(imported topic written by tim7ad91)
I’m writing an analysis property to show the start type of a driver service. These are services that are of type 1 (System: Loaded by I/O subsystem. Specifies that the driver is loaded at kernel initialization).
The services inspector does not work (that I can tell) for these drivers (.sys types). For example, if I wanted the start type of the service “USBSTOR” I normally would write:
start type of service "USBStor"
but that will not work.
So, I have to go to the registry. The relevance here does something similar with some error handling added.
:USBSTOR Driver Start Value
q: if (exists value "Start" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" of registry) then (if ((value "Start" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" of registry) <= 4) then (preceding texts of first ";" of (following texts of first (value "Start" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" of registry as string & "=") of ("0=Boot;1=System;2=Auto;3=Manual;4=Disabled;"))) else "Invalid") else "Missing"
The questions are:
- Are my assumptions correct in that there isn’t a “service” inspector to handle hardware driver related services?
- Is the code above the most efficient, simplest way to approach it? It seems like I had to use my registry key path too many times, but couldn’t find a way to eliminate them with “it” or “whose/it”.
FYI… I had to repeat the code for all “external” storage devices… cdrom, flpydisk, sfloppy & usbstor
Thanks,
Tim
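
One way to drop the repeated key path, as an added example that is not part of the original post: take the Services key once, filter its subkeys down to the four storage drivers named above, and refer to each subkey as `it`. A driver whose key does not exist produces no row here, rather than "Missing".

```relevance
q: /* added example: one row per storage driver key that exists */ (name of it, (if (exists value "Start" of it) then (if (value "Start" of it as integer <= 4) then (preceding text of first ";" of following text of first ((value "Start" of it as string) & "=") of "0=Boot;1=System;2=Auto;3=Manual;4=Disabled;") else "Invalid") else "Missing")) of keys whose (name of it as lowercase = "cdrom" or name of it as lowercase = "flpydisk" or name of it as lowercase = "sfloppy" or name of it as lowercase = "usbstor") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services" of registry
```

Each result is a pair of driver key name and decoded start type, so a single property covers all four drivers and makes any that are not set to Disabled easy to spot.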