  Then use "devcon
remove <hwid>" to remove the device.  If you want to remove all devices
of a class, like all USB devices, use "devcon remove =usb"; however,
that means you remove *all* USB devices, including the [root] hubs
(controllers) and not just the externally plugged in USB devices (thumb
drives, printers, etc).  You would need to do a hardware rescan to
reinstall all your USB devices again, so you really might want to just
remove particular USB devices using their hwids.

If you know which USB and USBSTOR registry keys you want to delete using
a script, you could use reg.exe to add/modify/delete registry keys or
their data items or their values.  For example, you run "reg.exe delete"
with additional parameters to specify what registry keys you want to

Whatever you do while putzing around in the registry, you better save
image backups (not just a registry export) and have bootable rescue
media to restore your host in case you do something massive that results
in an unbootable OS.

Re: I want to automatically alter dates in part of the registry.


Thanks, I used to do this but when re-attaching the device later I
have to go through all the "found new hardware" dialogues.  Though I may
have to settle on this later.

I have the Nirsoft "USB Deview" and this does a good job of listing
the devices connected and those previously so.  Curiously though it
only gives the last unplug/plugin time for those devices still
connected, and an N/A indication for those that are not.  This "USB
Deview" lists many properties such as: "instanceID" and numerous

I can get to the USB device in regedit, e.g.:

When I expand this there is a "Properties" that denies me access and I
can't override this, even under "Permissions".  How does one turn on
these "Permissions" for the whole registry?  This may be why the
Nirsoft Deview can't give the last access time.

I have a book called "Computer Forensics Hacking Exposed", ISBN
978-0-07-162677-8, that implies the data I want is in the
"RegistryKey.txt".  Here is this book's relevant example entry:

Key Name:
Class Name: <NO CLASS>
Last Write Time: 12/15/2008 - 7:33 AM

This gives the access date & time I want for my computer.  How can
I turn on ALL the data in the registry?

I assume there's a similar part of the registry that records the
activities of HDDs too.


Re: I want to automatically alter dates in part of the registry.

Peter Jason wrote:


For me, whether the Connected status is No or Yes, the Last Plug/Unplug
datestamp is non-blank.  This is for my printer (connected), headset
(not connected), USB flash drive (not connected), Magicjack USB dongle
(connected), and USB mouse (connected). So maybe that date data isn't
available in your registry for your unconnected-but-still-enumerated USB

I did not see any entries in the USB enumeration data for datestamps.
From http://www.forensicswiki.org/wiki/USB_History_Viewing , that info is
stored elsewhere.  Since this relies on the PnP Manager, maybe that info
won't be there if you disabled that NT service.  Some folks and tweakers
recommended disabling PnP due to [old] security vulnerabilities (e.g.,
http://technet.microsoft.com/en-us/security/bulletin/ms05-039).  While I
have the PnP service enabled (PlugPlay), I do have the UPnP service
(upnphost) disabled that's used for discovery across the network.

From that forensics article and another describing the command-line usp
utility (http://www.tzworks.net/prototype_page.php?proto_id=13 ),
setupapi.log is used for the Create date, yet I don't have any setupapi*
logfiles on my computer although USBdeview still shows a Create date.
From that 2nd article, however, it notes the Last Plug/Unplug time is
taken from the HKU hive, but I haven't the registry entries for those
datestamps.  So I used Zsoft Uninstaller to take a snapshot before and
after plugging in a USB flash drive to see what changed.  The following
registry key got changed in the user hive:

(the "Data" labelled data item is binary but looks to be text)

is what Windows happened to pick
for the ID in my particular setup.  It's also listed (without the
datestamp for plug/unplug) under:


I don't know how the linkage works between all these registry entries, there
are so many interdependent entries, and I wasn't really that interested in
doing further research, so you'll have to figure out where they keep the
datestamp info.  I've got some other stuff to do.


Typically I right-click on the registry key (not a data item), select
Permissions, select the Everyone or Creator Owner account and give it
full permissions.  Then I can delete the key.

I just did this for a USB flash drive.  I removed it (unplugged),
right-clicked on its registry key under USBSTOR and selected the
Everyone account, enabled full control, and deleted the key.  It
disappeared from the registry (the delete worked).  When I plug the
device back in, I get the "found new hardware" popup because, well, the
device wasn't enumerated anymore.  The info previously recorded for it
was gone so it had to recreate the enumerated registry key for it.


As I said, I gave up trying to figure out where the datestamp info is
held in the registry.  It isn't part of the enumeration data used to
define the device.  It's somewhere on how and when the device got used.


Yet if you look in the key under USBSTOR for that USB flash drive then
you find no data item whose name indicates it holds a datestamp.  So
where does the "Last write time" info come from?

http://eptuners.com/forensics/contents/examination.htm#The Registry as a Log:

Mentions a LastWrite value associated with registry keys that show when
they were last updated.  I don't think you're going to see that using
regedit.exe which is a basic tool to show you in text the binary
contents of the database for the registry.  There are lots of things
about the registry that regedit.exe won't show you.  There are, for
example, keys that aren't for you to modify even as an admin.

That article mentions a utility to see the write (modified) datestamp of
a registry key.  On a whim, I used Nirsoft's Registry Scanner.  After it
shows some matching results in a search, you can right-click on one of
them to see its properties - of which one property is the Key Modified
Time.  Well, if this datestamp is a normal invisible property (unless
you use the registry API to get record info) then deleting the registry
key should eliminate finding any datestamp for it.

You are using viewers to look into the binary database called the
registry.  So what you get to see is what the viewer chooses to show
you.  Some show more than others.  There still is info in the registry
that requires using the registry API in Windows to see all information
within the database, like record age, record length, and so on.  I don't
think you want to learn the Windows registry API to write up your own
program to find out everything about the registry and each record within
it, but if you do you can start here:


Instead you, I, and other users wanting to dig further into the registry
beyond what regedit.exe provides have to look at forensic tools that did
all that work for us.

So it looks like you're stuck with deleting the USB or USBSTOR registry
keys for a device to eliminate the last write or last plug time.  That
means when you plug the device in next time that there is no enumeration
data for it and you'll have to go through the "found new hardware"
wizard again.
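One way to read that otherwise-invisible timestamp, as an added example that is not code from this thread or from any of the tools mentioned in it: a PowerShell script (assumed to run in Windows PowerShell 5.x on .NET Framework 4 or later, whose RegistryKey.Handle property it relies on; the function names and the output field names are my own) that calls the Win32 RegQueryInfoKey API on every USBSTOR instance key and reports the key's LastWrite time next to its FriendlyName. It only reads the enumeration keys; it never writes to or deletes anything.

```powershell
# Added example, not from the thread: show the LastWrite timestamp of each
# USBSTOR instance key, which regedit.exe does not display but the registry
# API returns. Assumes Windows PowerShell 5.x / .NET Framework 4+.

$signature = @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey,
    IntPtr lpClass,                // NULL: we do not need the class name
    IntPtr lpcchClass,             // may be NULL when lpClass is NULL
    IntPtr lpReserved,
    out uint lpcSubKeys,
    out uint lpcbMaxSubKeyLen,
    out uint lpcbMaxClassLen,
    out uint lpcValues,
    out uint lpcbMaxValueNameLen,
    out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor,
    out long lpftLastWriteTime);   // FILETIME: 100 ns ticks since 1601-01-01 UTC
'@
$native = Add-Type -MemberDefinition $signature -Name 'RegNative' `
                   -Namespace 'UsbStorAudit' -PassThru

function Get-RegKeyLastWriteTime {
    # Returns the key's LastWrite time as a UTC DateTime (hypothetical helper name).
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    $subKeys = [uint32]0; $maxSub = [uint32]0; $maxClass = [uint32]0
    $values  = [uint32]0; $maxName = [uint32]0; $maxData = [uint32]0
    $sdLen   = [uint32]0; $fileTime = [long]0
    $rc = $native::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$subKeys, [ref]$maxSub, [ref]$maxClass, [ref]$values,
        [ref]$maxName, [ref]$maxData, [ref]$sdLen, [ref]$fileTime)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed for '$($Key.Name)' with Win32 error $rc" }
    return [DateTime]::FromFileTimeUtc($fileTime)
}

function Get-UsbStorHistory {
    # Walks HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR\<device>\<instance> read-only.
    # The per-instance "Properties" subkey is ACL'd to SYSTEM and is deliberately
    # not opened, so the script works from an ordinary admin prompt.
    $usbstor = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey(
        'SYSTEM\CurrentControlSet\Enum\USBSTOR')
    if (-not $usbstor) {
        Write-Warning 'No USBSTOR key: no USB mass-storage device has been enumerated on this host.'
        return
    }
    try {
        foreach ($deviceName in $usbstor.GetSubKeyNames()) {        # e.g. Disk&Ven_...&Prod_...
            $device = $usbstor.OpenSubKey($deviceName)
            try {
                foreach ($instanceName in $device.GetSubKeyNames()) { # serial number or instance id
                    $instance = $device.OpenSubKey($instanceName)
                    try {
                        [PSCustomObject]@{
                            Device       = $deviceName
                            Instance     = $instanceName
                            FriendlyName = $instance.GetValue('FriendlyName')
                            LastWriteUtc = Get-RegKeyLastWriteTime -Key $instance
                        }
                    } finally { $instance.Close() }
                }
            } finally { $device.Close() }
        }
    } finally { $usbstor.Close() }
}

Get-UsbStorHistory | Sort-Object LastWriteUtc | Format-Table -AutoSize
```

Two things to keep in mind when reading the output: the LastWrite time belongs to the key, not to the device, so it moves whenever Windows rewrites any value under that instance key (a driver update or a property refresh will bump it just as a plug-in does), which is why the forensic references above treat it only as a "last modified" indicator and pull the plug/unplug times from elsewhere. And because the timestamp is a property of the key record itself, deleting the key is the only thing in regedit that makes it go away, which is the conclusion the post above reaches.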
