Problem with QueryDosDevices

NTDEV
1

Sorry for the repost but my first subject line didn’t seem to attract
any interest…

I have a situation where I need to restrict software installation to a
USB device manufactured by a specific vendor. To do this, I need to
determine if the device mounted at a given drive letter has a specific
USB vendor ID. My attempts to date have relied mainly on the
QueryDosDevices () API to determine which devices are currently attached
to the system and then doing some rather intricate registry scanning to
connect the dots between installed USB devices, drive letters, and USB
vendor IDs. However, I’m finding that QueryDosDevices () does not
always return all of the information that I need to do this. It appears
that in some situations key information about installed devices is
missing from the QueryDosDevices () results.

So for my questions…

  1. Is there some known problem with QueryDosDevices () that would cause
    unpredictable results from that call and if so is there a fix for it?
  2. Is QueryDosDevices () reliable enough for what I’m trying to do?
  3. Is there some other way to determine if a USB device plugged in at a
    given drive letter is manufactured by a specific vendor, without using a
    driver or requiring administrative rights to make the determination?

I’d appreciate any help with this issue. For more information on my
current method, please see the description below.

Thanks,
Mark A. Green
Sr. Software Engineer
encryptX Corporation

Current method (for 2K/XP all SPs):

  1. Gather USB information…
    a) Scan the registry’s HKLM\System\CurrentControlSet\Enum\USB key for
    all subkeys that contain the desired USB vendor ID.
    b) Under each of these subkeys, enumerate the subkeys which are
    serial numbers of the devices with those vendor IDs.
    c) Under each of the serial number subkeys, look for a ParentIDPrefix
    value and store its data.

  2. Gather USBSTOR information…
    a) Use QueryDosDevices () to get a list of all devices currently
    attached to the system.
    b) Scan those results for all device keys that contain USBSTOR.
    c) Check the USBSTOR keys for ones that contain either the device
    serial number or the ParentIDPrefix for one of the USB devices found in
    the USB information above.
    d) For those USBSTOR keys that match, look in the key for another
    ParentIDPrefix value (different from the one in the USB key) and store
    its data.

  3. Check MountedDevices for drive letters…
    a) Scan the registry’s HKLM\System\MountedDevices key for values with
    names of the form \DosDevices\F: (for example).
    b) For each of these values, read the data and check to see if the
    data contains the ParentIDPrefix from one of the USBSTOR keys in found
    in the previous step.
    c) If the ParentIDPrefix matches, then that drive letter contains a
    currently mounted device that is manufactured by the desired vendor.

NOTE: My current difficulty is that on some system configurations the
QueryDosDevices () call does not return any USBSTOR keys even when USB
devices are attached to the system. Without these keys I need some
other method of determining if there are USB devices currently attached.
I’m unable to scan the USBSTOR section of the registry as that section
contains keys for all devices that have ever been attached and not just
the ones currently attached.

Again thanks for any help you can provide.

2

At a glance sounds like you need to use the SetupAPI and config manager
(CM_) API’s (great fun ;)) instead of the registry.

Unless that’s how you are enumerating the device’s already…
But you made it sound like you’re walking the enum key manually.
Using the APIs gives you more information…

For example, As a starter… When you are walking devices to tell whether
if its there you call CM_Get_Devnode_Status() and check if result isn’t
CR_NO_SUCH_DEVINST. (if its not “not there” its there :D)

BR,

Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark Green
Sent: 22 November 2004 16:44
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem with QueryDosDevices

Sorry for the repost but my first subject line didn’t seem to attract
any interest…

I have a situation where I need to restrict software installation to a
USB device manufactured by a specific vendor. To do this, I need to
determine if the device mounted at a given drive letter has a specific
USB vendor ID. My attempts to date have relied mainly on the
QueryDosDevices () API to determine which devices are currently attached
to the system and then doing some rather intricate registry scanning to
connect the dots between installed USB devices, drive letters, and USB
vendor IDs. However, I’m finding that QueryDosDevices () does not
always return all of the information that I need to do this. It appears
that in some situations key information about installed devices is
missing from the QueryDosDevices () results.

So for my questions…

  1. Is there some known problem with QueryDosDevices () that would cause
    unpredictable results from that call and if so is there a fix for it?
  2. Is QueryDosDevices () reliable enough for what I’m trying to do?
  3. Is there some other way to determine if a USB device plugged in at a
    given drive letter is manufactured by a specific vendor, without using a
    driver or requiring administrative rights to make the determination?

I’d appreciate any help with this issue. For more information on my
current method, please see the description below.

