SetupAPI Device Installation Logs
Windows, System Configuration, Disk Image
Location
C:\Windows\inf\setupapi.dev.log and C:\Windows\inf\setupapi.app.log
Common Names
setupapi.dev.log, setupapi.app.log
Description
SetupAPI text logs that record device and driver installation activity, including hardware identifiers, driver package selection, install result codes, and timestamps for device setup operations.
Forensic Value
SetupAPI logs are a high-confidence source for reconstructing when USB storage, smart cards, phones, and other plug-and-play devices were first installed or reconfigured on a host. They capture device instance IDs, INF names, and driver selection details that complement registry-based USB history and help distinguish an actual device install from later usage. In data theft or rogue peripheral investigations, these logs frequently provide the earliest timestamp tying a device class to the machine.
Tools Required
KAPE, type, findstr, PowerShell
Collection Commands
PowerShell
New-Item -ItemType Directory -Path C:\output\SetupAPI -Force | Out-Null; Copy-Item "C:\Windows\inf\setupapi.dev.log","C:\Windows\inf\setupapi.app.log" -Destination C:\output\SetupAPI\ -ErrorAction SilentlyContinue
findstr
findstr /I /C:"USBSTOR" /C:"VID_" /C:"PID_" C:\Windows\inf\setupapi.dev.log > C:\output\setupapi_usb_hits.txt
KAPE
kape.exe --tsource C: --tdest C:\output --target USBDevices
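The findstr command above only flags lines; to turn the collected log into a timeline, the following added example (not part of this reference entry, and not a KAPE or Microsoft tool) parses setupapi.dev.log install sections into device instance ID, section start/end time, initiating process, selected INF and exit status, then lists USBSTOR installs in order. The log text is a constructed sample whose device IDs, driver-store paths and timestamps are made up; only the section markers (`>>>` / `<<<`, `Section start`/`Section end`, `Exit status`, `cmd:`, `dvi:`) follow the real log layout.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Constructed sample in the shape of C:\Windows\inf\setupapi.dev.log (not a real capture):
# a USB mass-storage install, a USB HID install, and a failed mass-storage install.
SAMPLE_LOG = r"""[Device Install Log]
     OS Version = 10.0.19045
     Architecture = amd64

[BeginLog]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07\ABCDEF1234567890&0]
>>>  Section start 2024/03/05 14:02:11.512
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
     dvi: {Build Driver List} 14:02:11.530
     dvi: Selected driver installs from section [disk_install.NT] in 'c:\windows\system32\driverstore\filerepository\disk.inf_amd64_1234abcd5678ef90\disk.inf'.
<<<  Section end 2024/03/05 14:02:13.870
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - HID\VID_046D&PID_C52B&MI_00\7&1a2b3c4d&0&0000]
>>>  Section start 2024/03/05 14:05:40.002
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
     dvi: Selected driver installs from section [HID_Inst.NT] in 'c:\windows\system32\driverstore\filerepository\input.inf_amd64_abcdef0123456789\input.inf'.
<<<  Section end 2024/03/05 14:05:40.455
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Kingston&Prod_DataTraveler&Rev_PMAP\0019E0000000000000C3&0]
>>>  Section start 2024/03/06 08:17:03.120
      cmd: C:\Windows\system32\svchost.exe -k DcomLaunch -p
!!!  dvi: Device not started: Device has problem: 0x1c (CM_PROB_FAILED_INSTALL), problem status: 0xc0000490.
<<<  Section end 2024/03/06 08:17:05.990
<<<  [Exit status: FAILURE(0xe0000203)]
"""

TS_FMT = "%Y/%m/%d %H:%M:%S.%f"
TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}"
SECTION_START = re.compile(r"^>>>\s+\[(?P<op>.+?) - (?P<dev>.+)\]\s*$")
SECTION_TIME = re.compile(r"^>>>\s+Section start (?P<ts>" + TS + ")")
SECTION_END = re.compile(r"^<<<\s+Section end (?P<ts>" + TS + ")")
EXIT_STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>.+)\]")
CMD_LINE = re.compile(r"^\s+cmd: (?P<cmd>.+)$")       # process that requested the install
INF_LINE = re.compile(r"in '(?P<path>[^']+\.inf)'", re.IGNORECASE)
VID_PID = re.compile(r"VID_(?P<vid>[0-9A-F]{4})&PID_(?P<pid>[0-9A-F]{4})", re.IGNORECASE)


@dataclass
class InstallSection:
    operation: str
    device_id: str
    start: Optional[datetime] = None
    end: Optional[datetime] = None
    exit_status: Optional[str] = None
    initiator: Optional[str] = None
    inf_name: Optional[str] = None

    @property
    def is_usb_storage(self) -> bool:
        # Mass-storage class devices enumerate under the USBSTOR bus.
        return self.device_id.upper().startswith("USBSTOR\\")

    @property
    def vid_pid(self) -> Optional[Tuple[str, str]]:
        m = VID_PID.search(self.device_id)
        return (m["vid"].upper(), m["pid"].upper()) if m else None


def parse_setupapi_log(text: str) -> List[InstallSection]:
    """Walk the log line by line; every '>>>  [... - <device>]' opens a section that the
    matching '<<<  [Exit status: ...]' closes. Lines outside a section are ignored."""
    sections: List[InstallSection] = []
    current: Optional[InstallSection] = None
    for line in text.splitlines():
        m = SECTION_START.match(line)
        if m:
            current = InstallSection(m["op"], m["dev"])
            sections.append(current)
            continue
        if current is None:
            continue
        if (m := SECTION_TIME.match(line)):
            current.start = datetime.strptime(m["ts"], TS_FMT)
        elif (m := SECTION_END.match(line)):
            current.end = datetime.strptime(m["ts"], TS_FMT)
        elif (m := EXIT_STATUS.match(line)):
            current.exit_status = m["status"]
            current = None                      # section closed
        elif (m := CMD_LINE.match(line)) and current.initiator is None:
            current.initiator = m["cmd"].strip()
        elif (m := INF_LINE.search(line)):      # keep only the INF file name, not the driver-store path
            current.inf_name = m["path"].replace("\\", "/").rsplit("/", 1)[-1]
    return sections


def usb_storage_timeline(sections: List[InstallSection]) -> List[InstallSection]:
    """USBSTOR sections ordered by start time; the earliest is the 'first installed' evidence."""
    return sorted((s for s in sections if s.is_usb_storage and s.start), key=lambda s: s.start)


if __name__ == "__main__":
    for s in usb_storage_timeline(parse_setupapi_log(SAMPLE_LOG)):
        print(f"{s.start:%Y-%m-%d %H:%M:%S}  {s.exit_status or '?':<22} {s.inf_name or '-':<10} {s.device_id}")
```

The section start of the earliest successful USBSTOR entry is the timestamp to put beside the registry USBSTOR keys for the same serial; a FAILURE section still shows the hardware was enumerated on that host even though no driver was installed, which is exactly the install-versus-usage distinction this artifact supports.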
Collection Constraints
- Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.
- These logs track installation and driver setup events, not every subsequent device use. Older entries may be rotated out on long-lived systems with heavy device churn.
MITRE ATT&CK Techniques
T1091, T1200, T1120