Ethical Hacking Training at InfoSec Institute

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Computer Forensics Computer-Forensics
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

USB devices and the Windows Registry

from [H Carvey] Network Security [Permanent Link]
Subject: USB devices and the Windows Registry
Date: 1 Feb 2005 12:45:57 -0000 


All,

Cory Altheide and I are conducting some research into USB devices and the 
Windows Registry.  In doing so, I've been trying to get in contact with folks 
at Microsoft to answer some questions with regards to the creation of certain 
Registry keys...most of the contacts have been several layers removed from me.  

I'd like to ask the questions here, as well, to see what kind of response I can 
get back from the community.

Our basic questions are these:

1.  When you connect a USB storage device to a Windows system (2K, XP, 2K3), 
Registry keys are created.  If they don't already exist, the 
HKLM\System\CurrentControlSet\Enum\USBStor key is created.  Beneath that key, a 
subkey containing the vendor name is created, and beneath the "vendor key", a 
key with a unique name is created for each device (I'll call this the "unique 
key").  On a test XP system, it looks like this:

HKLM\System\CurrentControlSet\Enum\USBStor
     \Disk&Ven_LEXAR&Prod_DIGITAL_FILM&Rev_/W1.
       \7&276114a5&0&______________040719030000008093F300000000000&0

According to some scant MSDN documentation, the final key name is unique to the 
device...each time the device is plugged into the Windows system, the same name 
will be used.  Also, if the device is plugged into other Windows systems, the 
same name will appear.

The question is, how is this key name created?  If something specific is pulled 
from the device, what is that artifact?  How is it retrieved; ie, via what API 
and data structure?  How is it then processed to develop the name of the 
"unique key"?

2.  Within the "unique key", there is a value called "ParentIdPrefix".  How is 
this value derived?  What API/data structure is used?  How does the system then 
subsequently use this value?

Thanks.  Any assistance, along with cited sources, would be greatly 
appreciated.  Cory and I do intend to make the final results of our research 
public.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
[More with this subject...]


<Prev in Thread] Current Thread [Next in Thread>
Next by Date:  RE: USB devices and the Windows Registry, Keifer, Trey
Next by Thread:  Re: USB devices and the Windows Registry, Bob Jones
Indexes:  [Date] [Thread] [Top] [All Lists]