What is the "Correct" way of blocking external usb connection (flash drive, WPD, etc) in 7+?

@Oleksandr said:

@brad_H said:

@Dejan_Maksimovic said:
True :slight_smile:
But it has to have drivers present already. So you still don't need to
filter unknown classes.

Remember the USB stick that has a keyboard device ID? Think around that,
and you have a product.

I apologize in advance for rookie questions, as I am still learning, but I have three of them:

  1. Considering that there is a USB class {36fc9e60-c465-11cf-8056-444553540000} and also a USBDevice class {88bae032-5a81-49f0-bc3d-a4ff138216d6}, what is their difference, and also why can't I just monitor every USB device by registering as an UpperFilter for the USB class? Aren't all USB devices, no matter what they do (printer, mouse, webcam, etc.), in the end USB devices, so that an UpperFilter for the USB class should catch them all? If not, why?

  2. Is my understanding correct that when you connect a USB device, the Windows USB bus driver will detect the connection and create a corresponding PDO for that new device, so that even if a malicious USB device registers itself as something it's not, for example an Ethernet adapter or keyboard (instead of what it actually is, which is a USB flash drive), it's limited to the functionality of that class, right? I mean if it registers only as a keyboard, then it surely cannot act as a flash drive, right?!

  3. Is my understanding correct that when you connect a new USB device, Windows will search for the corresponding driver file in its driver store based on the device ID, so a malicious USB device cannot load arbitrary drivers for its functionality, and Windows will only load approved drivers from reliable sources and will not load a driver that is sent to it from the USB device, right?

Sorry it got way too long. Would you mind recommending me a book or a blog post that delves into these topics? None of the Windows kernel programming material that I found goes into these topics in detail, so I can't understand the "big picture" of how all of these are connected to each other…

Hi, I'm also having this issue. Any progress on this topic?

Unfortunately no :frowning:

But I am very sure (not 100%) that the answer to the third question is true. Windows will only load approved drivers (WHQL signed) from its driver store when a USB device is connected, and if none is found, from Microsoft online sources, and it loads the driver based on that device ID, so it's not possible to make a malicious USB device that loads a malicious driver. But the experts here can correct me if I'm wrong.
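As an added illustration of the first question (this is not code from anyone in the thread), the following PowerShell audit lists every present device that hangs off the USB bus and shows which setup class it actually belongs to, so you can see how few of them carry the "USB" class GUID that a class-level UpperFilter would be attached to. It assumes Windows 10 or later with the built-in PnpDevice module (Get-PnpDevice, Get-PnpDeviceProperty) and read access to HKLM; the function names are my own.

```powershell
# Added example, not from the thread. Audits which setup class each USB-attached
# device belongs to and which class-level / device-level upper filters apply.
$UsbClass       = '{36fc9e60-c465-11cf-8056-444553540000}'  # setup class "USB" (controllers, hubs, composite parents)
$UsbDeviceClass = '{88bae032-5a81-49f0-bc3d-a4ff138216d6}'  # setup class "USBDevice" (WinUSB-style devices)

# Class-level UpperFilters live under the class key in the registry, so a filter
# registered there only sees devices whose ClassGuid matches that key.
function Get-ClassUpperFilters {
    param([string]$ClassGuid)
    $key = "HKLM:\SYSTEM\CurrentControlSet\Control\Class\$ClassGuid"
    (Get-ItemProperty -Path $key -Name UpperFilters -ErrorAction SilentlyContinue).UpperFilters
}

# A device counts as USB-attached if it, or any ancestor in the PnP tree, was
# enumerated by the USB bus driver (instance path starting with USB\).
function Test-UsbAttached {
    param([string]$InstanceId)
    $id = $InstanceId
    for ($depth = 0; $depth -lt 8 -and $id; $depth++) {
        if ($id -like 'USB\*') { return $true }
        $id = (Get-PnpDeviceProperty -InstanceId $id -KeyName 'DEVPKEY_Device_Parent' `
               -ErrorAction SilentlyContinue).Data
    }
    return $false
}

$report = foreach ($dev in (Get-PnpDevice -PresentOnly)) {
    if (-not (Test-UsbAttached $dev.InstanceId)) { continue }
    $devFilters = (Get-PnpDeviceProperty -InstanceId $dev.InstanceId `
                   -KeyName 'DEVPKEY_Device_UpperFilters' -ErrorAction SilentlyContinue).Data
    [pscustomobject]@{
        InstanceId           = $dev.InstanceId
        SetupClass           = $dev.Class          # e.g. USB, USBDevice, DiskDrive, HIDClass, Keyboard
        ClassGuid            = $dev.ClassGuid
        SeenByUsbClassFilter = ($dev.ClassGuid -eq $UsbClass)        # only these reach a USB-class UpperFilter
        IsUsbDeviceClass     = ($dev.ClassGuid -eq $UsbDeviceClass)
        ClassUpperFilters    = ((Get-ClassUpperFilters $dev.ClassGuid) -join ',')
        DeviceUpperFilters   = ($devFilters -join ',')
    }
}

$report | Sort-Object SetupClass, InstanceId | Format-Table -AutoSize
```

On a typical machine a flash drive shows its USB\VID_...&PID_... parent in the USB class but its USBSTOR disk child in DiskDrive, and a USB keyboard's HID and Keyboard children are likewise outside the USB class, which is why a USB-class filter alone does not see the functional devices.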