Cory Altheide and I are conducting some research into USB devices and the Windows Registry. In doing so, I've been trying to get in contact with folks at Microsoft to answer some questions with regards to the creation of certain Registry keys...most of the contacts have been several layers removed from me.
I'd like to ask the questions here, as well, to see what kind of response I can get back from the community.
Our basic questions are these:
1. When you connect a USB storage device to a Windows system (2K, XP, 2K3), Registry keys are created. If they don't already exist, the HKLM\System\CurrentControlSet\Enum\USBStor key is created. Beneath that key, a subkey containing the vendor name is created, and beneath the "vendor key", a key with a unique name is created for each device (I'll call this the "unique key"). On a test XP system, it looks like this:
According to some scant MSDN documentation, the final key name is unique to the device...each time the device is plugged into the Windows system, the same name will be used. Also, if the device is plugged into other Windows systems, the same name will appear.
The question is, how is this key name created? If something specific is pulled from the device, what is that artifact? How is it retrieved; ie, via what API and data structure? How is it then processed to develop the name of the "unique key"?
2. Within the "unique key", there is a value called "ParentIdPrefix". How is this value derived? What API/data structure is used? How does the system then subsequently use this value?
Thanks. Any assistance, along with cited sources, would be greatly appreciated. Cory and I do intend to make the final results of our research public.
Thanks,
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
All,
Cory Altheide and I are conducting some research into USB devices and the Windows Registry. In doing so, I've been trying to get in contact with folks at Microsoft to answer some questions with regards to the creation of certain Registry keys...most of the contacts have been several layers removed from me.
I'd like to ask the questions here, as well, to see what kind of response I can get back from the community.
Our basic questions are these:
1. When you connect a USB storage device to a Windows system (2K, XP, 2K3), Registry keys are created. If they don't already exist, the HKLM\System\CurrentControlSet\Enum\USBStor key is created. Beneath that key, a subkey containing the vendor name is created, and beneath the "vendor key", a key with a unique name is created for each device (I'll call this the "unique key"). On a test XP system, it looks like this:
HKLM\System\CurrentControlSet\Enum\USBStor
\Disk&Ven_LEXAR&Prod_DIGITAL_FILM&Rev_/W1.
\7&276114a5&0&______________040719030000008093F300000000000&0
According to some scant MSDN documentation, the final key name is unique to the device...each time the device is plugged into the Windows system, the same name will be used. Also, if the device is plugged into other Windows systems, the same name will appear.
The question is, how is this key name created? If something specific is pulled from the device, what is that artifact? How is it retrieved; ie, via what API and data structure? How is it then processed to develop the name of the "unique key"?
2. Within the "unique key", there is a value called "ParentIdPrefix". How is this value derived? What API/data structure is used? How does the system then subsequently use this value?
Thanks. Any assistance, along with cited sources, would be greatly appreciated. Cory and I do intend to make the final results of our research public.
Thanks,
H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
[ reply ]