If anyones been keeping up with the development of u3, a newer usb tech. You have probly heard of the software that is being black hatted that uses these drives to basicaly own a win2k box or greater simply by plugging it in. The open source project which I found quite alarming only requires the u3 usb device to be plugged in and auto discovered and opened to install what ever software has been configured as a payload. No keyboard interaction required, no admin access needed.

I know that turning off auto exec for usb devices will slow the person down, but that just leave the payload to be manually activated, and that disabling usb altogether is the best idea but not always possible. I have only glimpsed at the project and source, but the trend seems to be to hide the payload as a ms update in $winnt-uninstall-kb-blah blah. What I am thinking is that the detection of the installation would have to involve going into add remove programs and actually noting each update. What I would like to know is there a way to automatically pull the update names to a text file? Either from the reg or some other place that I don't know of, so that a batch file could pole the windows updates uninstall folders residing in c:\windows and compare them to the actual updates that have been installed? If its possible then a pretty simple batch script, (or prog lang of your choice) could be used to actually detect the machine has been comprimised and even tell you where the suspect folder is, mabey even pop open any suspect folder for manual inspection. From there it would have to be a standard clean up I guess but since I havent heard of anything that can truely detect the exploit even most of the time.

Any input on the subject is welcome.

-----------------------edit------------------
I might have answered my own question. The c:\windows\WindowsUpdate.log seems to have the info, just need to parse it.