Wednesday, October 1, 2008

Windows XP and Vista setupapi.log

setupapi.log is a plain-text file that contains some interesting information about various device and service-pack installations. The file may contain serial numbers of the devices connected to a Windows machine. By studying setupapi.log it may be possible to tell whether a particular device was connected to the computer during OS installation (look for the #-199 message showing setup being run with the -newsetup switch) or connected at a later stage, including the date and time when it was connected.

The file is located in %windir%\ directory for Windows XP machines.

Microsoft has a good paper regarding this log file: "Troubleshooting Device Installation with the SetupAPI Log File".

Harlan Carvey in his book Windows Forensic Analysis DVD Toolkit explained very well the significance of setupapi.log to forensic examiners.

Vista has two similar files setupapi.app.log and setupapi.dev.log located in %windir%\inf\ directory.

setupapi.dev.log is the primary log file (device and driver installation), while setupapi.app.log contains some legacy application-level logging information.

Useful links in relation to Vista log files are:


6 comments:

Phil Rodokanakis said...

Thanks for the post, it was helpful in locating these files in Vista. However, the format of these logs has changed a lot from the setupapi.log under XP. Have you come across a viewer or other parsing tool that can read these? I can't even see the dates, so they are not pretty helpful in ascertaining when a device was first installed. Any ideas?

eco said...

Hi Phil,
I have accessed setupapi.dev.log and setupapi.app.log files with no problems and I can see the relevant entries like this: "Section start 2008/09/29 19:43:14.453 cmd: C:\Windows\system32\oobe\setup.exe"
I also used Helix v2 live CD to boot and accessed these logs in read-only mode and viewed these logs in a text editor (gedit). Vista Ultimate 64-bit is the operating system I can access right now and I can see the logs with no problems. You can try two things:
1. Use LiveView and boot the operating system from the image and access the logs this way.
2. Try to mount your image with Mount Image Pro or Smart Mount on a Vista machine and see if you can see the dates in the logs.
Please let me know if these methods worked.

Phil Rodokanakis said...

Andre:

Thanks for the reply. I'm using EnCase and yes, I can "read" the entries in the log and see some dates. But they're not as clear as the old setupapi.logs were. For example, I can't tell where one log entry starts and where it ends.

Is there some kind of marker that marks the beginning of a new log entry?

I guess, I'm going to have to print out a few pages and try to see if I can decipher any commonalities between the different entries.

eco said...

Phil,

Sometime ago Microsoft published a document called "Debugging Device Installation in Windows Vista" that explains how to read the logs. Here is the link: http://www.microsoft.com/whdc/driver/install/diagnose.mspx

and below is the excerpt from this document. Hope this helps.

-----------------------------

Basic Structure of the SetupAPI logs

The logs are divided into individual sections, one per device install, as follows:

Log Header
>>> Section header
Device Driver install section 1
<<< End Section

>>> Section header
Device Driver install section 2
<<< End Section

>>> Section header
Device Driver install section 3
<<< End Section

It is useful to search on ">>>" and "<<<" when looking for the beginning and end of a device install operation.

Basic Structure of a Log Section

Individual steps for install are shown in brackets, with indented details:

dvi: {Common Device Properties}
dvi:      Provider name=Microsoft
dvi:      DriverVersion=6.0.5340.0
dvi:      Class name=FloppyDisk
dvi:      Matching DeviceID=genfloppydisk
dvi: {Common Device Properties status SUCCESS}

inf: {INF Service Section [floppy_install.NT.Services]}
inf:      AddService=flpydisk,2,flpy_SvcInstSection (flpydisk.inf line 57)
dvi:      Add Service: Modified existing service 'flpydisk'.
inf: {INF Service Section [floppy_install.NT.Services] status SUCCESS}

Finding Install Attempts

Header/Footer show the device instance ID and the success/failure of the install:

>>> [Device Install (Hardware initiated) - UMB\UMB\1&841921d&0&TSBUS]
>>> 2006/03/14 14:49:04.554: Section start

< body of log data >

<<< 2006/03/14 14:49:07.223: Section end
<<< [Exit status: SUCCESS]
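The structure quoted above (a ">>>" header pair naming the device instance ID and section start time, a body of indented steps, and a "<<<" footer pair with the end time and exit status) is regular enough to parse mechanically, which also answers the earlier question about where one entry starts and the next ends. The following Python script is an added example written for this page; it is not code from the post, the commenters, or Microsoft's document. The log text inside it is constructed to mirror that layout, not taken from a real machine, and the script assumes Python 3.8 or later. It accepts both timestamp layouts seen here: "Section start <ts>" as in the comment above, and "<ts>: Section start" as in the quoted excerpt.

```python
"""Parse Vista-style setupapi.dev.log text into per-device install sections.

Added example for the setupapi.log discussion; assumes the ">>>"/"<<<"
section layout quoted from Microsoft's "Debugging Device Installation"
document. Sample log below is constructed, not captured from a real system.
"""
import re
from datetime import datetime

# Constructed sample: two installs of the same USB flash drive and one
# failed install of another device, in the setupapi.dev.log layout.
SAMPLE_LOG = """\
[Device Install Log]
     OS Version = 6.0.6001
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Example&Prod_Flash&Rev_1.00\\0123456789&0]
>>>  Section start 2008/09/29 19:43:14.453
     cmd: C:\\Windows\\system32\\svchost.exe -k DcomLaunch
     dvi: {Build Driver List} 19:43:14.500
     dvi: {Build Driver List - exit(0x00000000)} 19:43:14.600
<<<  Section end 2008/09/29 19:43:17.223
<<<  [Exit status: SUCCESS]
>>>  [Device Install (Hardware initiated) - UMB\\UMB\\1&841921d&0&TSBUS]
>>>  Section start 2008/09/30 08:15:02.001
     dvi: {Common Device Properties}
<<<  Section end 2008/09/30 08:15:03.100
<<<  [Exit status: FAILURE(0xe0000203)]
>>>  [Device Install (Hardware initiated) - USBSTOR\\Disk&Ven_Example&Prod_Flash&Rev_1.00\\0123456789&0]
>>>  Section start 2008/10/01 12:00:00.000
<<<  Section end 2008/10/01 12:00:01.000
<<<  [Exit status: SUCCESS]
"""

TS = r"\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+"
# ">>>  [<kind> - <device instance ID>]": split on the first " - ".
HEADER_RE = re.compile(r"^>>>\s+\[(?P<kind>.+?) - (?P<instance>.+)\]\s*$")
# Timestamp either before ("<ts>: Section start") or after ("Section start <ts>").
START_RE = re.compile(rf"^>>>\s+(?:(?P<a>{TS}): Section start|Section start (?P<b>{TS}))")
END_RE = re.compile(rf"^<<<\s+(?:(?P<a>{TS}): Section end|Section end (?P<b>{TS}))")
EXIT_RE = re.compile(r"^<<<\s+\[Exit status:\s*(?P<status>[^\]]+)")


def _ts(match):
    """Convert whichever timestamp group matched into a datetime."""
    return datetime.strptime(match.group("a") or match.group("b"), "%Y/%m/%d %H:%M:%S.%f")


def parse_sections(text):
    """Return one dict per ">>> ... <<<" section, in file order.

    A section whose footer is missing (truncated log) keeps end/status as None.
    """
    sections, current = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m.group("kind"), "instance": m.group("instance"),
                       "start": None, "end": None, "status": None, "body": []}
            sections.append(current)
            continue
        if current is None:
            continue  # log header lines before the first section
        if (m := START_RE.match(line)):
            current["start"] = _ts(m)
        elif (m := END_RE.match(line)):
            current["end"] = _ts(m)
        elif (m := EXIT_RE.match(line)):
            current["status"] = m.group("status").strip()
            current = None  # footer closes the section
        else:
            current["body"].append(line.strip())
    return sections


def first_install(sections, instance_prefix):
    """Earliest dated section whose device instance ID starts with the prefix
    (case-insensitive), e.g. "USBSTOR\\" for USB mass-storage devices."""
    prefix = instance_prefix.lower()
    hits = [s for s in sections
            if s["instance"].lower().startswith(prefix) and s["start"] is not None]
    return min(hits, key=lambda s: s["start"], default=None)


def timeline(sections):
    """(start, instance, status) tuples sorted by start time for quick review."""
    return sorted((s["start"], s["instance"], s["status"])
                  for s in sections if s["start"] is not None)


if __name__ == "__main__":
    secs = parse_sections(SAMPLE_LOG)
    for start, instance, status in timeline(secs):
        print(f"{start:%Y-%m-%d %H:%M:%S}  {str(status):<20}  {instance}")
    usb = first_install(secs, "USBSTOR\\")
    print("first USB storage install:", usb["start"], usb["instance"])
```

Running it against a real setupapi.dev.log is a matter of reading the file into `parse_sections`; the `first_install` call with a "USBSTOR\" prefix gives the earliest recorded install for a USB mass-storage device, with the serial number embedded in the instance ID, which is the kind of question raised later in this thread. Sections that lack a footer are kept so that a truncated or still-open install is visible rather than silently dropped.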

eco said...

I guess another way to read the log file is to open it in Notepad++ and select Language as C++ or something similar. This would present the data in a more readable format. One may also try to utilise "User Define Dialog" under "View" option in Notepad++. This would allow setting syntax highlighting specifically for setupapi.dev.log files.

Phil Rodokanakis said...

Andre:

Thanks a million. That's exactly what I was looking for. Ironically, I had come across the Microsoft page you reference, but I didn't see anything useful there, as I completely missed the Word document that was available for download. I guess I should slow down and read things more carefully, instead of "scanning" a web page... (sad smile)

Now, if I can only find out the installation information for the device driver that was installed when a particular USB thumb drive was first connected to the system I'm examining...