Hi all,
I'm curious how a Transcend 2GB Jetflash USB thumb drive can be inserted into a Windows 7 laptop, and it not be mapped to a drive letter? I'm checking System/MountedDevices and don't see the drive letter. The drive doesn't show up in Software\Microsoft\Windows NT\Current Version\EMDMgm, but does in System\CurrentControlSet\Enum\USBStor. I also see it in C\Windows\inf\Setupapi.dev.log. When I search System\CurrentControlSet\Enum\USBStor for the serial number, I don't get a hit on any of the \??\Volume{GUID}.
So curiously how can a USB be inserted, and not have a drive letter associated with it?
Thanks.
So curiously how can a USB be inserted, and not have a drive letter associated with it?
It's perfectly possible to remove / disassociate a fixed volume from a drive letter – see Control Panel / Administrative Tools / Computer management / Disk Management. Right-click on the volume and select Change Drive Letters and Paths, and just Remove the drive letter assignment.
I can do the same thing for USB volumes. Next time I insert it (at least in the same login and boot session), the volume will be discovered, but it will not have a drive letter assigned.
You can also mount the volume somewhere else. In the same dialog box (Change Drive Letters and Paths) there's an 'Add' option, allowing you to mount the volume in an empty NTFS folder / mountpoint. Could be useful if you have something like 'My Safes' (for Password Safe), or PGP keys or other private files that you prefer to store off the hard disk, yet still be in the file tree.
These settings (changing or removing drive letter, or assigning a different mount point altogether) presumably end up in Windows registry somewhere, and possibly associated with a 'static' volume identifier.
On my on Windows 7, it looks like
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
might be involved, but I'll leave that investigation for others. (Hint Process Monitor) There's also the following thread from Technet
https://
which provides a lot of related information.
Looks like some Regripper plugins extracts info from the …\Explorer\MountPoints2 path so you may find additional info there.
The drive doesn't show up in Software\Microsoft\Windows NT\Current Version\EMDMgm, but does in System\CurrentControlSet\Enum\USBStor. I also see it in C\Windows\inf\Setupapi.dev.log. When I search System\CurrentControlSet\Enum\USBStor for the serial number, I don't get a hit on any of the \??\Volume{GUID}.
And what does Disk Manager see?
And what does mountvol see?
jaclaz
I'm asking this question as I'm attempting to examine an image of a computer that I captured, so I can only look at the existing logs. Thus far, none of the logs that Iv'e reviewed indicate which drive letter the thumb drive was mounted to. Unfortunately, I can't look at mountval or Disk Manager to see what's going on.
Thanks for your responses!
Have you tried USBdeview?
I have seen on my own system that sometimes I'll insert a new USB device and it won't appear to have been allocated a drive letter. The reason in my case is that the system (W7 SP1) is trying to allocate a drive letter that has already been allocated to a network share via GPO.
Could that be another possible explanation?