Checking USB status

(imported topic written by tim7ad91)

I’m writing an analysis property to show the start type of a driver service. These are services that are of type 1 (System: Loaded by I/O subsystem. Specifies that the driver is loaded at kernel initialization).

The services inspector does not work (that I can tell) for these drivers (.sys types). For example, if I wanted the start type of the service “USBSTOR”, I normally would write:

start type of service "USBStor"

but that will not work.

So, I have to go to the registry. The relevance here does something similar with some error handling added.

:USBSTOR Driver Start Value

q:If (exists value "Start" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" of registry) Then (IF ((value "Start" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" of registry) <= 4)Then (Preceding texts of first ";" of (following texts of first (value "Start" of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR" of registry as string & "=") of ("0=Boot;1=System;2=Auto;3=Manual;4=Disabled;"))) else "Invalid") else "Missing"

The questions are:

  1. Are my assumptions correct in that there isn’t a “service” inspector to handle hardware driver related services?
  2. Is the code above the most efficient, simplest way to approach it? It seems like I had to use my registry key path too many times, but couldn’t find a way to eliminate them with “it” or “whose/it”.

FYI… I had to repeat the code for all “external” storage devices… cdrom, flpydisk, sfloppy & usbstor

Thanks,
Tim

(imported comment written by BenKus)

Hey Tim,

This is pretty good… I think you figured everything out nicely.

To answer your questions:

  1. Yes. I think you are correct. Our services inspector lists the same as the “services” dialog, which doesn’t seem to include these hardware driver related services.

  2. Your expression seems fine to me… It probably is possible to reduce by eliminating some of the error checking, but it is probably best the way it is.

Ben

(imported comment written by tim7ad91)

Thanks Ben. I implemented it and it works well.
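
The registry check from the first post, run once over all four storage drivers it lists, as an added PowerShell example (not code from the thread or from the product's own inspectors). The function name `Get-DriverStartType` is hypothetical; the service names, key path and Start-value mapping are the ones given in the thread.

```powershell
# Added example: report the Start type of each storage driver service,
# with the same "Missing" / "Invalid" handling as the relevance expression.
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Auto'; 3 = 'Manual'; 4 = 'Disabled' }
$drivers    = 'cdrom', 'flpydisk', 'sfloppy', 'usbstor'
$base       = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-DriverStartType {
    param([string]$Name)

    $key = Join-Path $base $Name

    # A missing key and a missing "Start" value both report "Missing".
    $props = Get-ItemProperty -Path $key -Name 'Start' -ErrorAction SilentlyContinue
    if ($null -eq $props) { return 'Missing' }

    $start = $props.Start

    # Start is expected to be a REG_DWORD in 0..4; anything else is "Invalid".
    if ($start -is [int] -and $startNames.ContainsKey($start)) {
        return $startNames[$start]
    }
    return 'Invalid'
}

# One row per driver, so the key path is written once instead of per device.
$drivers | ForEach-Object {
    [pscustomobject]@{ Driver = $_; StartType = Get-DriverStartType -Name $_ }
}
```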