Forensics
USB devices and the Windows Registry Feb 01 2005 12:45PM
H Carvey (keydet89 yahoo com) (1 replies)
Re: USB devices and the Windows Registry Feb 01 2005 06:33PM
Bob Jones (jonesb svcc edu) (1 replies)
My first assumption about this is that the unique key is part of the
device instance ID, which includes the USBSTOR part on down to the
unique number. This can be seen in the details tab in the hardware
properties of the USB device. I would assume that there is a serial
number or GUID on each USB device (which you have validated
yourself) and that number is used by Windows to keep the devices
separate when reading and writing, and also to know whether the
device is new or not (you only get a new hardware found message the
first time the device is installed). I would think in-depth
studying of any PnP API or USB-related stuff would be a good lead.

Perhaps the situation could be compared to taking two of the same
make/model NICs and swapping one out with another. Windows should
detect the new hardware with the new MAC address (our pseudo-GUID in
this example), even though the drivers and PCI slot are the same.
There may also then be a GUID on that NIC that may or may not be
related to the MAC address at all, used for device identification
just like these USB devices. I'm leaning toward PnP API stuff if it
is available. At least it'd be my first choice, but I'm not a
veteran programmer, so forgive me if I mislead anyone.

Cheers,
Bob

-----Original Message-----
From: H Carvey <keydet89 (at) yahoo (dot) com [email concealed]>
To: forensics (at) securityfocus (dot) com [email concealed]
Date: 1 Feb 2005 12:45:57 -0000
Subject: USB devices and the Windows Registry

>
>
> All,
>
> Cory Altheide and I are conducting some research into USB devices
> and the Windows Registry. In doing so, I've been trying to get in
> contact with folks at Microsoft to answer some questions with
> regards to the creation of certain Registry keys...most of the
> contacts have been several layers removed from me.
>
> I'd like to ask the questions here, as well, to see what kind of
> response I can get back from the community.
>
> Our basic questions are these:
>
> 1. When you connect a USB storage device to a Windows system (2K,
> XP, 2K3), Registry keys are created. If they don't already exist,
> the HKLM\System\CurrentControlSet\Enum\USBStor key is created.
> Beneath that key, a subkey containing the vendor name is created,
> and beneath the "vendor key", a key with a unique name is created
> for each device (I'll call this the "unique key"). On a test XP
> system, it looks like this:
>
> HKLM\System\CurrentControlSet\Enum\USBStor
>   \Disk&Ven_LEXAR&Prod_DIGITAL_FILM&Rev_/W1.
>   \7&276114a5&0&______________040719030000008093F300000000000&0
>
> According to some scant MSDN documentation, the final key name is
> unique to the device...each time the device is plugged into the
> Windows system, the same name will be used. Also, if the device is
> plugged into other Windows systems, the same name will appear.
>
> The question is, how is this key name created? If something
> specific is pulled from the device, what is that artifact? How is
> it retrieved; ie, via what API and data structure? How is it then
> processed to develop the name of the "unique key"?
>
> 2. Within the "unique key", there is a value called
> "ParentIdPrefix". How is this value derived? What API/data
> structure is used? How does the system then subsequently use this
> value?
>
> Thanks. Any assistance, along with cited sources, would be greatly
> appreciated. Cory and I do intend to make the final results of our
> research public.
>
> Thanks,
>
> H. Carvey
> "Windows Forensics and Incident Recovery"
> http://www.windows-ir.com
> http://windowsir.blogspot.com
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
>

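The two questions above (how the USBSTOR "unique key" relates to what the device reports, and what ParentIdPrefix is later used for) are the kind of thing a forensic analyst ends up scripting against an exported hive. The following Python is an added example, not code from this thread or from Carvey and Altheide's research. It parses a constructed .reg-style export of the USBSTOR key, splits each device-class subkey into type/vendor/product/revision, pulls the instance ID, and links each device to a drive letter through MountedDevices, assuming the XP-era layout in which a \DosDevices\X: value under HKLM\SYSTEM\MountedDevices decodes to "\??\STORAGE#RemovableMedia#<ParentIdPrefix>&RM#{...}". The test for a Windows-generated instance ID ('&' as the second character, which Microsoft documents for devices that report no serial number) is applied as a heuristic only; verify it against the physical device. Every key name, serial and prefix in the sample data is made up.

```python
"""Correlate USBSTOR instance keys with drive letters via ParentIdPrefix.

Added example. Input is a constructed, .reg-style text export; the
MountedDevices values are shown already decoded from REG_BINARY
(UTF-16LE) to str. No real device data is used.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample export of HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR.
# Instance IDs, ParentIdPrefix values and names are invented for illustration.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_LEXAR&Prod_DIGITAL_FILM&Rev_/W1.\0407190300000080&0]
"ParentIdPrefix"="7&1a2b3c4d&0"
"FriendlyName"="LEXAR DIGITAL FILM USB Device"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\Disk&Ven_ExampleCo&Prod_FlashDisk&Rev_1.00\6&2f3e4d5c&0&0]
"ParentIdPrefix"="7&9e8d7c6b&0"
"FriendlyName"="ExampleCo FlashDisk USB Device"
"""

# Constructed MountedDevices entries (value name -> decoded data).
SAMPLE_MOUNTED = {
    r"\DosDevices\E:": r"\??\STORAGE#RemovableMedia#7&1a2b3c4d&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"\DosDevices\F:": r"\??\STORAGE#RemovableMedia#7&9e8d7c6b&0&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}",
    r"\DosDevices\C:": r"\??\Volume{00000000-0000-0000-0000-000000000000}",
}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR\\([^\\]+)\\([^\]]+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="([^"]*)"$')
# Device-class ID: <type>&Ven_<vendor>&Prod_<product>&Rev_<revision>
DEVCLASS_RE = re.compile(r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<rev>.*)$")
# Assumed XP-era MountedDevices format for removable media.
MOUNT_RE = re.compile(r"^\\\?\?\\STORAGE#RemovableMedia#(?P<prefix>.+?)&RM#", re.IGNORECASE)


@dataclass
class UsbStorDevice:
    device_type: str
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]            # None when the ID looks Windows-generated
    values: Dict[str, str] = field(default_factory=dict)
    drive_letters: List[str] = field(default_factory=list)

    @property
    def parent_id_prefix(self) -> Optional[str]:
        return self.values.get("ParentIdPrefix")


def extract_serial(instance_id: str) -> Optional[str]:
    """Return the device-reported serial, or None if Windows generated the ID.

    Heuristic (Microsoft's documented convention, assumed here): a '&' as the
    second character means the device reported no serial number and the bus
    driver synthesised an ID. The trailing '&<n>' is a suffix added by usbstor.
    """
    if len(instance_id) > 1 and instance_id[1] == "&":
        return None
    return instance_id.rsplit("&", 1)[0]


def parse_usbstor(reg_text: str) -> List[UsbStorDevice]:
    """Parse USBSTOR subkeys and their string values from a .reg-style export."""
    devices: List[UsbStorDevice] = []
    current: Optional[UsbStorDevice] = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            devclass, instance = km.groups()
            dm = DEVCLASS_RE.match(devclass)
            if not dm:                       # not a device-class subkey we understand
                current = None
                continue
            current = UsbStorDevice(dm["type"], dm["vendor"], dm["product"], dm["rev"],
                                    instance, extract_serial(instance))
            devices.append(current)
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            current.values[vm.group(1)] = vm.group(2)
    return devices


def correlate(devices: List[UsbStorDevice], mounted: Dict[str, str]) -> List[UsbStorDevice]:
    """Attach drive letters whose MountedDevices data carries a known ParentIdPrefix."""
    by_prefix = {d.parent_id_prefix: d for d in devices if d.parent_id_prefix}
    for name, data in mounted.items():
        if not name.upper().startswith("\\DOSDEVICES\\"):
            continue
        mm = MOUNT_RE.match(data)
        if mm and mm["prefix"] in by_prefix:
            by_prefix[mm["prefix"]].drive_letters.append(name.rsplit("\\", 1)[1])
    return devices


def summarize(reg_text: str, mounted: Dict[str, str]):
    """(vendor, product, serial-or-None, ParentIdPrefix, drive letters) per device."""
    return [(d.vendor, d.product, d.serial, d.parent_id_prefix, d.drive_letters)
            for d in correlate(parse_usbstor(reg_text), mounted)]


if __name__ == "__main__":
    for row in summarize(SAMPLE_REG, SAMPLE_MOUNTED):
        print(row)
```

On a live system the same two inputs come from `reg export HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR usbstor.reg` and from decoding the REG_BINARY data under HKLM\SYSTEM\MountedDevices as UTF-16LE; the script's only assumption about the data is the key and value layout shown in the sample.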

Re: USB devices and the Windows Registry Feb 01 2005 06:48PM
Harlan Carvey (keydet89 yahoo com)
Copyright 2009, SecurityFocus