Tracing USB Device artefacts on Windows XP operating system for forensic purpose Abstract
- Format: pdf
- Size: 278.93 KB
- Pages: 9
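An advanced answer to "inaccessible boot device"

Introduction: When using the Windows operating system you may run into various error messages; one common one is "inaccessible boot device". This error usually means the system cannot access the boot device during startup, so the computer cannot start normally. This article provides an advanced answer for resolving the problem and restoring normal operation.

Step 1: Check the hardware connections
1. Shut down the computer and unplug the power cord.
2. Open the computer case and check that the hard disk and its data cable are properly connected. Make sure the data cable connector is not loose.
3. For a SATA hard disk, try replacing the data cable or switching to a known-good SATA port.
4. For an IDE hard disk, make sure the master/slave selection is correct and check that the IDE data cable is properly connected.

Step 2: Check for hard disk failure
1. With the computer shut down, start it again and enter the BIOS setup screen. The way to enter BIOS setup differs between brands and models; usually it is by pressing Del, F2, F10 or F12.
2. In the BIOS setup screen, find the "Boot" or "Boot Device" option and make sure the hard disk is set as the first boot device. If you cannot find this option, consult the motherboard manual or contact the computer manufacturer for more specific guidance.
3. Save the settings, exit the BIOS, and see whether the system starts normally. If the problem persists, the hard disk may need to be tested for faults.
4. You can run a full test with a hard disk self-test tool such as WD Data Lifeguard Diagnostic or Seagate SeaTools. These tools can be downloaded free of charge from the disk manufacturers' official websites.

Step 3: Repair the boot record
1. If the hard disk is not faulty, you can try repairing the boot record with the Windows Recovery Environment.
2. Start the computer from a Windows installation disc or recovery disc. Set the optical drive as the first boot device and insert the Windows disc into the drive.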
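What to do when the computer blue-screens and restarts at boot and Safe Mode cannot be entered

A Windows computer has blue-screened and Safe Mode cannot be entered either; what can be done? Below is related material compiled by the site on this problem; we hope it helps.

How to fix a computer that blue-screens and restarts at boot and cannot enter Safe Mode

Step 1: Download and install software for creating a bootable USB drive, such as 老毛桃 (Laomaotao) or 大白菜 (Dabaicai). Search Baidu for "大白菜下载", find the entry for the latest official version of the Dabaicai USB boot disk creation tool in the Baidu Software Center, download it, then locate the installer and follow the prompts to install it. (Note: Step 1 and Step 2 must be done on another computer.)

Step 2: Create the bootable USB drive. Insert the prepared USB drive into the computer, double-click the [大白菜UEFI版] icon on the desktop, and in the [Default mode] tab of the Dabaicai window click "One-click create bootable USB drive". A dialog appears: "Warning: This operation will delete all data on drive D: and it cannot be recovered. To continue, click OK. To exit, click Cancel." If the USB drive holds data that must be kept, move it to the computer first. Click OK; creation of the bootable USB drive starts, so wait a moment. Another dialog appears: "One-click bootable USB drive creation complete! Do you want to test booting the USB drive with the 'computer emulator'? Note: the emulator is only for boot testing; testing PE and other tools is not recommended!" Click Yes (Y). When the screen shown in the figure below appears, the bootable USB drive has been created successfully.

Step 3: Fix the faulty computer's blue screen error "inaccessible boot device". Insert the bootable USB drive into the faulty computer, power on, and enter the BIOS to set the computer to boot from the USB drive. For how to set this, see the Baidu Jingyan article "A new approach to installing a system from a USB drive, with multi-system installation guaranteed"; for the key used to enter the BIOS, see the figure below. After entering the Dabaicai system installation interface, click My Computer (Computer), go to <system drive>\Windows\System32\config\RegBack, right-click SYSTEM, and click Copy (C) in the context menu. Go back to the config folder window, right-click an empty area, and click Paste in the context menu (if prompted whether to overwrite the existing SYSTEM, choose "Yes".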
The computer reports "Unrecognized USB device": solutions when the computer cannot recognize a USB device

[Solutions]:
Scenario 1:
1. Click Start, right-click My Computer, select Manage, and select Device Manager in the window that opens.
2. Double-click the "Universal Serial Bus controllers" item and uninstall all greyed-out entries and USB Mass Storage Devices under it.
3. Right-click the "Universal Serial Bus controllers" item and select "Scan for hardware changes" from the drop-down menu.
4. Unplug the USB device and plug it in again, then check whether it is recognized.

Scenario 2:
1. Following the steps above, find "Universal Serial Bus controllers", expand it, find the "USB Root Hub" item, and right-click to open its properties.
2. In the properties window, switch to the Power Management tab, clear "Allow the computer to turn off this device to save power", and click OK (repeat for the properties of each USB Root Hub).
3. When the settings are complete, restart the computer and try again.
4. If that still does not work, you can uninstall USB Root Hub.
5. Restart after uninstalling. Plug in your USB device and try again.

Scenario 3:
1. Click Start, click Run, type "regedit" in the Open box and click OK; in Registry Editor, open the following path step by step:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
2. In the right-hand pane, delete the "UpperFilters" and "LowerFilters" values, then restart the computer and plug in your USB device.

[Win7 solutions]
[Problem description]: The USB device is not recognized
[Solutions]:
Scenario 1:
1. Click Start, right-click Computer, select Manage, and select Device Manager in the window that opens.
2. Double-click the "Universal Serial Bus controllers" item and uninstall all greyed-out entries and USB Mass Storage Devices under it.
3. Right-click the "Universal Serial Bus controllers" item and select "Scan for hardware changes" from the drop-down menu.
4. Unplug the USB device and plug it in again, then check whether it is recognized.

Scenario 2:
1. Following the steps above, find "Universal Serial Bus controllers", expand it, find the "USB Root Hub" item, and right-click to open its properties.
2. In the properties window, switch to the Power Management tab, clear "Allow the computer to turn off this device to save power", and click OK (repeat for the properties of each USB Root Hub).
3. When the settings are complete, restart the computer and try again.
4. If that still does not work, you can uninstall USB Root Hub.
5. Restart after uninstalling. Plug in your USB device and try again.

Scenario 3:
1. Click Start, click Run, type "regedit" in the Open box and click OK; in Registry Editor, open the following path step by step:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}
2. In the right-hand pane, delete the "UpperFilters" and "LowerFilters" values, then restart the computer and plug in your USB device.

Fault analysis and solutions when the computer cannot recognize a USB device.
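An advanced answer to "inaccessible boot device" (reply)

Inaccessible Boot Device is a common error in the Windows operating system. It indicates that, given the system configuration, Windows cannot access or read part of the boot device. When you hit this error you see a blue screen and the system cannot start. In this article I will walk you through the Inaccessible Boot Device error step by step and provide solutions.

Step 1: Understand the Inaccessible Boot Device error
The Inaccessible Boot Device error usually occurs in the following situations:
1. A new hardware device was installed or upgraded.
2. A new driver was installed or an existing driver was updated.
3. The boot configuration file has an error.
4. A damaged hard disk drive or storage controller.

Step 2: Restart and check the hardware connections
First, try restarting your computer. This can resolve some temporary hardware connection problems. Make sure the hard disk's data cable and power cable are firmly connected, and check that other hardware (such as RAM modules and the graphics card) is correctly installed.

Step 3: Rule out driver problems
1. If you recently installed a new hardware device, disconnect it and restart the computer. If the error disappears, the problem may be caused by that device's driver. In that case, try updating or reinstalling the relevant driver.
2. If you recently installed a new driver or updated an existing one, try entering Safe Mode. In Safe Mode the system loads only essential drivers, which can help you determine which driver is causing the problem. In Safe Mode, open Device Manager and uninstall the recently updated driver.

Step 4: Repair the boot configuration
1. Start the computer and enter BIOS setup. You can open the BIOS setup page by pressing the key shown in the prompt during startup.
2. In BIOS setup, find "Boot order" or "Boot options". Make sure the hard disk is the preferred boot device and move it to the top of the list.
3. If you cannot find the hard disk in BIOS setup, try reconnecting the hard disk or replacing the data cable.
4. If you are using UEFI boot mode, try disabling Secure Boot.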
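Solutions for "inaccessible boot device"

"Inaccessible Boot Device" is a blue screen error (Blue Screen of Death, BSOD) in the Windows operating system. It usually means Windows cannot access the system boot device, which may be caused by a hardware or software problem. Some possible solutions follow:

1. Check the hardware connections:
- Make sure the data and power connections of the hard disk drive (HDD or SSD) are sound. You can try unplugging and reconnecting the data and power cables.
- On a desktop computer, make sure the data and power cables are connected to the correct SATA port on the motherboard.

2. Check the disk's condition:
- Use Windows installation media, or a bootable USB drive started from another computer, to enter the recovery environment.
- Open Command Prompt and run the CHKDSK command to check for and repair file system errors.

```bat
chkdsk /f /r C:
```

Here "C:" is the drive letter of the system partition; change it to match your system.

3. Check for driver problems:
- If you recently installed new hardware or updated a driver, try rolling back to the previous stable version.
- Start the system in Safe Mode and disable the recently added hardware or driver to see whether the problem goes away.

4. Repair the boot record:
- Use Windows installation media to enter the recovery environment, then open Command Prompt.
- Run the following commands to rebuild the boot record:

```bat
bootrec /scanos
bootrec /rebuildbcd
bootrec /fixmbr
bootrec /fixboot
```

5. Check the disk controller mode:
- In the BIOS/UEFI settings, check that the disk controller mode is correctly set to AHCI or RAID, depending on the system configuration. A different mode can cause boot problems.

6. Last resort, reinstall Windows:
- If none of the above works, you may need to consider reinstalling Windows. Be sure to back up important data first.

Take care when carrying out these operations and make sure you understand what each one does, to avoid data loss or other problems.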
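Solution for "VMware USB Arbitration Service cannot start"

Problem description: Those who often use VMware virtual machines have probably run into this: after installing VMware, a yellow box at the bottom of VMware shows a message like "USB disabled..." at startup. After installing a system in the virtual machine everything works normally, except that inserted USB devices are not recognized! Looking at VMware's USB service in the local computer's Services, it shows "Automatic" but has not started automatically, and starting it manually reports "VMware USB Arbitration Service cannot start. Error 31: A device attached to the system is not functioning". Reinstalling the virtual machine software or even reinstalling the computer does not fix it. Maddening, isn't it!? Below I give the solution!

Cause: The AMD motherboard driver is the culprit.

Fix: Uninstall the USB filter of the AMD motherboard driver.

Detailed steps:

Method 1:
1. Open "Add or Remove Programs" in the Windows Control Panel.
2. Find "ATI Catalyst Install Manager", right-click it and choose Change.
3. Choose Next.
4. Choose "Uninstall Manager", then choose Next.
5. Choose Custom, then choose Next.
6. Three options then appear; under "Select the components to uninstall", select "USB filter".
7. Finally, click Next all the way through the uninstall and you are done.
Then go to the system services and manually start VMware's USB service to see whether it now starts normally!

Method 2:
Start > Run > type regedit to open the Windows registry, and find:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}
Delete the UpperFilter value.
Find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ and delete usbfilter. (This step can also be skipped.)
Delete %system32%\drivers\usbfilter.sys
After restarting the system it should be OK.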
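A USB device connected to this computer is malfunctioning and Windows cannot recognize it

Problem description: A hub is connected to the computer and an Android device is connected to the hub. This morning, on turning on the computer and opening the project, this error suddenly appeared: "A USB device connected to this computer is malfunctioning and Windows cannot recognize it. This device is disabled because the firmware of the device did not give it the required resources. (Code 29)". Restarting the device and the computer did not fix it, and neither did switching to another USB port.

Solution: Unplug the hub's USB connector and reconnect it.

Cause: Unstable voltage.

2019.4.4: The computer had the same problem again. Option 1 below fixed it; I don't know whether temporarily or permanently.

Option 1
1. Click Start, right-click My Computer, select Explorer, and select Device Manager in the window that opens.
2. Double-click the "Universal Serial Bus controllers" item and uninstall all greyed-out entries and USB mass storage entries.
3. Right-click the "Universal Serial Bus controllers" item and select "Scan for hardware changes" from the drop-down menu.
4. Unplug the USB device, plug it in again, and check whether it is recognized.

Option 2
1. Find "Universal Serial Bus controllers", expand it, find the "USB ROOT HUB" item, and right-click to open its properties.
2. In the properties window, switch to the "Power Management" tab, clear "Allow the computer to turn off this device to save power", and click "OK" (repeat for the properties of each USB ROOT HUB).
3. When the settings are complete, restart the computer and try again.
4. If it still does not work, you can uninstall USB ROOT HUB.
5. Restart after uninstalling. Replug your USB device and try again.

Option 3
1. Click the Start menu, click Run, type "regedit" in the Open box, click OK, and in Registry Editor open the following path step by step.
2. In the right-hand pane, delete the "upperFilters" value, then restart the computer and replug your USB device.

2019.4.8: The problem is still not solved. A colleague says it is a problem with the computer itself, something to do with voltage; I don't really understand it. Do I have to replace the machine? After a great deal of trouble I found the article "How to fix: the last USB device connected to this computer malfunctioned" and solved it perfectly with the first method. There was one difference, though: I set all the USB ports to "not allowed to power off".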
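WIN7: virtual machine connection settings problem

1. First, the laptop has no serial port output, so a USB-to-serial adapter is needed. For that, the virtual machine must be able to recognize the USB port, but my virtual machine shows no USB indicator, as shown in the figure. So I don't know how to make USB show up in the virtual machine. My system is Win7 and the virtual machine runs Ubuntu 10.10.

Solution, step by step:
1. Click Start > Run, type "services.msc" in the dialog and confirm to open the Windows service manager.
2. In the service list select "VMware USB Arbitration Service", double-click to open its properties dialog, then choose "Start" to start the VMware USB Arbitration Service. As shown in the figure.
3. Close the VMware software and reopen it, then start a virtual machine; after the system has booted, VMware will report that it has found USB devices. To use these USB devices in the virtual machine (taking a USB camera as an example), choose VM->Removable Devices->Pixart Imaging CIF Single Chip->Connect (Disconnect from host) in the VMware menu bar. Of course, this disconnects the USB device from the host (usually a Windows system) at the same time as it connects it to the virtual machine. To use the USB device on the host again, choose VM->Removable Devices->Pixart Imaging CIF Single Chip->Disconnect (Connect to host) in the VMware menu bar.

One more note: on AMD-platform machines the VMware USB Arbitration Service may fail to start; this is caused by the "USB filter" in the AMD motherboard driver. The fix is: in the AMD motherboard driver, choose "ATI Catalyst manager", which has an option for the "USB filter manager"; after uninstalling it, the VMware USB Arbitration Service can be started.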
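How to fix "USB Device Over Current Status Detected" at power-on

Does your computer show "USB Device Over Current status detected!!, System Will shut down after 15 Seconds" as soon as it powers on, so that it cannot boot normally or reach the desktop? What should you do in this case? The message roughly means that a USB device over-current condition has been detected and the system will shut down in 15 seconds. Let's look at the fixes.

Causes and fixes:
1. A USB keyboard or USB mouse has had liquid spilled into it, or some USB device is short-circuited, for example a USB flash drive, portable hard disk, keyboard or mouse, USB camera, USB headset or USB extension cable. Unplug all USB devices from the computer and test whether it powers on. The fix in this case is simply to unplug the USB devices one at a time and restart the computer to see whether it boots normally, which identifies which USB device is faulty.
2. A damaged front-panel USB port or a damaged USB port on a desktop switch unit. Shut down the computer, open the case, and unplug the front-panel USB cables from the motherboard, including USB 2.0 and USB 3.0/3.1. Try discharging the board: remove the coin-cell battery from the motherboard, leave it out for 5-10 minutes, then refit it and try again.
3. The motherboard's own USB module or chip has failed; the only option is to send it for repair.

That is the fix shared by 装机之家 for the power-on message "USB Device Over Current status detected"; we hope this article helps.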
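Fixing a USB device recognized as "Unknown device (Device Descriptor Request Failed)"

When we connect a USB device to a computer, it is normally recognized and its driver installed automatically. Sometimes, however, the USB device is recognized as an unknown device with a failed device descriptor request. This problem can occur on Windows, Mac or Linux systems. In this article I describe some possible ways to fix a USB device being recognized as an unknown device.

1. Check the USB connection and the device
First, make sure the USB device is well connected. Try replugging the device or using a different USB port. Sometimes a USB port is damaged or loose, which prevents the device from working properly. Also, if you are using a USB dock, hub or splitter, try connecting directly to the computer to rule out problems caused by those devices.

2. Update the driver
A failed device descriptor request may be because the computer does not have the right driver to recognize the USB device. Trying to update the device's driver is therefore the first step. The driver can be updated as follows.
a. Open Device Manager.
b. Find the unknown device in Device Manager; it is usually under "Universal Serial Bus controllers" or "Other devices".
c. Right-click the unknown device and select "Properties".
d. In the properties window, click the "Driver" tab.
e. Select "Update Driver" to search automatically for available drivers, or select "Browse my computer for drivers" to choose and install a driver manually.
f. If the driver is already up to date, try uninstalling the device and restarting the computer so that the system reinstalls the driver.

3. Disable power management
Power management can stop USB devices from working properly. Disabling it can fix a USB device being recognized as an unknown device.
a. Open Device Manager.
b. Find the unknown device in Device Manager.
c. Right-click the unknown device and select "Properties".
d. In the properties window, click the "Power Management" tab.
e. Clear the "Allow the computer to turn off this device to save power" option.
f. Click "OK" to save the change, and restart the computer.

4. Clear the USB driver cache
The USB driver cache can cause the device descriptor request to fail. Clearing the USB driver cache can fix this.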
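How to fix USB device problems on Windows

As one of the most widely used operating systems in the world, Windows has excellent compatibility with USB devices. Even so, users can still run into problems when using USB devices. This article looks at how to fix USB device problems on Windows and offers some practical solutions.

1. Check the hardware connection
First, when a USB device is not working properly, make sure it is correctly connected to a USB port on the computer. Try plugging the device into another USB port to make sure the problem is not caused by a faulty port. Also check that the USB cable is intact, so that a loose or damaged cable is not the reason the device does not work.

2. Update the driver
The driver is the key component that lets the device and the operating system communicate. On Windows, USB device drivers are usually installed automatically, but problems sometimes occur. To fix this, try updating the USB device's driver manually. The steps are:
1) Right-click "My Computer" or "This PC" and select "Manage".
2) In the "Computer Management" window, click "Device Manager" in the left pane.
3) Find the USB device under "Universal Serial Bus controllers", right-click it and select "Update Driver Software".
4) In the window that opens, select "Search automatically for updated driver software".
5) If the system detects an updated driver, follow the prompts to install it.

3. Uninstall and reinstall the USB device
If updating the driver does not help, try uninstalling the USB device and reinstalling it. The steps are:
1) Open Device Manager (see point 2) and find the USB device to uninstall.
2) Right-click the device and select "Uninstall device".
3) In the window that opens, select "Delete the driver software".
4) Unplug the USB device, plug it back into a USB port on the computer, and wait for the system to reinstall the driver automatically.

4. Clear the USB driver cache
In some cases an old USB driver cache can stop a device from working properly. Clearing the USB driver cache can fix some driver-related problems. The steps are:
1) Open Command Prompt (click the Start menu and search for "Command Prompt").
2) In the Command Prompt window, enter the following commands and press Enter:

```bat
net stop usbhub
net stop usbstor
net stop usbccgp
net stop usbuhci
net stop usbprint
net start usbhub
net start usbstor
net start usbccgp
net start usbuhci
net start usbprint
```

3) Close Command Prompt.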
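USB redirection: "USB redirection is disabled"

Wrong resolution: first determine whether all the document cameras take blurry pictures or only a single unit does. If all document cameras are affected, the policy needs checking; if it is a single document camera, check its resolution setting. Edit the policy, use USB port redirection, enable advanced settings, and adjust the camera maximum width; It is not possible to output to a text file while also displaying on screen; you can only choose one of the two. To output to a text file, use the redirection operator c\ping_resulttxt. To append to the atxt file, use the following command c\ping_.

If the computer can detect other USB devices normally, consider whether the printer driver is installed correctly. For example, the printer driver version may be rather old, or a virus may have been accidentally brought in when the driver was installed; either can stop the printer from installing correctly. In that case you could use the latest version of an antivirus tool to scan the computer.

USB redirector client
1. Cannot power on, cause analysis: 1, first check the BIOS settings. If USB device boot comes before hard disk boot, the machine will boot from the USB device before the hard disk is tried, and if the USB flash drive or portable hard disk on the USB port has no bootable operating system, boot will hang at the point of loading the system, so the machine cannot
2. Some USB devices can be redirected, and the clipboard can be redirected as well. Steps for redirecting devices and resources: open Remote Desktop Connection by clicking the Start button; in the search box, type Remote Desktop Connection, then click "Remote Desktop Connection" in the results list. Click "Options", then click "Local Resources
3. Virtual machines are not compatible with dongles, but remote connection to a dongle can be achieved with EastFax USB Server: plug the dongle into a USB server device and the virtual machine can detect the dongle.
4. USB ones can be installed. Cloud desktops nowadays all have USB redirection and it can be used directly; just install the driver. Answered by 若磐; hope this helps.
5. The error code usually means iTunes cannot contact the server over port 80 or 443. This may be due to interference from out-of-date or incorrectly configured security or firewall software, an entry in the hosts file redirecting requests to, or Internet proxy settings. Also, when
6. A serial port assistant certainly works. The 正点原子 (ALIENTEK) examples include a serial port initialization routine. When printing, to make sure you can see the output, it is best to put it in an infinite loop.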
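Fixing VMware virtual machines that cannot use USB devices on Win7

After Windows 7 was released, VMware also brought out new versions, VMware Workstation 7 and Player 3, with functional optimizations for Win7. Recently someone on QQ mentioned that the XP virtual machine installed in her VMware could only detect connected USB devices (such as USB flash drives, dongles, phones and the like) but could not load them for use in the virtual machine; the virtual machine showed no drive letter for the USB device. A Google search shows this seems to be a common problem: there are many similar cases of using VMware virtual machines on Win7 (the problem does not occur with an XP or Vista host), and the official VMware community forum also has quite a few related posts. It seems VMware WS7 and Win7 do have some compatibility problems.

From various material online, the possible causes of this problem are summarized as follows:

1. Check whether VMware USB Arbitration Service can start normally on the host (right-click My Computer > Manage > Services). If it fails to start, there are two possible reasons:
(1) The USB Filter driver installed with the motherboard chipset on AMD platforms prevents the USB Arbitration Service from loading; uninstalling this USB filter driver fixes the problem.
(2) If the Sony Ericsson phone PC suite has been installed on the system, a Sony Ericsson seehcri control Service also interferes with starting the USB service; uninstalling this Sony Ericsson seehcri control Service from Device Manager fixes the problem.

2. If VMware USB Arbitration Service starts normally on the host, right-click the storage device icon in the lower right corner and connect it manually to see whether that works. If it still does not, Win7 may be restricting VMware from taking control of the USB device (the following error appears: The VMware USB Arbitrator returned error code 4.). Try the following illustrated steps to see whether they fix the problem:
(1) Connect the USB device (a USB flash drive in this example) to the host, then open the system Device Manager.
(2) Find the USB flash drive device and double-click it to open its properties page (the screenshots below all use a mouse as the example; in practice it should be the USB flash drive recognized after plugging it in). Find the corresponding device class GUID and copy it for later use.
(3) Type gpedit.msc in the Start menu to open the Group Policy editor, navigate to the system policy shown in the figure, and double-click "Prevent installation of devices using drivers that match these device setup classes".
(4) Select "Enabled", then click the Show button.
(5) Enter the GUID copied earlier, and keep clicking OK to exit the Group Policy editor.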
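Recently I needed Ubuntu to develop something, so I installed it under VMware Workstation, but it reported "Host USB device connection disabled". That is, the virtual machine cannot recognize USB devices. As shown in the figure:

The English message says: the connection to the host's VMware USB Arbitration Service was not started successfully; check the status of this service in the Microsoft management tools.

We then press Win+R, i.e. the Run item of the Start menu, and type services.msc to open Services. There we can see that VMware USB Arbitration Service is set to automatic but has not started, so we simply click Start. (Or go to Control Panel, Administrative Tools, Services, find "vmware Usb arbitration server", start this service, and restart VMware.)

But mine still did not work, and gave me the message shown in the figure below:

In other words, Windows could not start this service either. This is because my home computer is ATI+AMD based, mainly its ATI graphics platform, and had AMD South Bridge Driver installed, as shown in the figure:

It turned out that this software was filtering out USB. So we uninstall it from the uninstall list.

Then we go back to the Windows service entry from before and manually start the VMware USB Arbitration Service. Done.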
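A few days ago I installed Windows 7, but after installing the VMware virtual machine software USB could not be used. The software is the official original version and VMware Tools was installed as well. At first I thought the version was too old, so I upgraded from 7.0.0 to 7.0.1; still unusable. I then downgraded to 6.5.3; still no good.

Searching Baidu and Google, I found many people had similar problems. Some said: click Start, click the "Start Search" box, type services.msc, then press Enter.
Find VMware USB Arbitration Service in Services
and start it manually.
But a prompt popped up saying the service could not be started.
Others said it conflicts with the USB filter of the AMD motherboard driver and uninstalling that fixes it, but I could find no trace of a USB filter in either Device Manager or "Uninstall or install a program".
In desperation I reinstalled Windows 7, and it still did not work. I was nearly going crazy.
Later I finally found where the USB filter was!
Open "Uninstall or install a program"
Find "ati catalyst install manager"
Right-click and select "Change"
After it opens, click Next
Select "Uninstall Manager"
Next
If Windows shows a prompt, allow it
Select "Custom", Next
At last, there is the "usb filter"!
Tick it and leave everything else unticked.
Click Next to uninstall it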
After restarting the computer, VMware could access the USB flash drive!!

Using the Win32 API to monitor USB flash drive insertion and removal and get the drive letter; getting the drive letter of the currently inserted USB flash drive

Copyright notice: This is an original article by the blogger and may not be reproduced without the blogger's permission.

Using the Win32 API to monitor USB flash drive insertion and removal and get the drive letter

1. Register with the RegisterDeviceNotification() function

```cpp
#include <windows.h>
#include <winioctl.h>
#include <dbt.h>
#include <stdio.h>

static const GUID GUID_DEVINTERFACE_USB_DEVICE =
    {0xA5DCBF10, 0x6530, 0x11D2, {0x90, 0x1F, 0x00, 0xC0, 0x4F, 0xB9, 0x51, 0xED}};

// Register hWnd to receive notifications for the USB device interface class.
// Returns the notification handle (NULL on failure).
HDEVNOTIFY RegisterDeviceNotify(HWND hWnd)
{
    DEV_BROADCAST_DEVICEINTERFACE NotificationFilter;
    ZeroMemory(&NotificationFilter, sizeof(NotificationFilter));
    NotificationFilter.dbcc_size = sizeof(DEV_BROADCAST_DEVICEINTERFACE);
    NotificationFilter.dbcc_devicetype = DBT_DEVTYP_DEVICEINTERFACE;
    NotificationFilter.dbcc_classguid = GUID_DEVINTERFACE_USB_DEVICE;
    return RegisterDeviceNotification(hWnd, &NotificationFilter, DEVICE_NOTIFY_WINDOW_HANDLE);
}
```

2. Receive the WM_DEVICECHANGE message in the WndProc() function

```cpp
LRESULT DeviceChange(UINT message, WPARAM wParam, LPARAM lParam);

LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message)
    {
    case WM_DEVICECHANGE:
        return DeviceChange(message, wParam, lParam);
    }

    return DefWindowProc(hWnd, message, wParam, lParam);
}
```

3. Handle the received WM_DEVICECHANGE message

```cpp
// Return the drive letter for the lowest set bit in the unit mask (bit 0 = 'A').
char FirstDriveFromMask(ULONG unitmask)
{
    char i;

    for (i = 0; i < 26; ++i)
    {
        if (unitmask & 0x1)
            break;
        unitmask >>= 1;
    }

    return (i + 'A');
}

LRESULT DeviceChange(UINT message, WPARAM wParam, LPARAM lParam)
{
    if (DBT_DEVICEARRIVAL == wParam || DBT_DEVICEREMOVECOMPLETE == wParam)
    {
        PDEV_BROADCAST_HDR pHdr = (PDEV_BROADCAST_HDR)lParam;
        if (pHdr->dbch_devicetype == DBT_DEVTYP_VOLUME)
        {
            PDEV_BROADCAST_VOLUME pDevVolume = (PDEV_BROADCAST_VOLUME)lParam;
            char driverLabel = FirstDriveFromMask(pDevVolume->dbcv_unitmask);
            if (wParam == DBT_DEVICEARRIVAL) {
                printf("add %c\r\n", driverLabel);
            } else {
                printf("remove %c\r\n", driverLabel);
            }
        }
    }
    return 0;
}
```

Using the Win32 API to get the drive letter of the currently inserted USB flash drive

1. Get the bit mask that represents the logical drives

```cpp
DWORD mask = GetLogicalDrives();
```

2. Walk each bit of the mask and check whether the corresponding drive is a USB flash drive

```cpp
bool IsUsbDevice(wchar_t letter)
{
    wchar_t volumeAccessPath[] = L"\\\\.\\X:";
    volumeAccessPath[4] = letter;

    HANDLE deviceHandle = CreateFileW(
        volumeAccessPath,
        0,                  // no access to the drive
        FILE_SHARE_READ |   // share mode
        FILE_SHARE_WRITE,
        NULL,               // default security attributes
        OPEN_EXISTING,      // disposition
        0,                  // file attributes
        NULL);              // do not copy file attributes
    if (deviceHandle == INVALID_HANDLE_VALUE)
        return false;       // drive could not be opened

    // set up the query
    STORAGE_PROPERTY_QUERY query;
    memset(&query, 0, sizeof(query));
    query.PropertyId = StorageDeviceProperty;
    query.QueryType = PropertyStandardQuery;

    // issue the query
    DWORD bytes;
    STORAGE_DEVICE_DESCRIPTOR devd;
    STORAGE_BUS_TYPE busType = BusTypeUnknown;

    if (DeviceIoControl(deviceHandle,
                        IOCTL_STORAGE_QUERY_PROPERTY,
                        &query, sizeof(query),
                        &devd, sizeof(devd),
                        &bytes, NULL))
    {
        busType = devd.BusType;
    }

    CloseHandle(deviceHandle);

    return BusTypeUsb == busType;
}

// Find a USB flash drive
// Parameter: _letter receives the drive letter of the USB flash drive
// Returns:   true  a USB flash drive is currently present
//            false no USB flash drive is currently present
bool findUSBStorage(char* _letter)
{
    DWORD mask = GetLogicalDrives();
    int count = 0;
    while (mask != 0)
    {
        if ((mask & 0x01) == 1)
        {
            wchar_t letter = L'A' + count;

            // check whether this drive letter is a USB flash drive
            if (IsUsbDevice(letter))
            {
                *_letter = (char)letter;   // drive letters are plain ASCII
                return true;
            }
        }
        count++;
        mask = mask >> 1;
    }
    return false;
}
```
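Fixing a USB device recognized as "Unknown device (Device Descriptor Request Failed)"

A USB device being recognized as an unknown device, or a failed device descriptor request, is a common USB connection problem that can stop the device from working properly. It usually occurs on Windows but can happen on other operating systems too. When it does, users can try several fixes for the recognition problem. Below we describe some common solutions, which we hope will help you fix a USB device that is not being recognized.

1. Replug the USB device
When a USB device is recognized as an unknown device or the device descriptor request fails, the first thing to try is replugging the USB device. Sometimes, because of a connection or device driver problem, the USB device is not recognized correctly. In that case, unplugging the USB device from the computer and plugging it back in may fix the problem. Before replugging the USB device, it is recommended to shut down the computer first and check that the USB device is powered off, and only then unplug and replug it.

2. Use a different USB port
A USB device being recognized as an unknown device, or a failed device descriptor request, may be caused by a damaged USB port or a connection problem. You can therefore try plugging the USB device into another USB port to see whether that fixes it. If the USB device works normally on another USB port, the problem is most likely with the original USB port.

3. Update the driver
A failed device descriptor request may be caused by a device driver problem. Check whether your USB device has the latest driver; if not, try updating the USB device's driver. On Windows you can update device drivers through Device Manager. Right-click the "This PC" or "Computer" icon, select "Manage", then open "Device Manager", find the problem USB device, right-click it, select "Update Driver Software", and follow the prompts.

4. Uninstall and reinstall the USB device
Sometimes the USB device's driver has a problem that stops the device from being recognized properly. You can try uninstalling the USB device's driver and then reinstalling it. Find the USB device in Device Manager, right-click it, select "Uninstall device", then replug the USB device; the system will reinstall the driver automatically.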
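Configuring USB device filters and redirecting Human Interface Devices (HID) in View Client (1011600)

Purpose
This article provides information about the human interface devices that are not redirected by default in VMware View, and how to have them redirected if required.

By default, View Client for Windows excludes certain devices from the redirection drop-down menu:
• Human interface devices (HID), such as USB keyboards, mice and authentication tokens
• Any Bluetooth device that is paired with a HID
• Smart card readers, and USB authentication tokens that present themselves as smart card readers. These devices are redirected separately so that they are available for authentication on the remote desktop.

USB VoIP phones are not excluded from redirection, even if they have an attached keypad, which is a HID.

From View Manager 3.1.1 onward, you can configure the devices that are listed as available for redirection.

Notes:
• The Microsoft Remote Desktop Protocol (RDP) prevents locally plugged-in HIDs, such as the console keyboard, from affecting a remote RDP session. USB redirection makes a device appear to be plugged in locally, so RDP also prevents such devices from affecting the remote session. RDP also blocks USB smart cards from being redirected to remote sessions. This restriction does not apply to PCoIP.
• VMware PCoIP redirects the console session, so that local HIDs and USB devices can connect to the remote desktop session. If you want to redirect HIDs and USB devices to the console session, you must use PCoIP as the desktop display protocol.
• For View Agent on Vista or Windows 7 systems, Windows Mobile Device Center (WMDC) can prevent redirection of USB devices in RDP sessions. This restriction does not apply to PCoIP or RGS.

Resolution
You must first find the class GUID and the vendor and product IDs of the device plugged into the client. You can then use these values to configure the redirection filters on the computer on which View Client is to run.

Note: The full version of View Client must be installed on the computer, and you must plug in the devices that you want to include in, or exclude from, those available for redirection.

You can use Device Manager to find the class GUID and the vendor and product IDs of a device. For some devices, however, you may need to look at the information in the View Client log files.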
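Batch commands for disabling/enabling USB

lockusb:

```bat
rem Set the usbstor service Start value to 4 (disabled)
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor" /v Start /t reg_dword /d 4 /f
rem Message: USB devices disabled; any USB device plugged in after this will not work
echo USB设备禁用成功!!!所有在禁用后插入的USB设备将无法使用!!!
pause
```

unlockusb:

```bat
rem Set the usbstor service Start value to 3 (manual)
@reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\usbstor" /v Start /t reg_dword /d 3 /f
rem Message: USB devices enabled; all USB devices can be used
echo USB设备启用成功!!!一切USB设备将可以使用.
pause
```

Method 1: BIOS setting (the blunt approach)
Enter BIOS setup, select the "Integrated Peripherals" option, expand it and set the "USB 1.1 Controller" and "USB 2.0 Controller" options to "Disabled" to disable the USB ports. Finally, don't forget to set a password on the BIOS, so that others cannot "unlock" the above devices by modifying the registry.
Note: This method disables the USB ports completely, meaning no USB device of any kind can be used, which of course includes printers, USB flash drives and portable disks. Because this method is so heavy-handed, use it with care.

Method 2: Prevent flash drives or portable hard disks from starting (applies to Windows XP/2000/2003)
Open Registry Editor, expand the branch [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR], find the DWORD value named "Start" in the right-hand pane, double-click it, and in the edit dialog change its value data to the hexadecimal value "4". (The "Start" value is the on/off switch for the USB device: the default setting "3" means manual, "2" means automatic and "4" means disabled.) Click "OK", close Registry Editor, and restart the computer for the setting to take effect.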
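How to add a USB 3.0 driver to a stock Windows image

Contents
1. Foreword
2. Tools and materials
2.1 PowerISO software
2.2 USB 3.0 driver
3. Installing and activating the PowerISO tool
3.1 Tool features
3.2 Tool installation steps
4. Adding the USB 3.0 driver to the image
5. Creating the boot disc
6. Burn verification

1. Foreword

3. Installing and activating the PowerISO tool

3.1 Tool features
1. PowerISO supports almost all CD/DVD-ROM image file formats; supports 32-bit and 64-bit Windows 7;

3.2
1. (Figure 2: PowerISO archive)
3. Double-click the exe file to install. In the dialog that appears choose Yes (Figure 3: installation permission prompt) to reach the licence agreement screen, and click I Agree (Figure 4: I Agree button).
4. After clicking I Agree a dialog appears; click Browse to choose the installation location, and after choosing it click the Install button to start installing the program. (Figure 5: Install button)
5. When installation completes, click Next. (Figure 6: installation in progress)
6. Keep the default settings and click the Close button. (Figure 7: installation complete)
7. Double-click poweriso on the desktop to run the program. (Figure 8: starting the program)
8. In the dialog that appears choose to enter a serial number. (Figure 9: program start-up dialog)
9. In the dialog that appears enter the serial number (found in the extracted files) and click OK. (Figure 10: serial number)
10. Registration complete. (Figure 11: installation complete notice)

4. Adding the USB 3.0 driver to the image
1. Right-click and run the program as administrator. (Figure 12: run as administrator)
2. In the dialog that appears choose Yes. (Figure 13: run prompt)
3. Open the Tools menu and choose the DISM tool in the dialog that appears.
4. In the dialog that appears choose Add Driver.
5. In the dialog that appears click the position shown. (Figure 16: image selection menu)
6. In the dialog that appears select the image file to which the driver is to be added. (Figure 17: image file)
7. After selecting it click Open; in the dialog that appears click the position shown and select the USB 3.0 program to load. (Figure 18: add driver menu)
8. Select the driver to load and click OK. (Figure 19: driver file)
9. In the dialog that appears click Add Driver and wait until it finishes. (Figure 20: add driver menu) Note: this process takes about 15 minutes. (Figure 21: installation in progress)
10. When it completes click Close. The USB 3.0 driver has now been added to the image. (Figure 22: loading complete)

5. Creating the boot disc
1. Click Burn in the toolbar. (Figure 23: burn dialog)
2. In the dialog that appears, select the image file and the burning drive, and click Burn; the files start being written to the disc.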
Tracing USB Device artefacts on Windows XP operating system for forensic purpose

Victor Chileshe Luo
School of Computing and Information Science
Edith Cowan University
vluo@.au cvluo@

Abstract

On Windows systems several identifiers are created when a USB device is plugged into a universal serial bus. Some of these artefacts or identifiers are unique to the device and consistent across different Windows platforms as well as other operating systems such as Linux. Another key factor that makes these identifiers forensically important is the fact that they are traceable even after the system has been shut down. Hence they can be used in forensic investigations to identify specific devices that have been connected to the system in question.

Keywords

USB device identifier, forensic, artefacts, registry key, log file, Windows XP, Operating system

INTRODUCTION

Demand for USB devices such as memory sticks has increased enormously in recent years. In some ways this increase has resulted in more powerful, faster and bigger-capacity USB devices. Furthermore, USB devices have become more popular in workplaces, education institutions etc. Many employees use them to store company information such as e-mails, corporate documents, third-party sensitive data, company directories and business calendars, while students use them to store assignments, lecture notes and other personal files. USB storage devices can also be used contrary to the organisation's policies. Their size and nature of use sometimes make them suitable for carrying out malicious activities. The ability to hold gigabytes of data has certainly introduced considerable security risks, particularly in corporate environments. In addition to providing a means to move data to and from a system, USB storage devices may also be used to introduce malicious code into an otherwise protected system (Gorge, 2005).

However, the popularity or capacity of these devices is not this paper's main focus; the focus is the ability to trace the trails of these tiny devices for accountability. This paper discusses how USB storage devices can leave identifiers, embedded within them by manufacturers, on a Windows XP system.

USB ARTIFACTS

All USB devices have manufacturer's information embedded in them. It is this information that the Windows XP operating system uses to build a unique profile that uniquely identifies these devices. When these tiny storage devices are attached to a USB port on a system running Windows XP, in-built drivers collect information (manufacturer specifications) from the device and then use that information to create a profile of identifiers. These identifiers end up in different locations on the system and tend to be persistent after shutdown (Gorge, 2005). This ability to preserve information about devices reduces reinstallations every time the device is attached to the system. It also increases Windows' ability to create profiles of smaller devices such as those devices from the same manufacturer.

Proof of consistency

On Linux systems these identifiers are more clear, specific and consistent. Additional information such as the manufacturer's name and device description is also clearly identified.

As proof of concept, a Verbatim thumb drive was attached to a Linux system (Debian) on two different occasions. The first attachment was an attempt to allow the system to collect relevant information about the device. The second attachment was done at least two weeks after the thumb drive was first attached to the system. The idea of attaching the USB thumb drive a second time was to capture USB information in memory using the "cat" command as shown in figure 1 and to ensure the information belonged to the currently attached USB thumb drive.

Figure 1. Cached USB identifiers on Linux system

The information collected was then used to locate and compare similar information from log files such as messages.log and syslog.log. By comparing information in figures 1 and 2, information such as serial number, abbreviation of manufacturer name (VBTM for Verbatim) and product name (Store_n_Go) was successfully found dating back two weeks. This information was not only well preserved, but also matched the information collected from the Windows XP system on the same thumb drive. The outlined discovery is a clear indication that some form of profile is created and preserved every time a new device is attached to the system.

Figure 2. syslog file on Linux system showing the logged USB identifiers

WINDOWS XP APPLICATION

Windows USB identifiers

The Windows XP operating system uses USB hub drivers to detect a newly installed or attached USB device. When a device is attached to a port, the Windows operating system finds the appropriate driver to read and collect descriptors from it. The operating system then uses the descriptors to build a unique profile for the device. The information collected is then used by the operating system to find the appropriate driver for the device. To achieve this, the operating system attempts to find the device ID in usbstor.inf for those explicitly supported devices. If the USB hub driver enumerates one of these devices, the system will automatically load the USB storage port driver (Microsoft, 2007).

The device IDs for USB mass storage devices listed in usbstor.inf take the usual form for USB device IDs composed using information in the USB device's device descriptor. On Windows XP, a complete device unique identifier takes the following format: USB\VID_v(4)&PID_d(4)&REV_r(4).
According to Microsoft Corporation, v(4) is the 4-digit vendor code that the USB committee assigns to the vendor, d(4) is the 4-digit product code that the vendor assigns to the device, and r(4) is the revision code (Microsoft, 2007). This can be illustrated using the device instance ID from figure 3: USB\VID_08EC&PID_0008\0CD028********f1, where 08EC is the vendor code, 0008 is the product code and 0CD0 is the revision code. All three descriptors form a unique ID called the Device Instance ID.

Figure 3. USB Device Instance ID as shown in Device Manager

According to Carvey and Altheide, Windows also queries the device descriptor for class code (bDeviceClass field), subclass code (bDeviceSubClass field) and protocol code (bDeviceProtocol field) in order to develop a list of compatible device identifiers (Carvey & Altheide, 2005). The general descriptors Windows uses to generate a profile for a device are shown in figure 4.

| Offset | Field | Size | Value | Description |
|---|---|---|---|---|
| 0 | bLength | Byte | 12h | Size of this descriptor in bytes |
| 1 | bDescriptorType | Byte | 01h | DEVICE descriptor type |
| 2 | bcdUSB | Word | ????h | USB specification release number in binary-coded decimal (i.e. 2.10 = 210h). This field identifies the release of the USB specification with which the device and its descriptors are compliant |
| 4 | bDeviceClass | Byte | 00h | Class is specified in interface descriptor by USB working group |
| 5 | bDeviceSubClass | Byte | 00h | Subclass is specified in interface descriptor by USB working group |
| 6 | bDeviceProtocol | Byte | 00h | Protocol is specified in interface descriptor by USB working group |
| 7 | bMaxPacketSize0 | Byte | ??h | Maximum packet size for endpoint zero (only 8, 16, 32, or 64 are valid (08h, 10h, 20h, 40h)) |
| 8 | idVendor | Word | ????h | Vendor identifier (assigned by the USB-IF) |
| 10 | idProduct | Word | ????h | Product identifier (assigned by the manufacturer) |
| 12 | bcdDevice | Word | ????h | Device release number in binary-coded decimal |
| 14 | iManufacturer | Byte | ??h | Index of string descriptor describing the manufacturer |
| 15 | iProduct | Byte | ??h | Index of string descriptor describing this product |
| 16 | iSerialNumber | Byte | ??h | Index of string descriptor describing the device's serial number |
| 17 | bNumberConfigurations | Byte | ??h | Number of possible configurations |

Figure 4. A profile of identifiers Windows uses to uniquely identify a device (USB, 1999).

Registry as a USB log file

Anyone looking into the Windows registry for forensic purposes must understand that the Windows registry is a repository of all information about all aspects of the computer, which includes the hardware, operating system, applications and users. In general, the investigator must be clear about what to look for and where to look for it. In terms of USB, the Windows registry stores information that ensures proper USB device drivers are loaded, services required by applications are made available, the proper application is loaded to open a file when you double-click on the icon in Explorer, and that an application window appears in the proper place on your screen when you first launch it (Mee, Tryfonas, & Sutherland, 2006).

USB connection history in the registry is maintained under the following key:

HKEY_LOCAL_MACHINE\System\ControlSet00x\Enum\USBSTOR

The ControlSet in use by the system depends upon the data associated with the following registry value:

HKEY_LOCAL_MACHINE\System\Select\Current (Carvey, 2005).

Every USB device currently and previously connected to the system has its device instance identifier listed under the USBSTOR key as shown in figure 5.

Figure 5. View of USB unique ID entry under USBSTOR entry key

The highlighted entry in figure 5 is a unique device identifier, and also a unique serial number for that particular device assigned by the manufacturer. From the findings explained earlier in the paper, this number remains consistent across platforms.

According to Carvey, not all thumb drives will have serial numbers registered in the registry. Some thumb drives are manufactured without serial numbers. If the second character of the unique instance ID is a '&', then the ID was generated by the system (Carvey, 2005).

Another important registry entry is HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion. This key contains specific information about the location of plug and play device .inf files. The information to locate the .inf file is defined in the DevicePath value, which holds the REG_EXPAND_SZ data type. REG_EXPAND_SZ is expandable, capable of holding multiple paths for the DevicePath (Carvey & Altheide, 2005).

The DevicePath list of paths is used by the plug and play manager to match the device identifiers with the driver ranking the lowest on a scale of 0 to 0xFFFF. Once the driver is identified and loaded, plug and play (PnP) uses the driver to retrieve any descriptors from the device and attempts to match them with explicitly supported device identifiers in usbstor.inf. If a match is found, the usbstor.sys driver is installed and creates a new physical device object (PDO) for each of the device's logical units. The newly formed physical device object has the following format: USBSTOR\v(8)p(16)r(4). To the PnP manager the PDO format is interpreted as v(8) for an 8-character vendor identifier, p(16) for a 16-character product identifier, and r(4) for a 4-character revision level value (Microsoft, 2007).

Figure 6. View of device manufacturer serial number via Device Manager

When the PDO of a USB storage device is viewed under Device Manager, an additional 12 characters may be appended to the end of the device ID.
This is the serial number of the device, and the index to this serial number is found in iSerialNumber, which is a value contained in the device descriptor. If the value for iSerialNumber is 0x00, then the device was not assigned a serial number by its manufacturer. This 12-character number is unique and persistent across platforms, but the inclusion of this unique identifier in the device is optional as per the USB specification (Carvey & Altheide, 2005).

Devices that do not have serial numbers are assigned a 12-character sequence number. This number contains an "&" character and the final value corresponds to the USB port to which the device is connected. The 12-character sequence is generated by the PnP manager and hence changes when the device is plugged into a different system. In addition to these device identifiers, usbstor.inf contains compatible class identifiers for each USB-based device. These devices can be CD-ROM devices, removable media devices or generic SCSI media devices. During installation these devices can be classified under any of the following classes and subclasses:

USB\CLASS_08&SUBCLASS_02&PROT_50
USB\CLASS_08&SUBCLASS_05&PROT_50
USB\CLASS_08&SUBCLASS_06&PROT_50

All devices are first classified as mass storage devices (class 08h), then matched with the appropriate subclass: subclass 02h is matched with SFF-8020i ATAPI CD-ROM devices, subclass 05h with SFF-8070i ATAPI removable media, and subclass 06h with generic SCSI media. Protocol 50h simply means the attached devices use the bulk-only transport protocol. According to the results from the investigation carried out earlier, the data retrieved from the USB storage device descriptor must match USB\CLASS_08&SUBCLASS_06&PROT_50 for the system to load usbstor.sys (Microsoft, 2007).

Figure 7. Shows a class match for USB storage device

An example of these class and subclass identifiers can be viewed from Device Manager.
While a USB storage device is connected to a USB port, open Device Manager, and under Universal Serial Bus Controller right-click USB Mass Storage Device and choose Properties from the drop-down menu. Then choose the Details tab and select "Matching Device ID" from the drop-down menu; the corresponding value will appear below, as shown in figure 7.

When compatible USB storage devices are connected to the Windows system, their artefacts are visible in the Windows registry and log files. Under the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USB registry key, subkeys representing device IDs of similar format can be easily identified. More subkeys representing instance IDs follow under each of these subkeys, identifying devices that have been connected to the system. Another important registry key for further analysis is:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBStor

The USBStor key is similar to the device ID subkeys beneath the USB key, but values under USBStor are in human-readable format while values under the USB key are in hexadecimal format. Compared to the number of subkeys under the USB key, which covers all USB-connected devices in general, USBStor has fewer subkeys, and they are specific to USB mass storage devices (Carvey & Altheide, 2005). Beneath this key are several instance ID subkeys, one for each device that has been connected to the system, as shown in figure 5.

Associating the timeline of the USB connections with user activities involving USB storage devices is important during registry analysis. When an entry is created in the registry, each key found under that entry has a value associated with it called the "LastWrite" time. This value represents the last time the registry key was modified.
During forensic investigation of a USB storage device, the LastWrite times of the keys can be used to determine the timeline with respect to user activities involving USB storage devices (Carvey & Altheide, 2005).

Another interesting entry in the registry is HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices\. This particular key provides information about the drive letters associated with the devices. The value in ParentIdPrefix, which is found under the MountedDevices key, can be used to determine exactly, or map to, the MountedDevices registry entry in order to identify the drive letter to which the device was mounted. Beneath the MountedDevices registry key are several values of the binary (REG_BINARY) data type, as shown in figure 8.

Figure 8. MountedDevices registry keys showing drive letters and unique binary

However, some of the values start with \DosDevices\ followed by a drive letter, e.g. \DosDevices\H. To find out, right-click one of them and choose Modify. In the right-most column of the "Edit Binary Value" dialog, characters like these appear:

\??\STORAGE#RemovableMedia#7&e3d6b7b&0&RM&{53f56307-b6bf-11d0-94f2-00a0c91efb8b}

The 7&e3d6b7b&0&RM portion of the right-most column is the ParentIdPrefix for the device. Using this ParentIdPrefix we can determine the last time the device was connected to the system. To do so, navigate to the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\control\DeviceClasses

Clicking on the key identical to 53f56307-b6bf-11d0-94f2-00a0c91efb8b, taken from the right-most column of the "Edit Binary Value" dialog box, reveals information about several USB devices that have been attached to the system before, as shown in figure 9.

Figure 9. Shows devices under DeviceClass registry key

Looking at the last subkey for the highlighted registry key in figure 9 clearly shows the unique instance identifier (0CD028********F1) for a USB storage device with product ID "Store_n_Go" and manufacturer ID VBTM, which is an abbreviation for Verbatim.
The portion after the unique instance ID (product serial number) is the ParentIdPrefix value for the device (Forensic-Wiki, 2006).

To determine the LastWrite time for a specific USB device, open the registry editor (click Start, Run and type Regedit.exe), navigate to the USB device key, and from the File menu click "Export". In the "Save as type" drop-down menu, select "Text Files (*.txt)", then type the file name and press Enter. Open the text file using Notepad and look at the last write time value, as shown in figure 10 (Winhelponline, 2007).

Figure 10. Showing the last write time exported to text file from registry

Windows Log Files

Windows log files can help in reinforcing the information collected from the registry. The log file of interest is setupapi.log, which is found in %SYSTEMROOT% (C:\WINDOWS on the standard Windows XP install). Every installation of hardware drivers on the system is recorded in this file (Carvey & Altheide, 2005). After installing the Store_n_Go USB storage device, setupapi.log recorded the following activities:

#I306 DICS_START: Device has been started.
[2007/09/30 12:27:03 1496.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_08ec&pid_0008&rev_0100,usb\vid_08ec&pid_0008
#-018 Searching for compatible ID(s): usb\class_08&subclass_06&prot_50,usb\class_08&subclass_06,usb\class_08
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "USB\Class_08&SubClass_06&Prot_50" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#I023 Actual install section: [USBSTOR_BULK.NT]. Rank: 0x00002000. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [USBSTOR_BULK] in "c:\Windows\inf\usbstor.inf".
#I320 Class GUID of device remains: {36FC9E60-C465-11CF-8056-444553540000}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "USB\VID_08EC&PID_0008\0CD028********F1".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [USBSTOR_BULK.NT.Interfaces] from "c:\Windows\inf\usbstor.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "USB\VID_08EC&PID_0008\0CD028********F1".
#I121 Device install of "USB\VID_08EC&PID_0008\0CD028********F1" finished successfully.

On line number I306, the setupapi.log file recorded the time and date the device driver installation began, while the very last line shows that the device was successfully installed. By comparing the installation date from line I306 of the setupapi.log file with the LastWrite time in the registry, it is possible to determine when the device was first connected to the system and for how long the activities might have been repeated. On line I022, the setupapi.log file recorded more vital information, namely USB\Class_08&SubClass_06&Prot_50. Subclass 06h in a Windows XP system is a predefined driver for generic SCSI media; in this case the USB storage device was successfully installed and identified with device instance ID or serial number 0CD028********F1 on line I121.

CONCLUSION

The unique identification numbers embedded in some devices by the manufacturer are returned as iSerialNumber values on a Windows XP system. These unique identifications should be noted to be persistent across the identified platforms.
The finding raises some interesting issues; for example, an administrator could gather information on known good authorised devices that have been attached to the system. From the gathered information, an administrator can determine whether any unauthorised USB-based storage device has been installed on the restricted machine.

The investigation techniques discussed in this paper can not only help solve USB storage related cases such as information stealing, but can also strongly help law enforcers get an idea of how other crimes unrelated to the one discussed were committed. In explicit material investigations, forensic investigators could equip law enforcers with information from the setupapi log file showing potential devices used when committing such horrific crimes. The type of drivers installed and the identifiers associated with the drivers could help identify specific devices once attached to the system in question. The following setupapi log file shows an artefact depicting a digital camera installation:

[2007/10/11 18:27:16 1488.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_040a&pid_05bd&rev_0100,usb\vid_040a&pid_05bd
#-018 Searching for compatible ID(s): usb\class_06&subclass_01&prot_01,usb\class_06&subclass_01,usb\class_06
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "USB\VID_040A&PID_05bd" in C:\WINDOWS\inf\oem18.inf; Device: "KODAK Digital Camera"; Driver: "KODAK Digital Camera"; Provider: "Eastman Kodak"; Mfg: "Kodak"; Section name: "UsbScan.Camera".
#I023 Actual install section: [UsbScan.Camera]. Rank: 0x00000001. Effective driver date: 06/14/2002.
#I393 Modified INF cache "C:\WINDOWS\inf\INFCACHE.1".
#I022 Found "USB\Class_06&SubClass_01&Prot_01" in C:\WINDOWS\inf\ptpusb.inf; Device: "Digital Still Camera"; Driver: "Digital Still Camera"; Provider: "Microsoft"; Mfg: "Generic"; Section name: "PTP".
#I023 Actual install section: [PTP]. Rank: 0x00002000. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [UsbScan.Camera] in "c:\Windows\inf\oem18.inf".
#I320 Class GUID of device remains: {36FC9E60-C465-11CF-8056-444553540000}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "USB\VID_040A&PID_05BD\C713_0C0390345".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.

From the log file, forensic investigators could use line #-019 to determine the type of device being installed at that time, and the time the installation started by referring to the line above it. Line #I022 could help in identifying the specific device installed, including the manufacturer name; in this case a KODAK camera was clearly recorded with detailed information attached to it. Forensic investigators could identify the specific device by using its unique ID as shown in line #I124.

To law enforcers this evidence could help answer their many questions, such as whether the system was used as a storage medium for criminal data, or whether the device at the centre of an investigation might have been used to commit crime.

REFERENCES

Carvey, H. (2005). The Windows Registry as a forensic resource. Retrieved 9 October, 2007, from .au/science?_ob=ArticleURL&_udi=B7CW4-4GX1J3B-1&_user=1385697&_coverDate=09%2F30%2F2005&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000052520&_version=1&_urlVersion=0&_userid=1385697&md5=f4f6c35575ded24887ccff6cdad1bc5c

Carvey, H., & Altheide, C. (2005). Tracking USB storage: Analysis of Windows artifacts generated by USB storage devices. Retrieved 2 October, 2007, from /science?_ob=ArticleURL&_udi=B7CW4-4G82Y3M-1&_user=10&_coverDate=06%2F30%2F2005&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=14db0715620630bcf24ee0ced035f073

Forensic-Wiki. (2006). USB History Viewing. Retrieved 15 October, 2007, from /wiki/USB_History_Viewing

Gorge, M. (2005). USB & other portable storage device usage. Retrieved 9 October, 2007, from /science?_ob=ArticleURL&_udi=B6VNT-4GY9043-8&_user=10&_coverDate=08%2F31%2F2005&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000050221&_version=1&_urlVersion=0&_userid=10&md5=57444a1440590bffc1945e26c93eee02

Mee, V., Tryfonas, T., & Sutherland, L. (2006). The Windows Registry as a forensic artefact: Illustrating evidence collection for Internet usage. Retrieved 10 October, 2007, from http://0-.au/science?_ob=ArticleURL&_udi=B7CW4-4M0S394-1&_user=1385697&_coverDate=09%2F30%2F2006&_rdoc=1&_fmt=&_orig=search&_sort=d&view=c&_acct=C000052520&_version=1&_urlVersion=0&_userid=1385697&md5=e5322a5cb4f4119534e0a0273159db63

Microsoft. (2007). Identifiers Generated by USBSTOR.SYS. Retrieved 10 October, 2007, from /en-us/library/ms791086.aspx

USB. (1999). Universal Serial Bus Mass Storage Class Bulk-Only Transport. Retrieved 9 October, 2007, from /developers/devclass_docs/usbmassbulk_10.pdf

Winhelponline. (2007). Determining the "Last Write Time" of a registry key? Retrieved 15 October, 2007, from /articles/12/1/

COPYRIGHT

Victor Chileshe Luo ©2007. The author/s assign Edith Cowan University a non-exclusive license to use this document for personal use provided that the article is used in full and this copyright statement is reproduced. Such documents may be published on the World Wide Web, CD-ROM, in printed form, and on mirror sites on the World Wide Web. The authors also grant a non-exclusive license to ECU to publish this document in full in the Conference Proceedings. Any other usage is prohibited without the express permission of the authors.
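
The setupapi.log reading described under "Windows Log Files", and the authorised-device check suggested in the conclusion, can be automated. The Python below is an added example, not code from the paper: the function names are hypothetical, the first sample section reuses log lines quoted in the paper, and the second section (vendor 1234, instance 5&2a1b3c4d&0&2) is constructed to show a device without a manufacturer serial number.

```python
import re
from datetime import datetime

# Constructed sample: section 1 reuses lines quoted in the paper; section 2 is
# invented to show a system-generated instance ID.
SAMPLE_LOG = r"""[2007/09/30 12:27:03 1496.3 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_08ec&pid_0008&rev_0100,usb\vid_08ec&pid_0008
#I022 Found "USB\Class_08&SubClass_06&Prot_50" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#I121 Device install of "USB\VID_08EC&PID_0008\0CD028********F1" finished successfully.
[2007/10/02 09:15:40 1496.7 Driver Install]
#-019 Searching for hardware ID(s): usb\vid_1234&pid_abcd&rev_0100,usb\vid_1234&pid_abcd
#I022 Found "USB\Class_08&SubClass_06&Prot_50" in C:\WINDOWS\inf\usbstor.inf; Device: "USB Mass Storage Device"; Driver: "USB Mass Storage Device"; Provider: "Microsoft"; Mfg: "Compatible USB storage device"; Section name: "USBSTOR_BULK".
#I121 Device install of "USB\VID_1234&PID_ABCD\5&2a1b3c4d&0&2" finished successfully.
"""

HEADER = re.compile(r"^\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) \d+\.\d+ Driver Install\]")
HWIDS = re.compile(r"^#-019 Searching for hardware ID\(s\): (.+)$")
MATCH = re.compile(r'^#I022 Found "([^"]+)" in ([^;]+);')
DONE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully\.')

def parse_driver_installs(text):
    """Return one dict per 'Driver Install' section of a Windows XP setupapi.log."""
    events, cur = [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := HEADER.match(line):
            cur = {"time": datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"),
                   "hardware_ids": [], "matched": [], "device_id": None,
                   "instance": None, "system_generated": None}
            events.append(cur)
        elif cur is None:
            continue  # lines before the first section header, e.g. #I306
        elif m := HWIDS.match(line):
            cur["hardware_ids"] = m.group(1).split(",")
        elif m := MATCH.match(line):
            cur["matched"].append((m.group(1), m.group(2)))  # (matched ID, INF path)
        elif m := DONE.match(line):
            cur["device_id"], _, cur["instance"] = m.group(1).rpartition("\\")
            # Rule quoted in the paper (Carvey, 2005): '&' as the second
            # character means the system generated the instance ID.
            inst = cur["instance"]
            cur["system_generated"] = len(inst) > 1 and inst[1] == "&"
    return events

def unauthorised(events, allowed):
    """Completed installs not in `allowed`, a set of upper-case (device ID, instance ID)."""
    return [e for e in events if e["instance"]
            and (e["device_id"].upper(), e["instance"].upper()) not in allowed]

if __name__ == "__main__":
    for e in parse_driver_installs(SAMPLE_LOG):
        kind = "system-generated" if e["system_generated"] else "manufacturer serial"
        print(e["time"], e["device_id"], e["instance"], kind)
```

Because a system-generated instance ID changes from one machine to another, only entries with a manufacturer serial are suitable for matching a device across systems.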