Wireless Driver Info

Hi All,

I'm having an issue with getting wireless manufacturer and driver #. We currently have this analysis in our environment and it works perfectly except for two model laptops, Lenovo T420 and T430’s.

The code is:
if exist ((keys of it) whose(value "DriverDesc" of it as string as lowercase contains "wireless" or it as string as lowercase contains "wifi" or it as string as lowercase contains "centrino") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class{4D36E972-E325-11CE-BFC1-08002BE10318}" of native registry) then ((value "DriverDesc" of it),(value "DriverVersion" of it)) of ((keys of it) whose(value "DriverDesc" of it as string as lowercase contains "wireless" or it as string as lowercase contains "wifi" or it as string as lowercase contains "centrino") of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class{4D36E972-E325-11CE-BFC1-08002BE10318}" of native registry) as string else "N/A"

In the Fixlet debugger it returns the value of “n/a”.

I have verified the values are in the registry. I also split the analysis in two pieces and I can read the manufacturer value and driver version.

Can anyone take a look and see what I am doing wrong?

Thanks

I gave up on trying to pull this kind of information from the registry, and ended up pulling the necessary information from WMI instead. The following are vendor agnostic and exclude all ethernet connections that we’ve found.

Device Name:
string values of selects "DeviceName from Win32_PnPSignedDriver where DeviceClass='Net' and DeviceID like 'PCI%25' and not InfName='netvwifimp.inf' and not DeviceName like '%25Ethernet%25' and not DeviceName like '%25Gigabit%25' and not DeviceName like '%25GBE%25' and not DeviceName like '%25/1000%25' and not DeviceName like '%25GigE%25'" of wmis

DeviceDriverVersion:
string values of selects "DriverVersion from Win32_PnPSignedDriver where DeviceClass='Net' and DeviceID like 'PCI%25' and not InfName='netvwifimp.inf' and not DeviceName like '%25Ethernet%25' and not DeviceName like '%25Gigabit%25' and not DeviceName like '%25GBE%25' and not DeviceName like '%25/1000%25' and not DeviceName like '%25GigE%25'" of wmis

You can also pull other selects like DriverProviderName and DriverDate, but we’ve had less use for these.

While these are pretty straightforward inspections they do use WMI; since WMI queries place a higher load on the endpoint than the lighter registry inspections, and since we don’t expect values to change too dramatically, we typically only pull these types of properties more than once every 7 days.

In terms of relevance, you may need to escape the curly brackets in your query. I’ll do some testing and see what I can come up with.

OK, so using plurality in your statements is definitely needed.

exists instead of exist
keys instead of key
(x86 registries;x64 registries) instead of native registry (sometimes, may not always be applicable, like in this case; this is just general good practice where possible)

Your relevance fails on one of my machines because the key doesn’t exist in my case, so it throws a singular expression error. I changed every singular statement to a plural, and got an N/A result.

Then, you also seem to have a typo in "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class{4D36E972-E325-11CE-BFC1-08002BE10318}

In my registry, this key does exist but you’re missing a slash between class and {4D36etc.

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

Q: exists keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}" of native registry
A: True
T: 0.072 ms
I: singular boolean

Since I don’t have a wireless card on my test machines, I’ve used display instead, but using plurality you could do something like this to simplify the statement:
Q: (values "DriverDesc" of it, values "DriverVersion" of it) of keys of keys whose (value "Class" of it as string as lowercase contains "display") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class" of native registries
A: Intel® HD Graphics, 9.17.10.4459
T: 2.111 ms
I: plural ( registry key value, registry key value )

Simply substitute Wireless or whatever the class type is for Display, and you should be golden. I think this achieves what you were looking for in a simpler, more efficient way.

For network cards, you’d look at subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318} as you were doing at the start of the thread. But instead of grabbing strings out of DriverDesc, I’d suggest filtering on the “*IfType”, “*MediaType”, and “*PhysicalMediaType” values instead.

See https://msdn.microsoft.com/en-us/library/windows/desktop/aa814491(v=vs.85).aspx for the definitions.

I don’t have any wireless cards handy to check, but it looks like these are the values that should define any type of network card in Windows (includes ability to distinguish Ethernet, ATM, Token-Ring, WiFi, WiMAX, etc.)

Thanks for all of the help. I modified the relevance slightly with plurals, it still didn’t make a difference and I'm not that familiar with WMI. Here is the code:

if exists ((keys of it) whose(value "AdapterModel" of it as string as lowercase contains "wireless" or it as string as lowercase contains "wifi" or it as string as lowercase contains "centrino") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class{4D36E972-E325-11CE-BFC1-08002BE10318}" of native registries) then ((value "AdapterModel" of it),(value "DriverVersion" of it)) of ((keys of it) whose(value "DriverDesc" of it as string as lowercase contains "wireless" or it as string as lowercase contains "wifi" or it as string as lowercase contains "centrino") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class{4D36E972-E325-11CE-BFC1-08002BE10318}" of native registries) as string else "N/A"

There is still a typo in this string where a slash is missing between \Class and {4D3. Should be

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}" of native registries

Strange, when I copy and paste it into the reply it goes away.

You should be using bbcode “code” tags to wrap your relevance statements.

\{
{

Same string typed into the reply, but the forum interprets the latter as html code, thus removing the \ prior to the {.

That being said, I would recommend reviewing the other suggestions beyond just plurality to find the necessary data.

As I posted before, try to retrieve the Interface type, Media type, and Physical Media Types to figure out what is wireless instead of looking in the string descriptions. Run the following in an Analysis and let me know what the results look like for some of your wireless devices and how they differ from your wired connections.

q: (values "DriverVersion" of it, values "DriverDesc" of it, values "*IfType" of it, values "*MediaType" of it, values "*PhysicalMediaType" of it) of keys whose (true) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" of native registry
A: 10.0.14393.0, Microsoft Kernel Debug Network Adapter, 6, 0, 14
A: 12.15.22.6, Intel(R) 82579LM Gigabit Network Connection, 6, 0, 14
A: 17.2.1.0, Broadcom NetXtreme Gigabit Ethernet, 6, 0, 0
A: 10.0.14393.0, WAN Miniport (SSTP), 131, 12, 0
A: 10.0.14393.0, WAN Miniport (IKEv2), 131, 12, 0
A: 10.0.14393.0, WAN Miniport (L2TP), 131, 12, 0
A: 10.0.14393.0, WAN Miniport (PPTP), 131, 12, 0
A: 10.0.14393.0, WAN Miniport (PPPOE), 23, 12, 0
A: 10.0.14393.0, WAN Miniport (IP), 6, 0, 0
A: 10.0.14393.0, WAN Miniport (IPv6), 6, 0, 0
A: 10.0.14393.0, WAN Miniport (Network Monitor), 6, 0, 0
T: 11.400 ms
I: plural ( registry key value, registry key value, registry key value, registry key value, registry key value )

We’ll use the values to filter later.

Great, thanks for the help. Here is the output:

6.1.7601.17514, WAN Miniport (SSTP), 131, 12, 0
6.1.7601.17514, WAN Miniport (IKEv2), 131, 12, 0
6.1.7601.17514, WAN Miniport (L2TP), 131, 12, 0
6.1.7601.17514, WAN Miniport (PPTP), 131, 12, 0
6.1.7601.17514, WAN Miniport (PPPOE), 23, 12, 0
6.1.7601.17514, WAN Miniport (IPv6), 6, 0, 0
12.15.31.4, Intel® 82579LM Gigabit Network Connection, 6, 0, 14
6.1.7601.17514, WAN Miniport (IP), 6, 0, 0
6.1.7600.16385, Microsoft ISATAP Adapter, 131, 15, 0
15.17.0.1, Intel® Centrino® Advanced-N 6205, 71, 16, 9
6.1.7601.23863, Bluetooth Device (Personal Area Network), 6, 0, 10
6.1.7600.16385, Microsoft ISATAP Adapter, 131, 15, 0
6.1.7600.16385, Microsoft ISATAP Adapter, 131, 15, 0
6.1.7600.16385, Microsoft ISATAP Adapter, 131, 15, 0
6.1.7600.16385, Microsoft ISATAP Adapter, 131, 15, 0
6.1.7600.16385, Microsoft Virtual WiFi Miniport Adapter, 71, 16, 9
6.1.7600.16385, Microsoft Virtual WiFi Miniport Adapter, 71, 16, 9

Evaluation time: 1.583 ms

If someone can assist me getting the following info from this relevance, that would be great.

"DriverDesc", "DriverVersion"
Intel® Centrino® Advanced-N 6205,15.17.0.1

thanks again
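
Added example (not written by any participant in this thread): one way to turn the `*IfType` / `*PhysicalMediaType` filtering idea above into the DriverDesc and DriverVersion result requested in the last post. The codes 71 and 9 are the values shown for the Centrino adapter in the posted output (IF_TYPE_IEEE80211 and NdisPhysicalMediumNative802_11). The Microsoft Virtual WiFi Miniport rows report the same codes, so the example excludes them by an `InfPath` of `netvwifimp.inf`, which is an assumption carried over from the `InfName` filter in the WMI query earlier in the thread.

```relevance
/* Added example: physical 802.11 adapters only. The InfPath exclusion is an assumption. */
(values "DriverDesc" of it, values "DriverVersion" of it) of keys whose (
    exists values "*IfType" whose (it as string = "71") of it
    and exists values "*PhysicalMediaType" whose (it as string = "9") of it
    and not exists values "InfPath" whose (it as string as lowercase = "netvwifimp.inf") of it
) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" of native registry
```

Because every inspector here is plural, an endpoint with no matching adapter returns no result rather than a singular expression error.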