Query the Registry for Mounted Device information

AID2112302049.YAML

#####aid_begin
#description: fetch the information of mounted devices
#id: aid2112302049
#processtype: query
#category: registry
#sourcelink: <na>
#tacticidlist: <na>
#techniqueidlist: <na>
#compatibleos: |-
#  windows 7
#  windows 8.*
#  windows 10
#  windows 11
#  windows server 2008 r2
#  windows server 2012
#  windows server 2012 r2
#  windows server 2016
#  windows server 2019
#compatibleengine: |-
#  powershell 2
#  powershell 3
#  powershell 4
#  powershell 5.*
#  powershell 7.*
#bgcommandlist: |-
#  get-bgregistry
#notes: |-
#  The first key (HKLM\SYSTEM\MountedDevices) lists the mounted devices, with the persistent volume name and the unique internal identifier of each device. It covers every volume that is mounted and assigned a drive letter, including USB storage devices and external DVD/CD-ROM drives.
#  Among the listed registry values, a value whose name starts with "\DosDevices\" and ends with the associated drive letter holds the information for that particular mounted device. For instance, if the binary data of the registry value "\DosDevices\F:" begins with "\??\STORAGE#RemovableMedia", a USB removable disk was connected to a USB port of the system.
#  By correlating that entry with the LastWrite time of the registry key, an investigator can establish when the removable device was connected.
#  The second key holds information similar to the MountedDevices key; it is located under the subkey of the respective device GUID (globally unique identifier), in the binary registry value named Data.
#####aid_end
commands:
- Get-BGRegistry -StartKey "HKLM\SYSTEM\MountedDevices"
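
The Get-BGRegistry call above returns the raw REG_BINARY data; the following is an added example (not part of this AID and not Get-BGRegistry's own code) that decodes the "\DosDevices\<letter>:" values so the "\??\STORAGE#RemovableMedia" case from the notes can be read as text. It also goes beyond the notes by decoding the MBR-signature and GPT ("DMIO:ID:") forms that fixed disks use, and assumes a live Windows host where HKLM\SYSTEM\MountedDevices is readable.

```powershell
# Added decoding example; not part of this AID and not Get-BGRegistry's own code.
# Assumes a live Windows host where HKLM\SYSTEM\MountedDevices is readable.
function Get-MountedDeviceEntry {
    $key = Get-Item -Path 'HKLM:\SYSTEM\MountedDevices'
    foreach ($name in $key.GetValueNames()) {
        # Only the per-drive-letter entries, e.g. "\DosDevices\F:"
        if (-not $name.StartsWith('\DosDevices\', [StringComparison]::OrdinalIgnoreCase)) { continue }
        [byte[]]$raw = $key.GetValue($name)

        if ($raw.Length -ge 2 -and $raw[0] -eq 0x5C -and $raw[1] -eq 0) {
            # UTF-16LE device path, e.g. "\??\STORAGE#RemovableMedia#..." or "\??\USBSTOR#Disk&Ven_..."
            $decoded = [System.Text.Encoding]::Unicode.GetString($raw).TrimEnd([char]0)
            if ($decoded.StartsWith('\??\STORAGE#RemovableMedia', [StringComparison]::OrdinalIgnoreCase) -or
                $decoded.StartsWith('\??\USBSTOR#', [StringComparison]::OrdinalIgnoreCase)) {
                $kind = 'Removable/USB'
            } else {
                $kind = 'Device path'
            }
        } elseif ($raw.Length -eq 12) {
            # MBR-partitioned fixed disk: 4-byte disk signature followed by the 8-byte partition byte offset
            $decoded = 'MBR signature 0x{0:X8}, partition offset 0x{1:X}' -f `
                [BitConverter]::ToUInt32($raw, 0), [BitConverter]::ToUInt64($raw, 4)
            $kind = 'Fixed (MBR)'
        } elseif ($raw.Length -ge 24 -and [System.Text.Encoding]::ASCII.GetString($raw, 0, 8) -eq 'DMIO:ID:') {
            # GPT volume: ASCII marker followed by the 16-byte partition GUID
            $guid = New-Object -TypeName System.Guid -ArgumentList (,[byte[]]$raw[8..23])
            $decoded = "GPT partition GUID $guid"
            $kind = 'Fixed (GPT)'
        } else {
            # Unrecognised layout: show the bytes so nothing is silently dropped
            $decoded = ($raw | ForEach-Object { $_.ToString('X2') }) -join ' '
            $kind = 'Unknown'
        }
        # Get-Item does not expose the key's LastWrite time; read it with RegQueryInfoKey
        # (e.g. via P/Invoke) or an offline registry parser to date the connection.
        New-Object -TypeName PSObject -Property @{ Name = $name; Kind = $kind; Decoded = $decoded }
    }
}

Get-MountedDeviceEntry | Format-Table -AutoSize
```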
