Wireless Module Driver Version Relevancy

Hello,
I am trying to create a relevance for a custom patch.

There are Dell wireless modules in Windows laptops that require patching. Security has flagged any device below a specific driver version. Not all laptops are below this version; some have already been remediated.
We are trying to create a relevancy for identifying those wireless modules that are less than v 20.70.16.4.
We have been trying to use the registry as part of this relevancy. It’s not necessary that we do so; it was just the only place we could find the data we were looking for.

The farthest we’ve gotten is a clause that outputs the current version of the wireless module.
For reference, “HKLM\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}” contains all network interfaces (software/hardware) on a Windows system.
The values are self-explanatory.

We need to identify wireless network interfaces with model containing 8260 OR 8265, AND have a driver version less than 20.70.16.4, as a true/false statement. We would then use this to

(value "DriverVersion" of it of keys whose ((value "AdapterModel" of it as string as lowercase contains "wireless")) of key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" of registry)

Can someone assist with what I’m missing?

Is there an easier way of doing this?

This is a bit of a fun challenge.
The first thing to note is that each network driver has its own distinct key beneath "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" - beneath that key you’ll have subkeys named \0001, \0002, \0003, etc.

To find those, I’d start by retrieving the path of each subkey:

Q: pathnames of keys of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" of registry
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0000
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0002
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0003
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0004
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0005
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0006
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0007
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0008
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0009
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0010
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0011
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0012
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0013
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0014
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0015
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0016
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\Configuration

…and, not every entry beneath that is an actual network card - some are “WAN miniport drivers” for example. My system probably has more keys than most because I’ve done a lot of virtualization and VPN work on this machine.

Barring some edge case, the way I’ve looked for “real” network cards in the past is that the \0001 or \0002 key has a subkey “Ndi\Params” beneath it. So I start looking for network cards by filtering to only those child keys that have the Ndi\Params key beneath them -

Q: pathnames of keys whose (exists keys "Ndi\Params" of it) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" of registry
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0001
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0002
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0003
A: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}\0015

Since you already know you’re looking for specific AdapterModel and DriverVersion values, let’s pull those up for reference. I’m going to stop displaying the “pathname” of the key, and just display the name of the key, to make the output a little bit shorter as well:

Q: (name of it, value "AdapterModel" of it, value "DriverVersion" of it) of keys whose (exists keys "Ndi\Params" of it) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" of registry
E: Singular expression refers to nonexistent object.

Oops, we get an error. What this means is that at least one of my keys does not have an “AdapterModel” or “DriverVersion” value. We can work around that by using the pipe operator "|" to give a default result if the object we are trying to retrieve does not exist. Because the left and right side of the pipe have to be the same type, I also have to cast the registry values ‘as string’.

Q: (name of it, value "AdapterModel" of it as string | "none", value "DriverVersion" of it as string | "none") of keys whose (exists keys "Ndi\Params" of it) of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" of registry
A: 0001, none, 3.0.1.4
A: 0002, Intel(R) Wireless-AC 9560 160MHz, 22.80.1.1
A: 0003, none, 12.18.9.11
A: 0015, none, 5.0.0.26

It turns out on my machine, only one of my interfaces has an AdapterModel value.

For a fixlet relevance, in your case you’d want to filter for keys where all of these conditions are met:

  • key “Ndi\Params” exists
  • value “AdapterModel” contains “8260” or “8265”
  • value “DriverVersion” is less than version “20.70.16.4”

In my testing I substituted in my own network settings and I think this relevance should work for you:

exists keys whose (exists keys "Ndi\Params" of it and (value "AdapterModel" of it as string contains "8260" or value "AdapterModel" of it as string contains "8265") and value "DriverVersion" of it as string as version < "20.70.16.4") of keys "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}" of registry
6 Likes
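
Added example (not part of the thread, and not the answer author's code): a PowerShell cross-check of the three conditions listed in the answer, for confirming on an endpoint that the relevance reports the right result. The function name `Test-AdapterNeedsPatch` and the sample rows are assumptions made for this illustration; the registry path, model numbers and version threshold are the ones from the thread.

```powershell
# Added example: cross-check of the relevance logic outside BigFix.
$ClassKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}'
$FixedVersion = [version]'20.70.16.4'

# Hypothetical helper: true only when the model matches and the driver is older than the threshold.
function Test-AdapterNeedsPatch {
    param([string]$AdapterModel, [string]$DriverVersion)

    # A missing or malformed DriverVersion never matches, instead of raising an error
    # (the same problem the "| none" default solves in the relevance).
    $parsed = $null
    if (-not [version]::TryParse($DriverVersion, [ref]$parsed)) { return $false }

    # AdapterModel must contain 8260 or 8265.
    if ($AdapterModel -notmatch '8260|8265') { return $false }

    # Field-by-field numeric comparison, the equivalent of "as version" in the relevance.
    return ($parsed -lt $FixedVersion)
}

# Constructed sample rows (not real inventory data).
$samples = @(
    @{ Model = 'Intel(R) Dual Band Wireless-AC 8265'; Version = '20.70.9.1'  }  # old driver; a plain string compare would miss it
    @{ Model = 'Intel(R) Dual Band Wireless-AC 8265'; Version = '20.70.16.4' }  # already at the threshold
    @{ Model = 'Intel(R) Wireless-AC 9560 160MHz';    Version = '22.80.1.1'  }  # different model
    @{ Model = 'none';                                Version = '3.0.1.4'    }  # key without an AdapterModel value
)
foreach ($s in $samples) {
    '{0,-38} {1,-11} -> {2}' -f $s.Model, $s.Version, (Test-AdapterNeedsPatch $s.Model $s.Version)
}

# Live check: apply the same filter to the real registry on this machine.
# Subkeys that cannot be read are skipped rather than aborting the check.
$hits = Get-ChildItem -LiteralPath $ClassKey -ErrorAction SilentlyContinue |
    Where-Object { $null -ne $_.OpenSubKey('Ndi\Params') } |
    Where-Object {
        Test-AdapterNeedsPatch ([string]$_.GetValue('AdapterModel')) ([string]$_.GetValue('DriverVersion'))
    }

# $true when this machine should also evaluate the Fixlet relevance as true.
[bool]$hits
```

Only the first sample row should report True. If the live result disagrees with what the Fixlet Debugger returns on the same machine, compare the AdapterModel and DriverVersion values of the keys that have Ndi\Params.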

Thank you so much for this!
It works exactly as needed.

1 Like