ForensicFrank
Guest
Posted: Wed Nov 09, 2005 5:26 pm
Post subject: Retrieving Devices From The Registry

I am trying to narrow down some information from the Windows registry on how
Windows deals with connected hardware.
Under HKLM/System/ControlSetxxx/Enum, Windows lists a number of keys (e.g.
IDE, USB, USBSTOR); under each of these there are devices listed (e.g. under
IDE you have IDE drives listed). What I am trying to find out is how Windows
deals with these keys.
I see some drives listed under IDE (e.g. CD drives) that I have not
connected to this machine at any time.
Anyone who can shed some light on this part of the registry and how it is
dealt with, I would look forward to reading it.
Thanks

Dixonian69
Guest
Posted: Thu Nov 10, 2005 1:27 am
Post subject: RE: Retrieving Devices From The Registry

Any particular reason you are editing devices using the system registry?
Can make serious mistakes.
--
Dennis S.
I'm from Illinois. I hope I helped you. Good Luck.
"ForensicFrank" wrote:
Quote:
I am trying to narrow down some information from the Windows registry on how
Windows deals with connected hardware.
Under HKLM/System/ControlSetxxx/Enum, Windows lists a number of keys (e.g.
IDE, USB, USBSTOR); under each of these there are devices listed (e.g. under
IDE you have IDE drives listed). What I am trying to find out is how Windows
deals with these keys.
I see some drives listed under IDE (e.g. CD drives) that I have not
connected to this machine at any time.
Anyone who can shed some light on this part of the registry and how it is
dealt with, I would look forward to reading it.
Thanks


ForensicFrank
Guest
Posted: Thu Nov 10, 2005 5:26 pm
Post subject: RE: Retrieving Devices From The Registry

Dennis,
I am a forensic investigator working a case that involves devices attached
to a system. I am looking for some information on the previous registry key
to aid in the investigation.
Thanks
"Dixonian69" wrote:
Quote:
Any particular reason you are editing devices using the system registry?
Can make serious mistakes.
--
Dennis S.
I'm from Illinois. I hope I helped you. Good Luck.
"ForensicFrank" wrote:
I am trying to narrow down some information from the Windows registry on how
Windows deals with connected hardware.
Under HKLM/System/ControlSetxxx/Enum, Windows lists a number of keys (e.g.
IDE, USB, USBSTOR); under each of these there are devices listed (e.g. under
IDE you have IDE drives listed). What I am trying to find out is how Windows
deals with these keys.
I see some drives listed under IDE (e.g. CD drives) that I have not
connected to this machine at any time.
Anyone who can shed some light on this part of the registry and how it is
dealt with, I would look forward to reading it.
Thanks


Malke
Guest
Posted: Thu Nov 10, 2005 5:26 pm
Post subject: RE: Retrieving Devices From The Registry

ForensicFrank wrote:
Quote:
Dennis,
I am a forensic investigator working a case that involves devices
attached to a system. I am looking for some information on the
previous registry key to aid in the investigation.
In this case, you should contact Microsoft tech support directly or
consult another professional forensic investigator. If you make a
mistake, your client's case will be compromised. This is not something
you should be troubleshooting in a newsgroup. When you contact
Microsoft, ask to speak to someone higher up in the support tier.
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

ForensicFrank
Guest
Posted: Thu Nov 10, 2005 5:26 pm
Post subject: RE: Retrieving Devices From The Registry

Malke,
Just to clarify, this is just one piece of many... it was posted here looking
to find some answers. I will be contacting Microsoft but thought I would ask.
Thanks for your concern.
"Malke" wrote:
Quote:
ForensicFrank wrote:
Dennis,
I am a forensic investigator working a case that involves devices
attached to a system. I am looking for some information on the
previous registry key to aid in the investigation.
In this case, you should contact Microsoft tech support directly or
consult another professional forensic investigator. If you make a
mistake, your client's case will be compromised. This is not something
you should be troubleshooting in a newsgroup. When you contact
Microsoft, ask to speak to someone higher up in the support tier.
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User


Malke
Guest
Posted: Thu Nov 10, 2005 5:26 pm
Post subject: RE: Retrieving Devices From The Registry

ForensicFrank wrote:
Quote:
Malke,
Just to clarify, this is just one piece of many... it was posted here
looking to find some answers. I will be contacting Microsoft but
thought I would ask.
Glad to hear that. Remember, this is a public newsgroup hosted on MS
servers. While some MS employees occasionally post in these newsgroups,
the majority of posters are volunteers providing peer-to-peer support.
The chances of you getting someone with the necessary degree of
expertise in a specialized and demanding field such as computer
forensics are not high.
Good luck,
Malke
--
Elephant Boy Computers
www.elephantboycomputers.com
"Don't Panic!"
MS-MVP Windows - Shell/User

Pavel A.
Guest
Posted: Fri Nov 11, 2005 12:20 am
Post subject: RE: Retrieving Devices From The Registry

"ForensicFrank" wrote:
Quote:
I am a forensic investigator working a case that involves devices attached
to a system. I am looking for some information on the previous registry key
to aid in the investigation.
Then please ask in microsoft.public.development.device.drivers -
it is the only newsgroup here where you can get dirty technical details.
Basically, Windows uses the Enum branch to store configuration
and state data of all installed devices - either connected or not.
When you remove a device, its info persists there because Windows
does not know whether the device will come back or not.
And yes, IMHO this can be used as evidence that a removable disk
was connected to the machine by a forensic investigator :)
Regards,
--PA
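An added example, not from any poster in this thread: a read-only PowerShell script that walks the Enum branch Pavel describes for a chosen control set, lists the bus keys named in the original question, and marks which recorded device instances Windows currently sees. It assumes an elevated session on a Windows 8 / Server 2012 or later host where the PnpDevice module (Get-PnpDevice) is available; entries reported as not present are exactly the persisted records the thread is about.

```powershell
# Added example (not from the thread). Read-only: nothing in the registry is modified.
# Walks HKLM\SYSTEM\<control set>\Enum\<bus> and flags which recorded instances are
# currently present according to Get-PnpDevice (PnpDevice module, Win8+/2012+ assumed).
param(
    [string]$ControlSet = 'CurrentControlSet',     # or 'ControlSet001', 'ControlSet002', ...
    [string[]]$Buses    = @('IDE', 'USB', 'USBSTOR') # bus keys named in the original post
)

function Get-EnumDevices {
    param([string]$ControlSet, [string[]]$Buses)

    # Instance IDs of devices Windows sees right now, e.g. USBSTOR\DISK&VEN_X&PROD_Y\1234&0
    $present = @{}
    Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
        ForEach-Object { $present[$_.InstanceId.ToUpper()] = $true }

    foreach ($bus in $Buses) {
        $busKey = "HKLM:\SYSTEM\$ControlSet\Enum\$bus"
        if (-not (Test-Path $busKey)) { continue }

        # Layout: Enum\<bus>\<device id>\<instance id>; the instance key holds the properties.
        foreach ($dev in Get-ChildItem -Path $busKey -ErrorAction SilentlyContinue) {
            foreach ($inst in Get-ChildItem -Path $dev.PSPath -ErrorAction SilentlyContinue) {
                $props = Get-ItemProperty -Path $inst.PSPath -ErrorAction SilentlyContinue
                $id    = "$bus\$($dev.PSChildName)\$($inst.PSChildName)"
                [pscustomobject]@{
                    Bus          = $bus
                    InstanceId   = $id
                    FriendlyName = $props.FriendlyName
                    DeviceDesc   = $props.DeviceDesc
                    # $false is the case the thread describes: the record persists after the
                    # hardware is gone, so it is evidence of past attachment, not current state.
                    Present      = $present.ContainsKey($id.ToUpper())
                }
            }
        }
    }
}

Get-EnumDevices -ControlSet $ControlSet -Buses $Buses |
    Sort-Object Bus, InstanceId |
    Format-Table Bus, Present, FriendlyName, InstanceId -AutoSize
```

Run it against each ControlSetNNN present under HKLM\SYSTEM rather than only CurrentControlSet, since the control sets can differ; on newer Windows the DeviceDesc value may be an indirect string (@driver.inf,%id%;text) rather than plain text.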