I am trying to work on an analysis that will alert us when someone plugs a USB thumb drive into their PC that isn’t “white-listed”. I found this registry key that has good information about it and so I have written this code:
q: (name of it, last write times of it) of keys whose (name of it as lowercase contains "#storage#volume#" AND name of it as lowercase contains "disk&ven") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" of registry
A: ##?#STORAGE#VOLUME#_??_RIMMPTSK#DISK&VEN_RICOH&PROD_MMCSTORAGE&REV_1.00#SD0001#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Wed, 12 Oct 2011 11:56:14 -0500 )
A: ##?#STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD&REV_6000#12345678901234567890&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Wed, 12 Oct 2011 13:59:56 -0500 )
A: ##?#STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_IRONKEY&PROD_SECURE_DRIVE&REV_2.08#00553839&1#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Thu, 13 Oct 2011 07:55:49 -0500 )
A: ##?#STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_112&REV_PMAP#000AEBFFD790B950E30C0390&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Wed, 12 Oct 2011 13:35:57 -0500 )
A: ##?#STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_104#001E0BB89D745B920D1519D1&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Thu, 13 Oct 2011 07:59:22 -0500 )
T: 1.851 ms
What I'd like is to get it to return only the vendor and the product. So for the last answer, I'd like "Kingston - DTVAULT_PRIVACY". Is this possible? Thanks.
q: (preceding texts of first "&PROD" of it, preceding texts of first "&REV_" of following texts of first "&PROD_" of it) of following texts of firsts "VEN_" of ("##?#STORAGE#VOLUME#_??_RIMMPTSK#DISK&VEN_RICOH&PROD_MMCSTORAGE&REV_1.00#SD0001#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Wed, 12 Oct 2011 11:56:14 -0500 )"; "##?#STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_GENERIC&PROD&REV_6000#12345678901234567890&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Wed, 12 Oct 2011 13:59:56 -0500 )"; "##?#STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_IRONKEY&PROD_SECURE_DRIVE&REV_2.08#00553839&1#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Thu, 13 Oct 2011 07:55:49 -0500 )"; "##?#STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_112&REV_PMAP#000AEBFFD790B950E30C0390&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Wed, 12 Oct 2011 13:35:57 -0500 )"; "##?#STORAGE#VOLUME#_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DTVAULT_PRIVACY&REV_104#001E0BB89D745B920D1519D1&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, ( Thu, 13 Oct 2011 07:59:22 -0500 )")
This is really good, thank you. May I ask how to combine what you have with what I have to make it find the key in the registry and then return the answers you have? I am afraid to admit I’m not very good at this coding stuff. Thanks.
(preceding texts of first "&PROD" of it, preceding texts of first "&REV_" of following texts of first "&PROD_" of it) of following texts of firsts "VEN_" of ((name of it, last write times of it) of keys whose (name of it as lowercase contains "#storage#volume#" AND name of it as lowercase contains "disk&ven") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" of registry)
That is what I had gotten, but I get a response as follows:
q:(preceding texts of first "&PROD" of it, preceding texts of first "&REV_" of following texts of first "&PROD_" of it) of following texts of firsts "VEN_" of ((name of it, last write times of it) of keys whose (name of it as lowercase contains "#storage#volume#" AND name of it as lowercase contains "disk&ven") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" of registry)
q:(preceding texts of first "&PROD" of it, preceding texts of first "&REV_" of following texts of first "&PROD_" of it) of following texts of firsts "VEN_" of (names of keys whose (name of it as lowercase contains "#storage#volume#" AND name of it as lowercase contains "disk&ven") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" of registry)
That seems to do the trick; it apparently doesn't like the "last write times of it" being in there. Thank you.
q:((preceding texts of first "&PROD" of it, preceding texts of first "&REV_" of following texts of first "&PROD_" of it) of following texts of firsts "VEN_" of names of it, last write times of it) of keys whose (name of it as lowercase contains "#storage#volume#" AND name of it as lowercase contains "disk&ven") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}" of registry
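An added example, not posted by anyone in this thread: the same property written with a regular expression, plus a fixlet-style relevance that is True when a USB volume outside a whitelist has been enumerated. The first expression returns "VENDOR - PRODUCT [instance id]" for each USB mass-storage volume under the same DeviceClasses key; the second pulls out only the instance ID (the part after REV_xxx#, which is the device serial with Windows's "&N" suffix) and compares it against a whitelist. The three whitelist values are taken from the output earlier in the thread and are assumed to be the drives you want to allow; the key path is the one used above. Because the regex makes the underscore after PROD optional, the GENERIC entry ("&PROD&REV_6000", which has no "&PROD_" for "first" to find) parses instead of erroring, and with the output above it is the entry that would trigger the second expression. Relevance has no comment syntax, so each expression is explained here rather than inline.

```relevance
(parenthesized part 1 of it & " - " & parenthesized part 2 of it & " [" & parenthesized part 3 of it & "]")
 of matches (regex "#DISK&VEN_([^&#]*)&PROD_?([^&#]*)&REV_?[^#]*#([^#]*)#")
 of names of keys whose (name of it as lowercase contains "_??_usbstor#disk&ven")
 of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
 of registry

exists ((parenthesized part 1 of it)
 of matches (regex "#DISK&VEN_[^&#]*&PROD_?[^&#]*&REV_?[^#]*#([^#]*)#")
 of names of keys whose (name of it as lowercase contains "_??_usbstor#disk&ven")
 of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
 of registry)
 whose (it != "00553839&1" and it != "000AEBFFD790B950E30C0390&0" and it != "001E0BB89D745B920D1519D1&0")
```

Paste each expression into the Fixlet Debugger after "q:" (line breaks are fine), or use the first as an analysis property and the second as the relevance of an alerting fixlet. Two points to keep in mind for the whitelisting goal: filtering on "_??_usbstor#disk&ven" keeps only USB mass-storage volumes, so the RIMMPTSK SD-card reader in the output above drops out; and the VEN_/PROD_ strings come from the device itself, so a reprogrammed device can report any vendor and product it likes, which is why the whitelist here keys on the instance ID rather than on the name. A device with no USB serial number gets a Windows-generated instance ID containing "&" in the middle, so such devices cannot be whitelisted reliably by this method. Finally, DeviceClasses keeps an entry for every volume the machine has ever enumerated, so both expressions report history, not only what is plugged in right now.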