Ideal USB Thumb Response kit

15 Posts
7 Users
0 Reactions
1,087 Views
az_gcfa
(@az_gcfa)
Estimable Member
Joined: 19 years ago
Posts: 116
 

Skip - I suggest that you obtain a registry monitoring program and experiment for yourself for several reasons. One, you build confidence in your own abilities, and two, you will experience some of the technical issues and create solutions for them.

Yes and Yes/No

When you obtain your own answer to your previous questions, I think you will see the light and be able to answer your own question.

Give a man a fish and he can eat today. Teach the man how to fish and he will be able to eat his whole life.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> When you use a Thumb drive doesn't it change the contents of the Reg and Main Memory?

Yes, it does. Of course, *anything* you do on a live system is going to change memory. Changes to the Registry caused by inserting a USB thumb drive have been well-documented.

> Does each Thumb Drive have a unique Reg key?

Perhaps.

> If the system you are responding to, or executing CF on, was
> compromised/abused by an individual using the same brand (make and
> model) of pen drive, then how could you tell if the contents of the Reg
> and Main Memory are from your Thumb drive or the malicious one?

If the model of thumb drive you're using doesn't have a serial number, that will be an issue. There is a way to tell…based on the LastWrite time of the key containing the serial number or "unique" identifier generated by the PnP Manager (if the device does not have a serial number). That, and the contents of the setupapi.log file.


 skip
(@skip)
Trusted Member
Joined: 20 years ago
Posts: 57
 

Ah…

example….

#-019 Searching for hardware ID(s): usbstor\disklexar___jumpdrive_secure1000,usbstor\disklexar___jumpdrive_secure,usbstor\disklexar___,usbstor\lexar___jumpdrive_secure1,lexar___jumpdrive_secure1,usbstor\gendisk,gendisk
#-018 Searching for compatible ID(s): usbstor\disk,usbstor\raw
#-198 Command line processed: C:\WINDOWS\system32\services.exe
#I022 Found "GenDisk" in C:\WINDOWS\inf\disk.inf; Device: "Disk drive"; Driver: "Disk drive"; Provider: "Microsoft"; Mfg: "(Standard disk drives)"; Section name: "disk_install".
#I023 Actual install section: [disk_install.NT]. Rank: 0x00000006. Effective driver date: 07/01/2001.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [disk_install] in "c:\windows\inf\disk.inf".
#I320 Class GUID of device remains: {4D36E967-E325-11CE-BFC1-08002BE10318}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-166 Device install function: DIF_INSTALLDEVICEFILES.
#I124 Doing copy-only install of "USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE_SECURE&REV_1000\302AC707095120151104&0".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [disk_install.NT.Interfaces] from "c:\windows\inf\disk.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE_SECURE&REV_1000\302AC707095120151104&0".
#I121 Device install of "USBSTOR\DISK&VEN_LEXAR&PROD_JUMPDRIVE_SECURE&REV_1000\302AC707095120151104&0" finished successfully.
[2006/05/23 16:22:46 688.13 Driver Install]

It would seem as if this thumbdrive is
\302AC707095120151104&0
I suppose you may drop the &0 at the end or the \3 or \30 or \302A

When you say

"unique" identifier generated by the PnP Manager

Does that mean it would be different for every system…or every version of windows OS?
Interesting…but I can't see it being a problem unless the PnP Manager uses some sorta random seed.

Now…this is neat. As I was writing this I started searching my HD for this C707095120151104 (and you can leave on the 32A0 but drop the &0).
And the string showed up in this file
C:\Windows\PcHealth\HelpCtr\DataColl\CollectedData_2256.xml
and some iterations of that like 2766 and 2826 and so on.
And in that file was the Reg Key entry.
In that xml file it is interesting to look at all the things tagged with <keyvalue>

And some of that is found in the registry under the KeyFolder(is there such a term…) called DeviceClasses

It would seem that the OS (through the helpctr.exe program) needs/likes to register things so it can remember what used the bus/device. That makes me think that everything, when plugged into the motherboard directly or indirectly, gets "fingerprinted" for the sake of support..?..

Hum…I wonder what the odds were that if a system had been used/abused for malicious purposes, then dismantled, could you, through trial and error and careful examination of the results of the HelpCtr.exe and the setupapi log and others, reconstruct the exact system?
With all the peripherals and memory "stix" and usb devices…etc…?

Furthermore, if you had a destroyed HD, could you say these pieces of HD came from that computer (dismantled or not)…or at least were used in that computer from time X to time Y?

I'm just full of questions today.
lol
)
Have a great day and thanks for the info.
Skip
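As an added example (not code from anyone in this thread), a Python parser over a constructed setupapi.log excerpt modelled on the one Skip posted: it pulls the USBSTOR instance ID apart into vendor, product, revision and serial, applies the second-character-'&' heuristic to tell a real serial from a PnP-Manager-generated identifier (the no-serial case keydet89 raises), records the section timestamp for each device, and reports whether two drives of the same make and model can be told apart by serial at all. Assumptions: the bracketed "Driver Install" line opens each log section, and the second device, its instance ID and both timestamps are constructed.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional
# Constructed sample in the style of the XP-era setupapi.log quoted above. Assumption: the bracketed
# "[date time pid.seq Driver Install]" line opens a section and so timestamps the install lines below
# it. Device 1 is the Lexar ID from the post; device 2 is a made-up same-model drive with no serial.
SAMPLE_LOG = """\
[2006/05/23 16:22:46 688.13 Driver Install]
#I121 Device install of "USBSTOR\\DISK&VEN_LEXAR&PROD_JUMPDRIVE_SECURE&REV_1000\\302AC707095120151104&0" finished successfully.
[2006/05/24 09:05:11 688.14 Driver Install]
#I121 Device install of "USBSTOR\\DISK&VEN_LEXAR&PROD_JUMPDRIVE_SECURE&REV_1000\\6&2a1b3c4d&0" finished successfully.
"""

DEVICE_RE = re.compile(r'"USBSTOR\\DISK&VEN_(?P<ven>[^&]*)&PROD_(?P<prod>[^&]*)'
                       r'&REV_(?P<rev>[^\\]*)\\(?P<inst>[^"]+)"')
SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ Driver Install\]")

@dataclass
class UsbStorDevice:
    vendor: str
    product: str
    revision: str
    instance_id: str
    serial: Optional[str]        # None when Windows generated the instance ID
    first_install: Optional[str]

def split_instance_id(inst: str) -> Optional[str]:
    """Serial from a USBSTOR instance ID, or None when the PnP Manager generated the ID."""
    if len(inst) > 1 and inst[1] == "&":   # Windows-generated IDs look like '6&2a1b3c4d&0'
        return None
    return inst.rsplit("&", 1)[0]          # real serial: drop the trailing '&<port>' ('&0')

def parse_setupapi(text: str) -> Dict[str, UsbStorDevice]:
    """Map each distinct USBSTOR instance ID to its fields and first-seen install time."""
    devices, current_ts = {}, None
    for line in text.splitlines():
        sec = SECTION_RE.match(line)
        m = DEVICE_RE.search(line)
        if sec:
            current_ts = sec.group(1)
        elif m and m["inst"] not in devices:
            devices[m["inst"]] = UsbStorDevice(m["ven"], m["prod"], m["rev"], m["inst"],
                                               split_instance_id(m["inst"]), current_ts)
    return devices

def distinguishable_by_serial(devices: Dict[str, UsbStorDevice], vendor: str, product: str) -> bool:
    """True only if every drive of this make/model has a distinct real serial; else fall back to timing."""
    serials = [d.serial for d in devices.values() if d.vendor == vendor and d.product == product]
    return bool(serials) and None not in serials and len(set(serials)) == len(serials)
```

When the answer is False, the analyst has only timing to go on: the LastWrite time of the USBSTOR subkey and the section timestamps in the log, which is exactly the fallback keydet89 describes.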


deckard
(@deckard)
Trusted Member
Joined: 20 years ago
Posts: 77
Topic starter  

ask a simple question..and lots of good comes of it


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

yeah, no kidding. Particularly the "lol" part…


Page 2 / 2