Bob,

Thanks for the response.

> My first assumption about this is that the unique
> key is part of the
> device instance ID, which includes the USBSTOR part
> on down to the unique number.

To be honest, what we're trying to avoid, or at least
minimize, is assumptions.

> This can be seen in the details tab
> in the hardware
> properties of the USB device. I would assume that
> there is a serial
> number or GUID on each USB device (which you have
> validated yourself)

We're also trying to avoid assumptions. However, the
devices do have a GUID, but that does nothing to
address the questions I posed in my original post.

> and that number is used by Windows to keep
> the devices
> separate when reading and writing,

This would seem to be the case, but with regards to
information pulled from the USB device (firmware)
itself, what we're trying to determine (and support
with the appropriate documentation) is just how the
number or value is used by Windows...hence the
question about APIs and data structures.

> I would think in-depth
> studying of any PnP API or USB-related stuff would
> be a good lead.

You're right, it is. However, we're also trying to
get documentation to support our findings.

Again, thanks for your response.

Harlan

=====
------------------------------------------
Harlan Carvey, CISSP
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com
------------------------------------------

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com

[ reply ]