|
Hi All,
I am attempting to retrieve USB Usage History using VB.NET. I am using VS 2012.
The following block of code lists this entry.
Dim RegKey As RegistryKey = Registry.LocalMachine.OpenSubKey("SYSTEM\CurrentControlSet\Enum\USBSTOR\", False)
Dim str1 As String
For Each subKeyName As String In RegKey.GetSubKeyNames()
Dim tempKey As RegistryKey = RegKey.OpenSubKey(subKeyName)
Debug.Print("USBSTORE KEY: " & subKeyName & RegKey.GetValue(subKeyName, "").ToString())
Debug.Print(" -----------")
For Each NxtSubKeyName As String In tempKey.GetSubKeyNames()
Dim tempKey1 As RegistryKey = tempKey.OpenSubKey(NxtSubKeyName)
Debug.Print("USBSTOR SUBKEY: " & NxtSubKeyName.ToString() & " Value Count: " & tempKey1.ValueCount.ToString())
For Each valueName As String In tempKey1.GetValueNames()
Debug.Print(valueName & ": " & tempKey1.GetValue(valueName).ToString())
Next
Next
Next
My code produces this output:
USBSTORE KEY: Disk&Ven_SanDisk&Prod_Cruzer&Rev_1100
-----------
USBSTOR SUBKEY: SDXX1005181106121551&0 Value Count: 12
DeviceDesc: @disk.inf,%disk_devdesc%;Disk drive
Capabilities: 16
HardwareID: System.String[]
CompatibleIDs: System.String[]
ContainerID: {2471d8a3-e22c-5a5e-8b09-f0bb7616119d}
ConfigFlags: 0
ClassGUID: {4d36e967-e325-11ce-bfc1-08002be10318}
Driver: {4d36e967-e325-11ce-bfc1-08002be10318}\0010
Class: DiskDrive
Mfg: @disk.inf,%genmanufacturer%;(Standard disk drives)
Service: disk
FriendlyName: SanDisk Cruzer USB Device
But when I export this registry entry to a text file, I get the following results:
Obviously we see much more information in the exported data. Why is there so much more info here and how can I get my VB program to access this information?
I am trying to write some code to obtain USB Usage History.
Thanks for any help,
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1100
Class Name: <NO CLASS>
Last Write Time: 1/17/2013 - 2:51 PM
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1100\SDXX1005181106121551&0
Class Name: <NO CLASS>
Last Write Time: 1/17/2013 - 2:51 PM
Value 0
Name: DeviceDesc
Type: REG_SZ
Data: @disk.inf,%disk_devdesc%;Disk drive
Value 1
Name: Capabilities
Type: REG_DWORD
Data: 0x10
Value 2
Name: HardwareID
Type: REG_MULTI_SZ
Data: USBSTOR\DiskSanDisk_Cruzer__________1100
USBSTOR\DiskSanDisk_Cruzer__________
USBSTOR\DiskSanDisk_
USBSTOR\SanDisk_Cruzer__________1
SanDisk_Cruzer__________1
USBSTOR\GenDisk
GenDisk
Value 3
Name: CompatibleIDs
Type: REG_MULTI_SZ
Data: USBSTOR\Disk
USBSTOR\RAW
Value 4
Name: ContainerID
Type: REG_SZ
Data: {2471d8a3-e22c-5a5e-8b09-f0bb7616119d}
Value 5
Name: ConfigFlags
Type: REG_DWORD
Data: 0
Value 6
Name: ClassGUID
Type: REG_SZ
Data: {4d36e967-e325-11ce-bfc1-08002be10318}
Value 7
Name: Driver
Type: REG_SZ
Data: {4d36e967-e325-11ce-bfc1-08002be10318}\0010
Value 8
Name: Class
Type: REG_SZ
Data: DiskDrive
Value 9
Name: Mfg
Type: REG_SZ
Data: @disk.inf,%genmanufacturer%;(Standard disk drives)
Value 10
Name: Service
Type: REG_SZ
Data: disk
Value 11
Name: FriendlyName
Type: REG_SZ
Data: SanDisk Cruzer USB Device
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1100\SDXX1005181106121551&0\Device Parameters
Class Name: <NO CLASS>
Last Write Time: 1/17/2013 - 2:51 PM
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1100\SDXX1005181106121551&0\Device Parameters\MediaChangeNotification
Class Name: <NO CLASS>
Last Write Time: 9/5/2011 - 8:07 PM
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1100\SDXX1005181106121551&0\Device Parameters\Partmgr
Class Name: <NO CLASS>
Last Write Time: 9/5/2011 - 8:07 PM
Value 0
Name: Attributes
Type: REG_DWORD
Data: 0
Value 1
Name: DiskId
Type: REG_SZ
Data: {00af4242-d76c-11e0-8169-0024e8e34876}
Key Name: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USBSTOR\Disk&Ven_SanDisk&Prod_Cruzer&Rev_1100\SDXX1005181106121551&0\LogConf
Class Name: <NO CLASS>
Last Write Time: 1/17/2013 - 2:51 PM
|
|
|
|
|
Looks like you are only reading one level down - your sub-key has further sub-keys.
Suggestion - use recursion to get at all the info.
HTH
Happiness will never come to those who fail to appreciate what they already have. -Anon
|
|
|
|
|
Your code is essentially correct but what you haven't done is to read the type of data stored in each name-value pair so that the correct cast can be applied.
The raw data obtained from GetValue(valueName) is typed as Object and the ToString() conversion gives a correct representation in most cases, the exceptions being when the actual type is an array (REG_BINARY, REG_MULTI_SZ)
The technique is read the type via GetValueKind(valueName) and then apply a cast to the Object returned from GetValue(valueName) . The incomplete method below shows the basics and in your case formatting the values ready for display should be done in the gaps left as "do something appropriate".
Private Sub InterpretValue(rawValue as Object, interpretAsType as RegistryValueKind)
Select Case interpretAsType
Case RegistryValueKind.Binary
Dim byteArray As Byte() = DirectCast(rawValue, Byte())
Exit Select
Case RegistryValueKind.DWord
Dim signedValue32 As Integer = DirectCast(rawValue, Integer)
Exit Select
Case RegistryValueKind.QWord
Dim signedValue64 As Long = DirectCast(rawValue, Long)
Exit Select
Case RegistryValueKind.Unknown, RegistryValueKind.String, RegistryValueKind.ExpandString
Dim stringValue as String = rawValue.ToString()
Exit Select
Case RegistryValueKind.MultiString
Dim stringArray As String() = TryCast(rawValue, String())
Exit Select
End Select
End Sub
|
|
|
|
|
Thanks for the explanations. I understand that I should be considering the data type. I can change my code accordingly. But what about the "Last Write Time" information that is displayed in the exported text data for these keys? How can I access that? My goal is to capture the History of each USB device that was used in the system, with dates and times. I'm assuming that the Last Write Time on the exported text will give me this information, but I don't see how my code, even with the data type considerations, will access that.
Thanks,
|
|
|
|
|