Thanks,
Mark A. Green
Sr. Software Engineer
encryptX Corporation

Current method (for 2K/XP all SPs):

  1. Gather USB information…
    a) Scan the registry’s HKLM\System\CurrentControlSet\Enum\USB key for
    all subkeys that contain the desired USB vendor ID.
    b) Under each of these subkeys, enumerate the subkeys which are
    serial numbers of the devices with those vendor IDs.
    c) Under each of the serial number subkeys, look for a ParentIDPrefix
    value and store its data.

  2. Gather USBSTOR information…
    a) Use QueryDosDevices () to get a list of all devices currently
    attached to the system.
    b) Scan those results for all device keys that contain USBSTOR.
    c) Check the USBSTOR keys for ones that contain either the device
    serial number or the ParentIDPrefix for one of the USB devices found in
    the USB information above.
    d) For those USBSTOR keys that match, look in the key for another
    ParentIDPrefix value (different from the one in the USB key) and store
    its data.

  3. Check MountedDevices for drive letters…
    a) Scan the registry’s HKLM\System\MountedDevices key for values with
    names of the form \DosDevices\F: (for example).
    b) For each of these values, read the data and check to see if the
    data contains the ParentIDPrefix from one of the USBSTOR keys in found
    in the previous step.
    c) If the ParentIDPrefix matches, then that drive letter contains a
    currently mounted device that is manufactured by the desired vendor.

NOTE: My current difficulty is that on some system configurations the
QueryDosDevices () call does not return any USBSTOR keys even when USB
devices are attached to the system. Without these keys I need some
other method of determining if there are USB devices currently attached.
I’m unable to scan the USBSTOR section of the registry as that section
contains keys for all devices that have ever been attached and not just
the ones currently attached.

Again thanks for any help you can provide.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

3

The proper way to “subvert” administrator rights in this situation is to
have a service. The application talks to the service and the service talks
to the device driver. This way, the service can have local administrative
rights without giving those rights to the current user.

Jamey

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark Green
Sent: Monday, November 22, 2004 8:44 AM
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem with QueryDosDevices

Sorry for the repost but my first subject line didn’t seem to attract
any interest…

I have a situation where I need to restrict software installation to a
USB device manufactured by a specific vendor. To do this, I need to
determine if the device mounted at a given drive letter has a specific
USB vendor ID. My attempts to date have relied mainly on the
QueryDosDevices () API to determine which devices are currently attached
to the system and then doing some rather intricate registry scanning to
connect the dots between installed USB devices, drive letters, and USB
vendor IDs. However, I’m finding that QueryDosDevices () does not
always return all of the information that I need to do this. It appears
that in some situations key information about installed devices is
missing from the QueryDosDevices () results.

So for my questions…

  1. Is there some known problem with QueryDosDevices () that would cause
    unpredictable results from that call and if so is there a fix for it?
  2. Is QueryDosDevices () reliable enough for what I’m trying to do?
  3. Is there some other way to determine if a USB device plugged in at a
    given drive letter is manufactured by a specific vendor, without using a
    driver or requiring administrative rights to make the determination?

I’d appreciate any help with this issue. For more information on my
current method, please see the description below.

Thanks,
Mark A. Green
Sr. Software Engineer
encryptX Corporation

Current method (for 2K/XP all SPs):

  1. Gather USB information…
    a) Scan the registry’s HKLM\System\CurrentControlSet\Enum\USB key for
    all subkeys that contain the desired USB vendor ID.
    b) Under each of these subkeys, enumerate the subkeys which are
    serial numbers of the devices with those vendor IDs.
    c) Under each of the serial number subkeys, look for a ParentIDPrefix
    value and store its data.

  2. Gather USBSTOR information…
    a) Use QueryDosDevices () to get a list of all devices currently
    attached to the system.
    b) Scan those results for all device keys that contain USBSTOR.
    c) Check the USBSTOR keys for ones that contain either the device
    serial number or the ParentIDPrefix for one of the USB devices found in
    the USB information above.
    d) For those USBSTOR keys that match, look in the key for another
    ParentIDPrefix value (different from the one in the USB key) and store
    its data.

  3. Check MountedDevices for drive letters…
    a) Scan the registry’s HKLM\System\MountedDevices key for values with
    names of the form \DosDevices\F: (for example).
    b) For each of these values, read the data and check to see if the
    data contains the ParentIDPrefix from one of the USBSTOR keys in found
    in the previous step.
    c) If the ParentIDPrefix matches, then that drive letter contains a
    currently mounted device that is manufactured by the desired vendor.

NOTE: My current difficulty is that on some system configurations the
QueryDosDevices () call does not return any USBSTOR keys even when USB
devices are attached to the system. Without these keys I need some
other method of determining if there are USB devices currently attached.
I’m unable to scan the USBSTOR section of the registry as that section
contains keys for all devices that have ever been attached and not just
the ones currently attached.

