I was just working on this and I thought I would share it with everyone…
One customer asked about getting the serial numbers of USB Storage Devices… Based on some quick research, I came up with:
following texts of lasts “” of preceding texts of lasts “&” of string values whose (it as lowercase starts with “usbstor”) of selects “PNPDeviceID FROM Win32_DiskDrive” of wmi
I tested this on XP and Vista for 3 different drives (old, sorta new, very new) and it seemed to work well in these cases, but I recommend you test in your own environments.
Additionally, if you were looking to compare the last few digits of the serial number to see if they were in a specific range, (like maybe check if the last 6 digits were between 910000 and 920000) you could do something like this:
q: (it > 910000 AND it < 920000) of (last 6 of it as integer) of following texts of lasts “” of preceding texts of lasts “&” of string values whose (it as lowercase starts with “usbstor”) of selects “PNPDeviceID FROM Win32_DiskDrive” of wmi
A: True
I’m trying to allow only certain serial numbers be able to use usb storage. I would like to know if these devices with the allowed serial numbers have been plugged in to a computer…
q: value “0” of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum” of registry as string contains(“2GE2DXSB”)
A: True
q: value “1” of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum” of registry as string contains “6&1162fe8f&0&00071”
A: False
q: value “0” of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum” of registry as string contains(“2GE2DXSB”) OR value “1” of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum” of registry as string contains “6&1162fe8f&0&00071”
A: True
of course it would be too much if i have to write down everything…
i’m trying to make it this way: if usbport1 or usbport2 or usbport3 or usbport4 contains specifiedsn1 or specifiedsn2 or speficiedsn3,… specifiedsn50, then change the start value to 3 (i already changed the value to 4).
is it possible to do it? anyone has any other method? i realized it’s not an effective one …thanks…
You might try this to adjust your relevance to make it easier to add numbers:
“;6&1162fe8f&0&00071;2GE2DXSB;” contains ((";" & it & “;” ) of concatenation “;” of (it as string) of values of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\USBSTOR\Enum” of registry)
Since not all USB Mass Storage device have hard coded serial numbers, they all do have hard coded and unique deivce IDs. This device ID also matches with the registry key name. By using this technique, you are able to report on a connected device verus just the history.
Here is the relevance code for a connected USB and the associated device id
If (exists string values whose (it as lowercase starts with “usbstor”) of selects “PNPDeviceID from Win32_DiskDrive” of wmi)
Then ((((if exists string value of property “Model” of it then string value of property “Model” of it else “n/a”), (if exists string value of property “PNPDeviceID” of it then (following texts of lasts “” of preceding texts of lasts “&” of string values whose (it as lowercase starts with “usbstor”) of property “PNPDeviceID” of it) else “n/a”)) of (select objects “Model,PNPDeviceID from Win32_DiskDrive” of wmi)) as string)
Else (“No USB Storage Devices Connected”)
I broke it apart so you can see the different pieces working.
Additionally – here is the corresponding relevance for pulling the Historical Connected USB devices
if (exists key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR” of registry) then ((if exists value “FriendlyName” of it then (value “FriendlyName” of it as string) else “”) & " – " & (if exists name of it then (preceding text of lasts “&” of name of it as string) else “”)) of keys of keys of key “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR” of registry else “None”
I have also found that by using the Device ID – I can also pull information about Apple iPod/iPhone devices to shutdown the USB port (not “real-time”, small delay) and prevant automatic application launches.
…thanks…