NIC Binding Order by Name

(imported topic written by MrFixit)

So here is one that I could use some help on from the experts.

I’m looking to create an analysis to report the NIC binding order for our multi-nic servers.

What I have is relevance that will give the GUIDs for the NICs and I know how to pull the name given the NIC, but I can’t quite get them married together.

q: substrings between "%00" of unique values of (values "Bind" of key "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Tcpip\Linkage" of registry as string)

A: \Device\{AE38A82D-0FFB-426E-B228-A6EA8E38AB9A}

A: \Device\{F91BE466-978E-4130-A5C0-33FE931872DA}

A: \Device\{DCF09FCB-6F64-4205-82AA-A74891CB86F8}

A: \Device\NdisWanIp

q: (values "Name" of key "HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{DCF09FCB-6F64-4205-82AA-A74891CB86F8}\Connection" of registry)

A: disablethisnic

(imported comment written by BenKus)

Hi MrFixit,

I can help you out with your involved relevance query… but before that, I think there might be an easier way… Have you ever tried using the “connection of network” inspector? To get the data I think you want, it will look like this:

q: (names of it, guids of it, device names of it) of connections of network
A: Bluetooth Network Connection 2, {E21E9FC4-1854-491E-B590-A11CAFCDFB9E}, Bluetooth Device (Personal Area Network) #2
A: Local Area Connection, {6C3BFDD4-AA08-4CC5-9343-7CE8EFF032A8}, Broadcom NetXtreme 57xx Gigabit Controller
A: Wireless Network Connection, {0CC742C8-E821-420F-8C7D-003319990FC0}, Intel® PRO/Wireless 3945ABG Network Connection
A: Network Connect Adapter, {5AF8E750-3B9B-4139-A681-BD22B0458490}, Juniper Network Connect Virtual Adapter
A: 3G Connection, {0FD7ACBF-8102-4BDA-8B39-9C9C51E7D922}, Conexant HDA D110 MDC V.92 Modem

(imported comment written by MrFixit)

Boy did I overlook that one. This is what resulted on my test system. The list doesn’t match the bind order but it did list all of the NICs of interest.

q: (names of it, guids of it, device names of it) of connections of network

A: Public, {FFF68672-A5DD-4E3D-8CE0-37BBCEBDC722}, HP NC7782 Gigabit Server Adapter

A: Backup, {AE38A82D-0FFB-426E-B228-A6EA8E38AB9A}, HP NC7782 Gigabit Server Adapter #2

A: disablethisnic, {DCF09FCB-6F64-4205-82AA-A74891CB86F8}, HP NC7170 Dual Gigabit Server Adapter

A: disable, {F91BE466-978E-4130-A5C0-33FE931872DA}, HP NC7170 Dual Gigabit Server Adapter #2

And using it I can do the following:

q: name of connection whose (guid of it = "{AE38A82D-0FFB-426E-B228-A6EA8E38AB9A}") of network

A: Backup

but I get “A singular expression is required” when I use the bind values in the whose statement. Probably an issue with the {} too.

I also have been able to clean up the GUIDs from the Bind order reg key. But then I noticed that the values were not accurate. NdisWanIp should not be the 4th entry.

Here is the value from the registry:

\Device\{FFF68672-A5DD-4E3D-8CE0-37BBCEBDC722}

\Device\{AE38A82D-0FFB-426E-B228-A6EA8E38AB9A}

\Device\{F91BE466-978E-4130-A5C0-33FE931872DA}

\Device\{DCF09FCB-6F64-4205-82AA-A74891CB86F8}

\Device\NdisWanIp

q: (following texts of firsts "\Device\" of substrings between "%00" of unique values of (values "Bind" of key "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Tcpip\Linkage" of registry as string))

A: {AE38A82D-0FFB-426E-B228-A6EA8E38AB9A}

A: {F91BE466-978E-4130-A5C0-33FE931872DA}

A: {DCF09FCB-6F64-4205-82AA-A74891CB86F8}

A: NdisWanIp

(imported comment written by Lee Wei)

I have an old statement that I believe will return the adapters in the binding order.

Can you please give this a try?

q: (description of it as string & (if (name of it as right trimmed string=("{" & (following text of first "{" of preceding text of first "}" of (value "Bind" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage" of registry as string)) & "}")) then " (Primary)" else "") & " (" & address of it as string & ")") of adapters of network
A: Broadcom NetXtreme 57xx Gigabit Controller - Packet Scheduler Miniport (192.168.1.103)
A: Intel(R) PRO/Wireless 3945ABG Network Connection - Packet Scheduler Miniport (0.0.0.0)
A: VMware Virtual Ethernet Adapter for VMnet8 (192.168.233.1)
A: VMware Virtual Ethernet Adapter for VMnet1 (192.168.142.1)

(imported comment written by MrFixit)

Thanks Ben and Lee.

With your help I have come up with the following which meets my immediate need.

q: (name of it as string & (if (name of it as right trimmed string=("{" & (following text of first "{" of preceding text of first "}" of (value "Bind" of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage" of registry as string)) & "}")) then " (Primary)" else "") & " (" & device name of it as string & ")") of connections of network

A: Public (HP NC7782 Gigabit Server Adapter)

A: Backup (HP NC7782 Gigabit Server Adapter #2)

A: disablethisnic (HP NC7170 Dual Gigabit Server Adapter)

A: disable (HP NC7170 Dual Gigabit Server Adapter #2)

(imported comment written by MrFixit)

OK. It turns out that what looked to be a solution was not one at all. 2 issues with it. It doesn’t work on Win2K nor does it really represent the NIC bind order. So I’m back at it now that I have some time. And I’m trying to avoid the inspectors that don’t work on Win2K.

The following relevance does accurately return the guid for the NICs in Bind order. We rename all of our NICs with names like Public, Backup, Heartbeat and so forth so I need to actually change the guid list to a name list such as:

Public

Backup

Heartbeat

(following texts of firsts "\Device\" of (substrings separated by "%00" of concatenation of (if (it = character 0) then "%00" else it) of characters of (values "Bind" of key "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Tcpip\Linkage" of registry as string)))

A: {FFF68672-A5DD-4E3D-8CE0-37BBCEBDC722}

A: {AE38A82D-0FFB-426E-B228-A6EA8E38AB9A}

A: {DCF09FCB-6F64-4205-82AA-A74891CB86F8}

A: {F91BE466-978E-4130-A5C0-33FE931872DA}

I’ve been able to mix the above relevance in with another registry lookup that gives me the name of that NIC that belongs to that GUID, but I always seem to get stuck with an error like the one below since the embedded relevance has plural results.

Here is one of those attempts

q: (values "Name" of it) of (keys (("HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\") & ((following text of firsts "\Device\" of (substrings separated by "%00" of concatenation of (if (it = character 0) then "%00" else it) of characters of (values "Bind" of key "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Tcpip\Linkage" of registry as string))) of registry) & "\Connection") of registry)

A: Public

E: Singular expression refers to non-unique object.

My head really gets spinning when I start reading other examples of IT and tuples.

(imported comment written by BenKus)

Since you are iterating through so many pieces of the registry, it is hard to keep your parentheses, "it"s, and everything else in order… The trick is that you have a complicated expression, but every time you iterate across keys you need to use an “it”, which can be confusing to put in the right place…

Try this:

((values "Name" of it) of keys (("HKEY_LOCAL_MACHINE\system\ControlSet001\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\" & it & "\Connection") of (following texts of firsts "\Device\" of (substrings separated by "%00" of concatenation of (if (it = character 0) then "%00" else it) of characters of (values "Bind" of key "HKEY_LOCAL_MACHINE\system\CurrentControlSet\Services\Tcpip\Linkage" of registry as string)))) of registry)

Ben
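
The same join done in a script, as an added example that is not part of the original thread: it decodes the Bind multi-string, keeps its order, and looks up each GUID's connection name, leaving non-GUID entries such as NdisWanIp unnamed. The function names are hypothetical, the sample data is constructed from the values quoted above, and `read_live` (Windows only) assumes CurrentControlSet for both lookups.

```python
import re

# \Device\{GUID} entries in Tcpip\Linkage "Bind"; others (NdisWanIp) carry no GUID.
GUID_RE = re.compile(r"^\\Device\\(\{[0-9A-Fa-f-]{36}\})$")
NET_CLASS = "{4D36E972-E325-11CE-BFC1-08002BE10318}"  # class key used in the thread

def parse_multi_sz(raw):
    # Raw REG_MULTI_SZ data: UTF-16LE strings, NUL-separated, extra NUL at the end.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def bind_order_names(bind_entries, name_by_guid):
    # Keep registry order; entries with no GUID or no known name map to None.
    lookup = {g.upper(): n for g, n in name_by_guid.items()}
    result = []
    for entry in bind_entries:
        m = GUID_RE.match(entry)
        result.append((entry, lookup.get(m.group(1).upper()) if m else None))
    return result

def read_live():
    # Windows only: read Bind and each adapter's Connection\Name from the registry.
    import winreg
    root, base = winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet"
    with winreg.OpenKey(root, base + r"\Services\Tcpip\Linkage") as key:
        bind, _ = winreg.QueryValueEx(key, "Bind")  # REG_MULTI_SZ arrives as a list
    names = {}
    for m in filter(None, map(GUID_RE.match, bind)):
        path = "\\".join([base, "Control", "Network", NET_CLASS, m.group(1), "Connection"])
        try:
            with winreg.OpenKey(root, path) as key:
                names[m.group(1)], _ = winreg.QueryValueEx(key, "Name")
        except OSError:
            pass  # adapter without a Connection key
    return bind_order_names(bind, names)

# Constructed sample: GUIDs in Bind order, with the names reported in the thread.
SAMPLE_NAMES = {
    "{FFF68672-A5DD-4E3D-8CE0-37BBCEBDC722}": "Public",
    "{AE38A82D-0FFB-426E-B228-A6EA8E38AB9A}": "Backup",
    "{F91BE466-978E-4130-A5C0-33FE931872DA}": "disable",
    "{DCF09FCB-6F64-4205-82AA-A74891CB86F8}": "disablethisnic",
}
SAMPLE_ENTRIES = [f"\\Device\\{g}" for g in SAMPLE_NAMES] + ["\\Device\\NdisWanIp"]
SAMPLE_RAW = ("\x00".join(SAMPLE_ENTRIES) + "\x00\x00").encode("utf-16-le")

if __name__ == "__main__":
    for entry, name in bind_order_names(parse_multi_sz(SAMPLE_RAW), SAMPLE_NAMES):
        print(name or f"(no connection name: {entry})")
```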

(imported comment written by MrFixit)

Ben - Initially that looks great… and you responded too quickly to it.

I was spending so much time just trying to understand what Brolly was trying to say in http://forum.bigfix.com/viewtopic.php?id=965 and other threads that were trying to do something that looked similar.

What are the tricks of the trade? I’ve tried using the different views possible in the relevance debugger and I’ve gleaned what I can from various examples in the forum but when it comes to these complicated ones I still often resort to a script to do the job.

thanks

-Gary