Again thanks for any help you can provide.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

4

Thanks for the input Rob and Jamey,

The SetupDi/CM API gets me what I want and works for both admin and
non-admin users.

I still have one question though. With the SetupDi API, I can get a
symbolic device name for the USB device attached to the system. How do I
convert that symbolic name to its currently mapped drive letter?

Thanks again,
Mark A. Green
Sr. Software Engineer
encryptX Corporation

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Rob Linegar
Sent: Monday, November 22, 2004 10:14 AM
To: Windows System Software Devs Interest List
Subject: RE: [ntdev] Problem with QueryDosDevices

At a glance sounds like you need to use the SetupAPI and config manager
(CM_) API’s (great fun ;)) instead of the registry.

Unless that’s how you are enumerating the device’s already…
But you made it sound like you’re walking the enum key manually.
Using the APIs gives you more information…

For example, As a starter… When you are walking devices to tell whether
if its there you call CM_Get_Devnode_Status() and check if result isn’t
CR_NO_SUCH_DEVINST. (if its not “not there” its there :D)

BR,

Rob Linegar
Software Engineer
Data Encryption Systems Limited
www.des.co.uk | www.deslock.com

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com] On Behalf Of Mark Green
Sent: 22 November 2004 16:44
To: Windows System Software Devs Interest List
Subject: [ntdev] Problem with QueryDosDevices

Sorry for the repost but my first subject line didn’t seem to attract
any interest…

I have a situation where I need to restrict software installation to a
USB device manufactured by a specific vendor. To do this, I need to
determine if the device mounted at a given drive letter has a specific
USB vendor ID. My attempts to date have relied mainly on the
QueryDosDevices () API to determine which devices are currently attached
to the system and then doing some rather intricate registry scanning to
connect the dots between installed USB devices, drive letters, and USB
vendor IDs. However, I’m finding that QueryDosDevices () does not
always return all of the information that I need to do this. It appears
that in some situations key information about installed devices is
missing from the QueryDosDevices () results.

So for my questions…

  1. Is there some known problem with QueryDosDevices () that would cause
    unpredictable results from that call and if so is there a fix for it?
  2. Is QueryDosDevices () reliable enough for what I’m trying to do?
  3. Is there some other way to determine if a USB device plugged in at a
    given drive letter is manufactured by a specific vendor, without using a
    driver or requiring administrative rights to make the determination?

I’d appreciate any help with this issue. For more information on my
current method, please see the description below.

Thanks,
Mark A. Green
Sr. Software Engineer
encryptX Corporation

Current method (for 2K/XP all SPs):

  1. Gather USB information…
    a) Scan the registry’s HKLM\System\CurrentControlSet\Enum\USB key for
    all subkeys that contain the desired USB vendor ID.
    b) Under each of these subkeys, enumerate the subkeys which are
    serial numbers of the devices with those vendor IDs.
    c) Under each of the serial number subkeys, look for a ParentIDPrefix
    value and store its data.

  2. Gather USBSTOR information…
    a) Use QueryDosDevices () to get a list of all devices currently
    attached to the system.
    b) Scan those results for all device keys that contain USBSTOR.
    c) Check the USBSTOR keys for ones that contain either the device
    serial number or the ParentIDPrefix for one of the USB devices found in
    the USB information above.
    d) For those USBSTOR keys that match, look in the key for another
    ParentIDPrefix value (different from the one in the USB key) and store
    its data.

  3. Check MountedDevices for drive letters…
    a) Scan the registry’s HKLM\System\MountedDevices key for values with
    names of the form \DosDevices\F: (for example).
    b) For each of these values, read the data and check to see if the
    data contains the ParentIDPrefix from one of the USBSTOR keys in found
    in the previous step.
    c) If the ParentIDPrefix matches, then that drive letter contains a
    currently mounted device that is manufactured by the desired vendor.

NOTE: My current difficulty is that on some system configurations the
QueryDosDevices () call does not return any USBSTOR keys even when USB
devices are attached to the system. Without these keys I need some
other method of determining if there are USB devices currently attached.
I’m unable to scan the USBSTOR section of the registry as that section
contains keys for all devices that have ever been attached and not just
the ones currently attached.

Again thanks for any help you can provide.

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument:
‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com

Questions? First check the Kernel Driver FAQ at
http://www.osronline.com/article.cfm?id=256

You are currently subscribed to ntdev as: unknown lmsubst tag argument: ‘’
To unsubscribe send a blank email to xxxxx@lists.osr.com