Retrieving Devices From The Registry


Guest

I am trying to narrow down some information from the Windows registry on how
Windows deals with connected hardware.

Under HKLM/System/ControlSetxxx/Enum Windows lists a number of keys (e.g.
IDE, USB, USBSTOR); under each of these there are devices listed (e.g. under IDE
you have IDE drives listed). What I am trying to find out is how Windows deals
with these keys.

I see some drives listed under IDE (e.g. CD Drives) that I have not
connected to this machine at any time.

Anyone who can shed some light on this part of the registry and how it is
dealt with, I would look forward to reading it.

Thanks
 
Any particular reason you are editing devices using the system registry?
You can make serious mistakes.
 
Dennis,

I am a forensic investigator working a case that involves devices attached
to a system. I am looking for some information on the previous registry key
to aid in the investigation.

Thanks
 
ForensicFrank said:
Dennis,

I am a forensic investigator working a case that involves devices
attached to a system. I am looking for some information on the
previous registry key to aid in the investigation.

In this case, you should contact Microsoft tech support directly or
consult another professional forensic investigator. If you make a
mistake, your client's case will be compromised. This is not something
you should be troubleshooting in a newsgroup. When you contact
Microsoft, ask to speak to someone higher up in the support tier.

Malke
 
Malke

Just to clarify, this is just one piece of many...it was posted here looking
to find some answers. I will be contacting Microsoft but thought I would ask.

Thanks for your concern
 
ForensicFrank said:
Malke

Just to clarify, this is just one piece of many...it was posted here
looking to find some answers. I will be contacting Microsoft but
thought I would ask.

Glad to hear that. Remember, this is a public newsgroup hosted on MS
servers. While some MS employees occasionally post in these newsgroups,
the majority of posters are volunteers providing peer-to-peer support.
The chances of you getting someone with the necessary degree of
expertise in a specialized and demanding field such as computer
forensics are not high.

Good luck,

Malke
 
ForensicFrank said:
I am a forensic investigator working a case that involves devices attached
to a system. I am looking for some information on the previous registry key
to aid in the investigation.

Then please ask in microsoft.public.development.device.drivers -
it is the only newsgroup here where you can get dirty technical details.

Basically, Windows uses the Enum branch to store configuration
and state data of all installed devices - either connected or not.
When you remove a device, its info persists there because Windows
does not know whether the device will come back or not.

And yes, IMHO this can be used as evidence that a removable disk
was connected to the machine by a forensic investigator :)

Regards,
--PA
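As an added example (not code from the thread or from any poster), here is a PowerShell script that walks the Enum\USBSTOR and Enum\IDE branches PA describes and lists every persisted device instance with its FriendlyName and the instance key's last-write time. The RegQueryInfoKey wrapper, the function names and the USBSTOR/IDE defaults are my own choices; it assumes an elevated session on a live Windows system.

```powershell
# Added example: enumerate device instances persisted under HKLM\SYSTEM\CurrentControlSet\Enum.
# An instance key stays behind after the device is unplugged (the thread's point), so the
# listing is a history of devices seen by this installation, not of devices currently attached.
# Assumes an elevated PowerShell session (read access to the Enum branch).
Add-Type -Namespace Forensics -Name RegNative -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
    IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen, IntPtr lpcValues,
    IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen, IntPtr lpcbSecurityDescriptor,
    out long lpftLastWriteTime);
'@

# Registry key last-write time is not exposed by Get-ItemProperty, so query it natively.
# It is only the time the key was last modified: a bound on activity, not proof of a connection.
function Get-RegKeyLastWriteUtc([Microsoft.Win32.RegistryKey]$Key) {
    $ft = [int64]0
    $z = [IntPtr]::Zero
    $rc = [Forensics.RegNative]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(),
        $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft)
    if ($rc -ne 0) { return $null }
    [DateTime]::FromFileTimeUtc($ft)
}

function Get-EnumDeviceHistory {
    param([string[]]$Bus = @('USBSTOR', 'IDE'))   # the bus keys discussed in the thread
    $hklm = [Microsoft.Win32.Registry]::LocalMachine
    foreach ($b in $Bus) {
        $busKey = $hklm.OpenSubKey("SYSTEM\CurrentControlSet\Enum\$b")
        if (-not $busKey) { continue }
        foreach ($devName in $busKey.GetSubKeyNames()) {      # e.g. Disk&Ven_...&Prod_...&Rev_...
            $devKey = $busKey.OpenSubKey($devName)
            foreach ($inst in $devKey.GetSubKeyNames()) {     # instance id, often the serial number
                $instKey = $devKey.OpenSubKey($inst)
                [pscustomobject]@{
                    Bus             = $b
                    DeviceId        = $devName
                    InstanceId      = $inst
                    FriendlyName    = $instKey.GetValue('FriendlyName')
                    KeyLastWriteUtc = Get-RegKeyLastWriteUtc $instKey
                }
                $instKey.Close()
            }
            $devKey.Close()
        }
        $busKey.Close()
    }
}

Get-EnumDeviceHistory | Sort-Object KeyLastWriteUtc | Format-Table -AutoSize
```

For casework, run this against a forensic copy of the SYSTEM hive with an offline hive tool rather than on the evidence machine; the live run above is for understanding the key layout.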
 
Some months ago, while surfing the web, I stumbled across a web site which was
describing forensic software that can read Windows disks (including NTFS.)
You may want to check in to that possibility.
 