Insider Threat Matrix™

  • ID: DT022
  • Created: 31st May 2024
  • Updated: 31st May 2024
  • Platform: Windows
  • Contributor: The ITM Team

USB Registry Key

The USB registry key, located at HKLM\SYSTEM\ControlSet001\Enum\USB, is a rich source of information about USB devices that have been connected to a Windows system. The information typically found under this key includes connection status, information from the USBSTOR registry key, last write time, and installation date.

These details can be cross-referenced with evidence in the MountedDevices and USBSTOR registry keys.
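An added example, not part of the ITM entry: a Python triage helper that walks the key described above and records each device instance with its last write time. The function names are hypothetical, and two conventions it relies on are assumptions not stated on this page: a `Service` value of `USBSTOR` marks a mass storage device, and an instance ID whose second character is `&` was generated by Windows rather than reported by the device.

```python
import re
from datetime import datetime, timedelta, timezone

USB_ENUM = r"SYSTEM\ControlSet001\Enum\USB"  # path from the page, under HKLM
VID_PID = re.compile(r"VID_([0-9A-F]{4})&PID_([0-9A-F]{4})", re.I)

def filetime_to_utc(ft):
    """Convert a key's last write time (100 ns ticks since 1601-01-01 UTC)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def describe(device_key, instance_id, values, last_write):
    """Normalise one Enum\\USB\\<device>\\<instance> key into a triage record."""
    m = VID_PID.search(device_key)
    return {
        "vid": m.group(1).upper() if m else None,
        "pid": m.group(2).upper() if m else None,
        "instance_id": instance_id,
        # Assumption: '&' as second character means a Windows-generated ID (no serial).
        "has_serial": len(instance_id) > 1 and instance_id[1] != "&",
        # Assumption: mass storage devices are bound to the USBSTOR service.
        "mass_storage": str(values.get("Service", "")).upper() == "USBSTOR",
        "last_write_utc": filetime_to_utc(last_write).isoformat(),
    }

def _subkeys(winreg, key):
    # QueryInfoKey returns (subkey count, value count, last write time).
    for i in range(winreg.QueryInfoKey(key)[0]):
        yield winreg.EnumKey(key, i)

def collect():
    """Walk the live key; Windows only, winreg is imported lazily."""
    import winreg
    records = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, USB_ENUM) as root:
        for dev in _subkeys(winreg, root):
            with winreg.OpenKey(root, dev) as dkey:
                for inst in _subkeys(winreg, dkey):
                    with winreg.OpenKey(dkey, inst) as ikey:
                        _, n_val, mtime = winreg.QueryInfoKey(ikey)
                        vals = {n: d for n, d, _ in (winreg.EnumValue(ikey, i) for i in range(n_val))}
                        records.append(describe(dev, inst, vals, mtime))
    return records

# Constructed sample record (not taken from a real system).
SAMPLE = describe("VID_0781&PID_5581", "0123456789ABCDEF", {"Service": "USBSTOR"}, 133615872000000000)

if __name__ == "__main__":
    for record in collect():
        print(record)
```

Records with `has_serial` set carry an instance ID that can be looked up in the USBSTOR key for the cross-referencing described above.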

Sections

ID Name Description
PR002 Device Mounting

A subject may mount an external device or network device to establish a means of exfiltrating sensitive data.

ME005 Removable Media

A subject can mount and write to removable media.

PR014.001 USB Mass Storage Device Formatting

A subject formats a USB mass storage device on a target system with a file system capable of being written to by the target system.

IF002.001 Exfiltration via USB Mass Storage Device

A subject exfiltrates data using a USB-connected mass storage device, such as a USB flash drive or USB external hard drive.

PR002.001 USB Mass Storage Device Mounting

A subject may attempt to mount a USB Mass Storage device on a target system.

ME005.001 USB Mass Storage

A subject can mount and write to a USB mass storage device.

ME005.002 SD Cards

A subject can mount and write to an SD card, either directly from the system, or through a USB connector.

IF002.006 Exfiltration via USB to USB Data Transfer

A USB to USB data transfer cable is a device designed to connect two computers directly together for the purpose of transferring files between them. These cables are equipped with a small electronic circuit to facilitate data transfer without the need for an intermediate storage device. Typically, a USB to USB data transfer cable requires specific software to be installed to facilitate the data transfer. In the context of an insider threat, a USB to USB data transfer cable can be a tool for exfiltrating sensitive data from an organization's environment.