Worked on documentation

Author: joachimmetz

docs/sources/system-keys/Application-compatibility-cache.md

@@ -516,6 +516,18 @@ Related Registry keys:
 HKLM\Sofware\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
 ```
 
+Flushing the cache Windows Vista and later:
+
+```
+Rundll32.exe apphelp.dll,ShimFlushCache
+```
+
+Flushing the cache Windows XP and Windows Server 2003
+
+```
+Rundll32.exe kernel32.dll,BaseFlushAppcompatCache
+```
+
 ## External links
 
 * [Leveraging the Application Compatibility Cache in Forensic Investigations](https://www.fireeye.com/content/dam/fireeye-www/services/freeware/shimcache-whitepaper.pdf), by Andrew Davis, 2012

docs/sources/system-keys/USB-storage.md

@@ -4,13 +4,25 @@
 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR
 ```
 
-Sub key level 1: Disk&Ven_&Prod_&Rev_0.00
+The USBSTOR key contains one or more device keys.
+
+## Device key
+
+The name of the device key is formatted as:
 
 ```
 <Device Type>&Ven_<Vendor>&Prod_<Product>&Rev_<Revision Number>
 ```
 
-Sub key level 2: 1002131402536a&0
+For example: `Disk&Ven_&Prod_&Rev_0.00`
+
+The device key contains one or more device instance keys.
+
+## Device instance key
+
+The name of the device instance key is formatted as:
+
+For example: `1002131402536a&0`
 
 Sub keys:
 
@@ -24,16 +36,88 @@ Values:
 
 Name | Data type | Description
 --- | --- | ---
-Capabilities | |
-Class | |
-ClassGUID | |
-CompatibleIDs | |
-ConfigFlags | |
-ContainerID | |
-DeviceDesc | |
-Driver | |
-FriendlyName | |
-HardwareID | |
-Mfg | |
-Service | |
+Capabilities | REG_DWORD_LITTLE_ENDIAN |
+Class | REG_SZ |
+ClassGUID | REG_SZ |
+CompatibleIDs | REG_MULTI_SZ |
+ConfigFlags | REG_DWORD_LITTLE_ENDIAN |
+ContainerID | REG_SZ |
+DeviceDesc | REG_SZ |
+Driver | REG_SZ |
+FriendlyName | REG_SZ | Human readable description of the USB storage device
+HardwareID | REG_MULTI_SZ |
+Mfg | REG_SZ | Manufacturer information
+Service | REG_SZ |
+
+## Device Parameters key
+
+Sub keys:
+
+Name | Description
+--- | ---
+MediaChangeNotification |
+Partmgr |
+
+### Device Parameters\Partmgr key
+
+Values:
+
+Name | Data type | Description
+--- | --- | ---
+Attributes | REG_DWORD_LITTLE_ENDIAN |
+DiskId | REG_SZ | Contains a GUID
+
+## LogConf key
+
+## Properties key
+
+Sub keys:
+
+Name | Description
+--- | ---
+%GUID% | Property set identifier
+
+### Property set key (Properties\%GUID%)
+
+Sub keys:
+
+Name | Description
+--- | ---
+%NUMERIC% | Property identifier
+
+#### Property key (Properties\%GUID%\%NUMERIC%)
+
+Sub keys:
+
+Name | Description
+--- | ---
+%NUMERIC% |
+
+#### Property value key (Properties\%GUID%\%NUMERIC%\%NUMERIC%)
+
+Values:
+
+Name | Data type | Description
+--- | --- | ---
+Data | REG_BINARY | Value data
+Type | REG_BINARY | Value type
+
+For a value type of 0x0010 value data contains a FILETIME
+For a value type of 0x0012 value data contains an UTF-16 litte-endian encoded string
+
+### Example
+
+```
+HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR\Disk&Ven_HP&Prod_v100w&Rev_1024\AA951D0000007252&0\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\00000004\00000000
+
+Property set: 540b947e-8b40-45bc-a8a2-6a0b894cbda2 (System.Devices)
+Property identifier: 4 (PKEY_Device_BusReportedDeviceDesc)
+Type: 0x00000012
+Data: "HP v100w USB Device"
+```
+
+## External links
+
+* [USB device registry entries](https://learn.microsoft.com/en-us/windows-hardware/drivers/usbcon/usb-device-specific-registry-settings)
+* [Identifiers Generated by USBSTOR.SYS](https://learn.microsoft.com/en-us/windows-hardware/drivers/install/identifiers-generated-by-usbstor-sys)