# Query the Registry for Mounted Device information ``` #####aid_begin #description: fetch the information of mounted devices #id: aid2112302049 #processtype: query #category: registry #sourcelink: #tacticidlist: #techniqueidlist: #compatibleos: |- # windows 7 # windows 8.* # windows 10 # windows 11 # windows server 2008 r2 # windows server 2012 # windows server 2012 r2 # windows server 2016 # windows server 2019 #compatibleengine: |- # powershell 2 # powershell 3 # powershell 4 # powershell 5.* # powershell 7.* #bgcommandlist: |- # get-bgregistry #notes: |- # the first key contains a list of mounted devices, with associated persistent volume name and unique internal identifier for respective devices. this key lists any volume that is mounted and assigned a drive letter, including usb storage devices and external dvd/cdrom drives. from the listed registry values, value’s name that starts with “\dosdevices\” and ends with the associated drive letter, contains information regarding that particular mounted device. for instance, if the binary data for registry value “\dosdevices\f” contains “\??\storage#removeablemedia” at the beginning of the value, it signifies a usb removable disk was connected to the system usb port. by correlating the entry with registry key lastwrite time, investigator would know when the removable device is connected. the second key also contains similar information as mounteddevices key, which is located under the respective device guid (globally unique identifiers) subkey and in the binary registry value named data. #####aid_end commands: - Get-BGRegistry -StartKey "HKLM\SYSTEM\MountedDevices" ``` --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://manuals.blusapphire.io/blugenie/artifacts/tactical-artifacts-by-category/registry-query/query-the-registry-for-mounted-device-information.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.