C # System application to obtain USB usage records via the registry (i)

This article is a series of system applications for the "PC History removal Software" project.
The previous features of how to clear the history of Internet Explorer, get Windows recent access to file records, clear the Recycle Bin, and so on. What I need to do now is to delete the USB flash drive, mobile phone, mobile hard drive and other records. I really feel that there is very little information in this regard. This article first mainly describes the use of the registry to obtain USB usage records, we hope to help.

I. Basic knowledge of the registry

The Registry (registry) is an important database in Windows systems that stores information about applications, users, and systems. The registry is structured like a tree. The top node of the tree (hive) cannot be added, modified, or deleted. As shown in the top-level node of the Windows registry:

(1). HKEY_CURRENT_USER: Contains user configuration information that is currently logged on to Windows
(2). HKEY_USERS: Contains configuration information for all users of the computer
(3). HKEY_LOCAL_MACHINE: Contains configuration information related to the computer, regardless of whether the user is logged on
(4). HKEY_CLASSES_ROOT: Contains information that associates file types with programs and COM component configuration data
(5). Hkey_current_config: Contains the hardware profile used by the local computer when it starts.
See Baidu Encyclopedia

Two. Simple use of the registry in C #

in front " C # System application of IE browser record and address bar input URL "In this article I have simply used the information to get the address bar through the registry and display it." Here's a way to get to the content method used by the registry. The main code is as follows:

?

12345678910111213

//定义注册表顶级节点 其命名空间是using Microsoft.Win32;  RegistryKey historykey;;  //检索当前用户CurrentUser子项Software\\Microsoft\\Internet Explorer\\typedURLshistorykey = Registry.CurrentUser.OpenSubKey("Software\\Microsoft\\Internet Explorer\\typedURLs", true);  if (historykey != null)  {          //获取检索的所有值          String[] names = historykey.GetValueNames();          foreach (String str in names)          {          listBox1.Items.Add(historykey.GetValue(str).ToString());          }  }

among them, RegistryKey class (MSDN) represents the top-level node in the registry, which is a registry encapsulation. Registry Class (MSDN) provides an RegistryKey object that represents the root entry in the Windows registry and provides access to the item/value. The common values are as follows for the registry top node content.

The above code gets the Internet Explorer address bar the nearest input URL corresponding to the registry tree path is:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
Retrieves the specified subkey through the OpenSubKey function in Registry.currentuser (HKEY_CURRENT_USER) and specifies whether write access is applied to the item. Finally through the GetValueNames () Gets all the values retrieved. Function prototypes:

?

1234	publicRegistryKey OpenSubKey(    string name,     //要打开的子项名称或路径    bool writable    //如果需要项的写访问权限=true)

Three. How the registry stores USB information

Here, we look at a number of materials and mainly cite the research and implementation of computer information acquisition system, part of the thesis:
Http://cdmd.cnki.com.cn/Article/CDMD-10431-2010236667.htm
In Windows systems, when a USB Removable storage device is plugged in, it leaves traces in the registry. Plug and Play manager when a mobile device is plugged into a computer PnP (Plug and Play) accepts the event and queries the USB device's firmware (firewre information) for a description of the device (manufacturer, model, serial number, etc.). When the device is recognized, create a new key value in the registry:
Hkey_local_machine\system\currentcontrolset\enum\usbstor
Under this key value, you will see a struct sub-key similar to the following: (this subkey represents a device class identifier that identifies a specific class of device)
disk&ven_###&prod_###&rev_###
Where the sub-key "# #" represents the region is filled in by the PnP manager based on data obtained in the USB device descriptor. As shown

disk&ven_aigo&prod_miniking&rev_8.07 is the device class ID
Q0ukch37&0 is a unique instance ID (UID)
If you use the Uvcview tool, you can see the USB device description, where the information corresponds to each other. Once the device class ID is established, a unique UID is required. It can differentiate multiple storage devices that have the same device class identity.

Four. program implementation to obtain USB usage information

The specific code is as follows, and I want you to download wnt08 code, which is helpful http://download.csdn.net/detail/lwnt08/3083499

?

123456789101112131415161718192021222324252627282930313233

//获取USB使用信息private void button1_Click(object sender, EventArgs e){//定义注册表顶级节点 其命名空间是using Microsoft.Win32;RegistryKey USBKey;//检索子项    USBKey = Registry.LocalMachine.OpenSubKey(@"SYSTEM\CurrentControlSet\Enum\USBSTOR", false);//检索所有子项USBSTOR下的字符串数组foreach (string sub1 in USBKey.GetSubKeyNames()){    RegistryKey sub1key = USBKey.OpenSubKey(sub1, false);    foreach (string sub2 in sub1key.GetSubKeyNames())    {        try        {            //打开sub1key的子项            RegistryKey sub2key = sub1key.OpenSubKey(sub2, false);            //检索Service=disk(磁盘)值的子项 cdrom(光盘)            if (sub2key.GetValue("Service", "").Equals("disk"))            {                String Path = "USBSTOR" + "\\" + sub1 + "\\" + sub2;                String Name = (string)sub2key.GetValue("FriendlyName", "");                richTextBox1.AppendText("USB名称  " + Name + "\r\n");                richTextBox1.AppendText("UID标记  " + sub2 + "\r\n");                richTextBox1.AppendText("路径信息 " + Path + "\r\n\r\n");            }        }        catch (Exception msg) //异常处理        {            MessageBox.Show(msg.Message);        }    }}

The results of the operation are as follows:

The corresponding registry information is as follows:

The corresponding FriendlyName is the output "USB name Aigo miniking USB Device", the UID serial number is "q0ukch37". The Search service (services) is disk (disk) option.

Five. Summary and Outlook

First of all, personal feelings, this information is very few, the article blog is also few, so it seems that the operation is very simple, but the real implementation is still thoughtful. Then there are many key values for storing the USB record.
1.hkey_local_machine\system\currentcontrolset\enum\usb
The key value can be seen in the vendor number (VID_), the manufacturer's product number (PID_), and locationinformation (port number) port_#0001.hub_#0005 and so on.

2.hkey_local_machine\system\currentcontrolset\control\deviceclasses
There are two device classes under this key: {53f56307-b6bf-11d0-94f2-00a0c91efb8b}{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}, which can be accessed via USB last access system time.
The next thing I want to do is how to relate these keys, which seems to pass through dictionary, how to get the time, and how to delete the information correctly. Finally hope that the article will help you, if there are errors or shortcomings, please Haihan! Finally, I would like to thank some of the following reference articles blog and author. This kind of information is really not easy to find, are related to the content and good, some references, some did not, but all good, but also hope that these links can be used.
(By:eastmount 2014-4-8 Night 1:30 original csdn http://blog.csdn.net/eastmount/)
References and similar articles (worth a look):
1. "Research and implementation of computer information Acquisition system" the paper discusses computer forensics and USB principle
Http://cdmd.cnki.com.cn/Article/CDMD-10431-2010236667.htm
2.Tracking usb storage:analysis of Windows artifacts generated by USB storage devices
English article, how to get the time and information of USB usage record
http://www.sciencedirect.com/science/article/pii/S1742287605000320
3. Write a USB storage device in C # Use the Trace detection and removal tool to tell you how to delete the Get sub-section explanation
http://blog.csdn.net/metaphysis/article/details/18504315
4.c# read the registry for USB flash drive usage record
http://download.csdn.net/detail/lwnt08/3083499

C # System application to obtain USB usage records via the registry (i)