Microsoft USB descriptors or MODS

jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

While looking for other USB related things, I came across these
http://msdn.microsoft.com/en-us/library/windows/hardware/ff537430(v=vs.85).aspx

Devices that support Microsoft OS Descriptors must store a special USB string descriptor in firmware at the fixed string index of 0xEE. This string descriptor is called a Microsoft OS String Descriptor.

When a new device is attached to a computer for the first time, an operating system that supports Microsoft OS Descriptors will request the string descriptor that is at index 0xEE. The Microsoft OS String Descriptor contains an embedded signature field that the operating system uses to differentiate it from other strings that might be at index 0xEE. The presence of a string descriptor that contains the proper signature field at index 0xEE indicates to the operating system that the device supports Microsoft OS Descriptors. The Microsoft OS String Descriptor also provides the operating system with version information.

After the operating system requests a Microsoft OS String Descriptor from a device, it creates the following registry key

HKLM\SYSTEM\CurrentControlSet\Control\UsbFlags\vvvvpppprrrr

The operating system creates a registry entry, named osvc, under this registry key that indicates whether the device supports Microsoft OS Descriptors. If the device does not provide a valid response the first time that the operating system queries it for a Microsoft OS String Descriptor, the operating system will make no further requests for that descriptor.

http://msdn.microsoft.com/en-us/library/windows/hardware/jj649944(v=vs.85).aspx

In the vvvvpppprrrr key,
vvvv is a 4-digit hexadecimal number that identifies the vendor
pppp is a 4-digit hexadecimal number that identifies the product
rrrr is a 4-digit hexadecimal number that contains the revision number of the device.

Which, it seems to me, has not been mentioned on the Forum.

It seemingly can provide - from a forensic standpoint - some info that can be useful to cross-check the contents of more common "USB device connection history" related keys, such as
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR\*

jaclaz

 
Posted : 27/01/2013 4:36 pm
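As an added illustration (my own example code, not something posted in this thread or taken from Microsoft), the following decodes the three artefacts the post describes: the Microsoft OS String Descriptor returned at string index 0xEE, the vvvvpppprrrr subkey name under UsbFlags, and the two-byte osvc value, and then cross-checks UsbFlags entries against Enum\USB instance keys. All sample descriptor bytes, key names and serials are constructed.

```python
# Added example, not code from the thread. Decodes the artefacts described above.
import re

MS_OS_STRING_INDEX = 0xEE          # fixed string index the OS queries once per device
MS_OS_SIGNATURE = "MSFT100"        # signature field of the Microsoft OS String Descriptor

def parse_ms_os_string_descriptor(data: bytes):
    """Parse the 18-byte descriptor a device returns at string index 0xEE.
    Layout: bLength (0x12), bDescriptorType (0x03), qwSignature (7 UTF-16LE
    chars), bMS_VendorCode, bPad. Returns None when 0xEE holds an ordinary
    string with no signature, which is the case the OS must tolerate too."""
    if len(data) < 18 or data[0] != 0x12 or data[1] != 0x03:
        return None
    signature = data[2:16].decode("utf-16-le", errors="replace")
    if signature != MS_OS_SIGNATURE:
        return None
    return {"version": f"{signature[4]}.{signature[5:7]}", "vendor_code": data[16]}

def parse_usbflags_key(name: str):
    """Split a UsbFlags subkey name vvvvpppprrrr into VID, PID and revision."""
    m = re.fullmatch(r"([0-9a-f]{4})([0-9a-f]{4})([0-9a-f]{4})", name, re.IGNORECASE)
    if not m:
        raise ValueError(f"not a vvvvpppprrrr key name: {name!r}")
    vid, pid, rev = (g.upper() for g in m.groups())
    # bcdDevice is binary-coded decimal, so 0110 means device revision 1.10
    return {"vid": vid, "pid": pid, "revision": f"{int(rev[:2], 16)}.{rev[2:]}"}

def interpret_osvc(value: bytes):
    """Interpret the two-byte REG_BINARY osvc value under that key: byte 0 is
    0x01 if the device answered 0xEE with a valid descriptor (0x00 otherwise)
    and byte 1 carries the bMS_VendorCode copied from the descriptor."""
    if len(value) != 2:
        raise ValueError("osvc is expected to be exactly two bytes")
    return {"supports_ms_os_descriptors": value[0] == 0x01, "vendor_code": value[1]}

def cross_check(usbflags: dict, enum_usb_keys: list):
    """Match UsbFlags entries against Enum\\USB\\VID_vvvv&PID_pppp keys (VID/PID
    live there; USBSTOR keys only carry Ven_/Prod_/Rev_ strings). A UsbFlags
    entry with no Enum\\USB counterpart is worth a second look."""
    seen = {k.split("\\")[0].upper() for k in enum_usb_keys}
    rows = []
    for name, osvc in usbflags.items():
        dev = parse_usbflags_key(name)
        dev.update(interpret_osvc(osvc))
        dev["in_enum_usb"] = f"VID_{dev['vid']}&PID_{dev['pid']}" in seen
        rows.append(dev)
    return rows

# Constructed sample data: VIDs, PIDs and serials are made up for this example.
SAMPLE_DESCRIPTOR = bytes([0x12, 0x03]) + "MSFT100".encode("utf-16-le") + bytes([0x04, 0x00])
SAMPLE_USBFLAGS = {"123456780100": b"\x01\x04", "abcdef010200": b"\x00\x00"}
SAMPLE_ENUM_USB = ["VID_1234&PID_5678\\SERIAL0001", "VID_0000&PID_0001\\SERIAL0002"]
```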
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 

We also found this key interesting, but haven't incorporated it into our reporting yet. You may want to check out our list of all the keys we believe are related to USB storage devices, at the bottom of this page

http://ArsenalRecon.com/apps/

If you find any more please give me a heads-up and I'll update the spreadsheet. On a somewhat related note, I haven't found any Microsoft documentation regarding the keys unique to Windows 8 in our list… and suspect we (computer forensics practitioners) may be on our own there!

Mark

 
Posted : 27/01/2013 8:56 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

We also found this key interesting, but haven't incorporated it into our reporting yet. You may want to check out our list of all the keys we believe are related to USB storage devices, at the bottom of this page

http://ArsenalRecon.com/apps/

To be picky (as I am), the MODS start from XP SP1.
Cannot say if it is due to the fact that I don't use "newish" versions of Office and their .xlsx format, but as seen in an earlier Office version (through the MS converter) the spreadsheet lists the MS URLs in the "upper" part OK, while in the second part the opening and closing brackets become %28 and %29.

If you find any more please give me a heads-up and I'll update the spreadsheet.

Will do.
At first glance you are missing a few related to MTP (also the protocol and the WPD class of device is/was there in XP as well), see
http://www.forensicfocus.com/Forums/viewtopic/t=9881
http://www.forensicfocus.com/Forums/viewtopic/p=6563145/#6563145

OT 😯 can you believe, see
http://msdn.microsoft.com/en-us/windows/hardware/gg463179
that someone has "shortened" Bluetooth to "BLUTUTH"?

jaclaz

 
Posted : 27/01/2013 9:48 pm
ArsenalConsulting
(@arsenalconsulting)
Posts: 49
Eminent Member
 

Picky is good! We'll start getting more granular and include service pack levels when we know them.

Thanks for the heads-up on the other keys. Lots of downloads of the spreadsheet, but you are the first person to give us feedback. Much appreciated and we'll have a new version up soon.

 
Posted : 27/01/2013 10:12 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
Topic starter
 

Thanks for the heads-up on the other keys.

No prob. :)
We are trying to learn/expand knowledge.

I haven't double/triple checked the spreadsheet, but there is a list I made some time ago (for another scope)
http://www.msfn.org/board/topic/138563-usb-device-not-recognized/
http://www.msfn.org/board/topic/138563-usb-device-not-recognized/page__view__findpost__p__888222
and in your spreadsheet the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}
is missing.

Idea (quickly tested) but of course only a "starting point".
Run USBDeview on a system
http://www.nirsoft.net/utils/usb_devices_view.html
Run Regmon on it (hitting refresh).
The Regmon log contains all keys accessed by the nice Nirsoft tool (that should be a superset of the ones involved, i.e. some keys in the log might not be strictly connected to USB).
This is the list of the "strange" keys (I mean the ones with IDs within curly brackets) I get running the above on my system (XP SP2):

jaclaz

 
Posted : 28/01/2013 12:06 am