Locking down Windows Vista and Windows 7 against Malicious USB devices

Intro

A fair amount has been written already about locking down a Microsoft Windows box to protect it against undesired USB flash drive usage. If system owners want to keep data from leaving their network via removable storage, there's a simple registry entry that can be tweaked:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\StorageDevicePolicies\WriteProtect

Or a simple tool I wrote awhile back can be used to manipulate this registry key:

http://www.irongeek.com/i.php?page=security/thumbscrew-software-usb-write-blocker

It should be noted that my tool above was meant more for forensics use (though I make no guarantee that it is forensically sound). A security professional may be worried about more than just data leaking out of their systems on removable storage; they may also worry about U3 thumb drives with undesired Autorun payloads. In the case of Autorun/Autoplay concerns, the following Microsoft article has a great amount of detail on disabling Autorun on selected device types:

http://support.microsoft.com/kb/967715

What the article you are reading will concentrate on is stopping other classes of possibly malicious USB devices, especially the PHUKD (Programmable HID USB Keyboard/Mouse Dongle) from my upcoming Defcon presentation:

http://www.irongeek.com/i.php?page=security/programmable-hid-usb-keystroke-dongle

One of the advantages of the PHUKD is that human interface devices (HIDs) like mice and keyboards don't require administrative privileges to install and function, at least by default. Another advantage the PHUKD has is that many organizations are beginning to lock down Autorun on their systems to prevent malware like Conficker from spreading via that particular vector, and to keep tools like the Hak5 U3 Hacksaw from functioning. However, since a PHUKD is a USB HID, turning off Autorun has no effect on it. There are, however, other Windows 7/Vista settings that can be tweaked to disable arbitrary USB devices.

While I did most of my testing of the following Windows Vista/7 security options using a PHUKD device, they should also prove useful in blocking U3 thumb drives, WiFi dongles (think inadvertent rogue access points), non-passive keyloggers and other devices that could be attached to a system. Also, these security options can be applied to restrict other types of hardware, not just USB, though USB peripherals are what I will concentrate on in this article.

Shortly I will be covering Windows 7/Vista Group Policy/Registry tweaks that you can apply to block the automatic install of USB devices, but first there is a tool you may want to download to ease your experimentation. Nirsoft's USBDeview was of great use to me during this research.

http://www.nirsoft.net/utils/usb_devices_view.html

USBDeview is quite useful, especially as compared to Device Manager. A few of the more useful features of USBDeview include:

1.    View Vendor ID, Product ID, Device Class, Serial Number, etc. all from one line of output.

2.    Uninstall devices, even if they are not currently connected to the system.

3.    Jump straight to the registry keys related to the USB devices.

4.    Export list of installed USB devices to a text file.

Along with USBDeview it may be useful for you to be able to go straight to the MMC plugins we will be using in this article: Device Manager and Local Group Policy Editor. To jump directly to these MMC plugins: Enter the command "devmgmt.msc" to bring up the Device Manager, or "gpedit.msc" to bring up the Local Group Policy Editor. These commands may be entered via the "Search programs and files" bar, the Run bar or via the command console (cmd.exe/ powershell.exe). Putting shortcuts to them on your Desktop is also an option of course.

Now that we have the needed tools, I'll cover the Device Installation Restriction options available in Windows 7/Vista. For each entry the following information will be given:

1.    The setting's name.

2.    A quote of Microsoft's description of the setting as seen in the Group Policy Editor.

3.    My notes from testing where I will try to clarify the use of the settings and certain "gotchas" you may encounter while using them.

4.    The registry keys and values that are changed when the option is enabled. This should make it easy for administrators to create their own scripts and interfaces for manipulating these security options.

Now let's take a look at some of the GPO options Windows 7/Vista provides for restricting hardware installation. To bring up the list of Device Installation Restriction options, use the command "gpedit.msc" as covered earlier, and navigate to:

Computer Configuration->Administrative Templates->System->Device Installation->Device Installation Restrictions

 

If at any point you have problems getting hardware to work because of changing these settings, set all of these GPO options to "Not Configured", then go into Device Manager and do an "Action->Scan for Hardware Changes" from the menu bar.

 

 

Jump to a section:

Intro

Device Installation Restriction policies:

Allow administrators to override Device Installation Restriction policies
Allow installation of devices using drivers that match these device setup classes
Prevent installation of devices using drivers that match these device setup classes
Display a custom message when installation is prevented by a policy setting
Display a custom message title when device installation is prevented by a policy setting
Allow installation of devices that match any of these device IDs
Prevent installation of devices that match any of these device IDs
Time (in seconds) to force reboot when required for policy changes to take effect
Prevent installation of removable devices
Prevent installation of devices not described by other policy settings

Adrian's recommendation for preventing PHUKD devices from functioning

Links

 

Allow administrators to override Device Installation Restriction policies

 

Microsoft's Description: This policy setting allows you to determine whether members of the Administrators group can install and update the drivers for any device, regardless of other policy settings.

If you enable this policy setting, members of the Administrators group can use the Add Hardware wizard or the Update Driver wizard to install and update the drivers for any device. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, members of the Administrators group are subject to all policy settings that restrict device installation.

Adrian's Notes:

As should be obvious, this setting will have no effect unless you set one of the "Prevent" options listed below. If one of the policy settings prevents a USB device from being installed, and the "Allow administrators to override Device Installation Restriction policies" option is set, an admin can go into Device Manager to install the device. Doing a simple "Action->Scan for Hardware Changes" will not work, however. An administrative user will have to go into Device Manager, find the device that was prevented from automatically installing, then right click it and choose "Update Driver Software..." This should force the installation of the device.

Registry Equivalent:

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions]

Value if enabled:

"AllowAdminInstall"=dword:00000001

 

Allow installation of devices using drivers that match these device setup classes

 

Microsoft's Description: This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.

If you enable this policy setting, Windows is allowed to install or update device drivers whose device setup class GUIDs appear in the list you create, unless another policy setting specifically prevents installation (for example, the "Prevent installation of devices that match these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.

Adrian's Notes:

This option allows you to create a whitelist of devices that may be installed. As noted above, this setting does nothing unless "Prevent installation of devices not described by other policy settings" is set. Also, "Prevent" policies override all of the "Allow" policies except for "Allow administrators to override Device Installation Restriction policies". In other words, if you set the "Prevent installation of devices using drivers that match these device setup classes" policy to deny the installation of the "USB Input Device Class", but also set "Allow installation of devices using drivers that match these device setup classes" to allow the installation of the "USB Input Device Class", then the Prevent policy will take precedence.

While this setting allows you to create a whitelist, it is rather painful to do so, as you have to allow all of the associated Device Classes for a given device. For example, I had to enable the following to allow my Teensy based PHUKD device to be installed:

{4d36e96f-e325-11ce-bfc1-08002be10318} (HID-Compliant Mouse)

{4d36e96b-e325-11ce-bfc1-08002be10318} (HID Keyboard Device)

{36fc9e60-c465-11cf-8056-444553540000} (Composite Device)

{745a17a0-74d3-11d0-b6fe-00a0c90f57da} (USB Input Device Class)

Observe this screenshot to see the entry format that has to be used:

To find the needed device setup classes I followed these steps:

1.    I had to let the device be installed on a box. The GUID properties for the device did not seem to be visible unless it was installed.

2.    I then found the device, and all its related devices, in Device Manager.

3.    I brought up the properties of each device, went to the details tab, then copied the value from the "Device class guid" property.

4.    After I collected all of the "Device class guid" properties, I enabled the "Allow installation of devices using drivers that match these device setup classes" setting and added the class ids to the list.

 

As you can tell from the procedures listed above, using the "Allow installation of devices using drivers that match these device setup classes" option is not very admin friendly. For assistance please see the list of device GUIDs provided at the end of this article.

Registry Equivalent:

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions]

Value if enabled:

"AllowDeviceClasses"=dword:00000001

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceClasses]

Values (where xxx is the Device Class):

"**delvals."=" "

"1"="xxx"

Numbering should continue from 1.

 

Prevent installation of devices using drivers that match these device setup classes

 

Microsoft's Description: This policy setting allows you to specify a list of device setup class globally unique identifiers (GUIDs) for device drivers that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing or updating device drivers whose device setup class GUIDs appear in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, Windows can install and update devices as allowed or prevented by other policy settings.

Adrian's Notes:

"Prevent installation of devices using drivers that match these device setup classes " is pretty much the mirror opposite of "Allow installation of devices using drivers that match these device setup classes". Device setup classes are collected the same way. I imagine this setting would be useful if you know a specific class of devices you wish to block, such as USB WiFi adapters for example.

With the "Prevent" policy options, hardware that is already installed is normally ignored and stays functional even after the policy is applied. If you want to make the changes retroactive for previously installed hardware, choose the "Also apply to matching devices that are already installed" check box (or set the registry value DenyDeviceClassesRetroactive to 1). For assistance please see the list of device GUIDs provided at the end of this article.

Registry Equivalent:

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions]

Values if enabled:

"DenyDeviceClasses"=dword:00000001

"DenyDeviceClassesRetroactive"=dword:00000000

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceClasses]

Values:

"**delvals."=" "

"1"="xxx"

Where "xxx" is a GUID. Numbering should continue from 1.

 

Display a custom message when installation is prevented by a policy setting

 

Microsoft's Description: This policy setting allows you to display a custom message to users in the notification balloon when a device installation is attempted and a policy setting prevents the installation.

If you enable this policy setting, Windows displays the text you type in the Detail Text box when a policy setting prevents device installation.

If you disable or do not configure this policy setting, Windows displays a default message when a policy setting prevents device installation.

Adrian's Notes:

This option is fairly self-explanatory. Instead of giving the default message ("Click here for details"), you can choose to give a customized message whenever a device fails to install because of policy settings.

One annoyance I've found is that these warning popups only appear the first time you try to install a given piece of hardware, so they are easy for a user to miss and not realize why their USB device is not working.

 

Registry Equivalent:

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy]

Value (where "message" is the message to be shown):

"DetailText"="message"

 

Display a custom message title when device installation is prevented by a policy setting

 

Microsoft's Description: This policy setting allows you to display a custom message title in the notification balloon when a device installation is attempted and a policy setting prevents the installation.

If you enable this policy setting, Windows displays the text you type in the Main Text box as the title text of the notification balloon when a policy setting prevents device installation.

If you disable or do not configure this policy setting, Windows displays a default title in the notification balloon when a policy setting prevents device installation.

Adrian's Notes:

Similar to "Display a custom message when installation is prevented by a policy setting", except it lets you set a custom title to replace the default title of "Device installation was prevented by policy".

One annoyance I've found is that these warning popups only appear the first time you try to install a given piece of hardware, so they are easy for a user to miss and not realize why their USB device is not working.

 

Registry Equivalent:

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DeniedPolicy]

Value (Where "title" is the title to show):

"SimpleText"="title"

 

Allow installation of devices that match any of these device IDs

 

Microsoft's Description: This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is allowed to install. Use this policy setting only when the "Prevent installation of devices not described by other policy settings" policy setting is enabled. Other policy settings that prevent device installation take precedence over this one.

If you enable this policy setting, Windows is allowed to install or update any device whose Plug and Play hardware ID or compatible ID appears in the list you create, unless another policy setting specifically prevents that installation (for example, the "Prevent installation of devices that match any of these device IDs" policy setting, the "Prevent installation of devices for these device classes" policy setting, or the "Prevent installation of removable devices" policy setting). If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, and no other policy setting describes the device, the "Prevent installation of devices not described by other policy settings" policy setting determines whether the device can be installed.

Adrian's Notes:

This GPO option allows for another way to whitelist devices. Much like the options that "Allow" or "Prevent" installation of a device based on its device setup class, the "Allow installation of devices that match any of these device IDs" works via a list of Plug and Play hardware IDs or compatible IDs. These IDs can be somewhat easier to collect than device setup classes since the device does not have to be successfully installed first to collect the hardware IDs or compatible IDs.

Hardware IDs are meant to be rather specific to the device. They are used for finding the correct device driver to load to make the hardware functional. For example, I set my Teensy based PHUKD device to have a vendor ID of 1313 and a Product ID of 0123. This means one of its hardware IDs is:

USB\VID_1313&PID_0123

But it is also a composite device, and the parent of other devices that will appear in the Device Manager, for example:

HID\VID_1313&PID_0123&REV_0100&MI_01
HID\VID_1313&PID_0123&MI_01
HID_DEVICE_SYSTEM_MOUSE
HID_DEVICE_UP:0001_U:0002
HID_DEVICE

As such, just whitelisting the hardware ID USB\VID_1313&PID_0123 would not be enough to allow the device to completely install. As a matter of fact, it would be possible to have some of the functions of a composite device work, and have others denied because they do not have their corresponding hardware ID whitelisted. For example, the mouse part might work, but the keyboard part of the Teensy HID might not.

While hardware IDs are meant to be fairly specific to a given piece of hardware, compatible IDs are a fallback for when more specific drivers that support the listed hardware IDs can't be found. In other words, compatible IDs are more general.

To collect compatible or hardware IDs for your whitelist do the following:

1.    Plug in the device.

2.    Find the device, and all its related devices, in Device Manager. If the device is currently prevented from installing because of a GPO setting you may only see one device with an exclamation mark. After we finish with steps 2 through 4 on a composite device, we may have to go through them again for each child device.

3.    Bring up the properties of each device, go to the details tab, and then copy a value from the "Hardware Ids" or "Compatible Ids" property.

4.    After collecting all of the "Hardware Ids" or "Compatible Ids" properties, enable the "Allow installation of devices that match any of these device IDs" setting and add needed IDs to the list.

For the Teensy programmable HID device to work, I had to add the following IDs:

USB\VID_1313&PID_0123
USB\COMPOSITE
HID_DEVICE
USB\Class_03

A few other notes: Remember that "Prevent" overrides "Allow" in general, so if an ID is in both an "Allow" and a "Prevent" policy, the "Prevent" policy will generally take precedence. Also, if "Prevent installation of removable devices" is enabled, and the device is removable, it will be denied installation even if its IDs are in a whitelist. "Allow administrators to override Device Installation Restriction policies" still overrides "Prevent installation of removable devices" however.
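The precedence rules described in these notes can be checked against a device tree before touching a real machine. The following is an added example, not code from the original article: it is a simplified model of the behaviour described above (not Windows' actual algorithm), and the interface nodes and keyboard IDs in the sample tree are constructed around the Teensy IDs the article lists.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:
    """The Device Installation Restriction values this model looks at."""
    allow_admin_install: bool = False              # AllowAdminInstall
    deny_removable: bool = False                   # DenyRemovableDevices
    deny_unspecified: bool = False                 # DenyUnspecified
    allow_ids: set = field(default_factory=set)    # AllowDeviceIDs list
    deny_ids: set = field(default_factory=set)     # DenyDeviceIDs list

@dataclass
class Node:
    """One Device Manager entry: hardware IDs first, then compatible IDs."""
    name: str
    ids: list
    removable: bool = False
    children: list = field(default_factory=list)

def listed(ids, policy_list):
    """True if any of the node's IDs appears in the policy list.
    Case-insensitive comparison is an assumption of this model."""
    wanted = {entry.upper() for entry in policy_list}
    return any(i.upper() in wanted for i in ids)

def decide(policy, node, admin_manual=False):
    """Return (installs, reason) for a single node.
    admin_manual=True models an administrator using "Update Driver Software..."."""
    if admin_manual and policy.allow_admin_install:
        return True, "admin override"
    if listed(node.ids, policy.deny_ids):            # Prevent beats Allow
        return False, "DenyDeviceIDs"
    if policy.deny_removable and node.removable:     # beats the whitelist too
        return False, "DenyRemovableDevices"
    if listed(node.ids, policy.allow_ids):
        return True, "AllowDeviceIDs"
    if policy.deny_unspecified:
        return False, "DenyUnspecified"
    return True, "no policy applies"

def walk(policy, node, admin_manual=False, parent_ok=True, out=None):
    """Evaluate a whole tree; children only show up once their parent installs."""
    out = {} if out is None else out
    if parent_ok:
        ok, why = decide(policy, node, admin_manual)
    else:
        ok, why = False, "parent not installed"
    out[node.name] = (ok, why)
    for child in node.children:
        walk(policy, child, admin_manual, ok, out)
    return out

# Constructed sample tree for the Teensy composite device described above.
TEENSY = Node("composite", [r"USB\VID_1313&PID_0123", r"USB\COMPOSITE"],
              removable=True, children=[
    Node("keyboard interface", [r"USB\VID_1313&PID_0123&MI_00", r"USB\Class_03"],
         children=[Node("keyboard", [r"HID\VID_1313&PID_0123&MI_00",
                                     "HID_DEVICE_SYSTEM_KEYBOARD", "HID_DEVICE"])]),
    Node("mouse interface", [r"USB\VID_1313&PID_0123&MI_01", r"USB\Class_03"],
         children=[Node("mouse", [r"HID\VID_1313&PID_0123&MI_01",
                                  "HID_DEVICE_SYSTEM_MOUSE", "HID_DEVICE"])]),
])

# The four IDs the article had to whitelist for the Teensy.
ARTICLE_WHITELIST = {r"USB\VID_1313&PID_0123", r"USB\COMPOSITE",
                     "HID_DEVICE", r"USB\Class_03"}

if __name__ == "__main__":
    cases = {
        "VID/PID only": Policy(deny_unspecified=True,
                               allow_ids={r"USB\VID_1313&PID_0123"}),
        "article whitelist": Policy(deny_unspecified=True,
                                    allow_ids=ARTICLE_WHITELIST),
        "whitelist + removable block": Policy(deny_unspecified=True,
                                              deny_removable=True,
                                              allow_ids=ARTICLE_WHITELIST),
    }
    for label, policy in cases.items():
        print(label)
        for name, (ok, why) in walk(policy, TEENSY).items():
            print(f"  {name:20} {'installs' if ok else 'blocked':9} ({why})")
```

Running it prints the per-node outcome for each policy, which makes it easy to see when a whitelist covers only part of a composite device.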

Registry Equivalent:

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions]

Value if enabled:

"AllowDeviceIDs"=dword:00000001

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\AllowDeviceIDs]

Values:

"**delvals."=" "

"1"="xxx"

Where "xxx" is a hardware or compatible ID. Numbering should continue from 1.

 

Prevent installation of devices that match any of these device IDs

 

Microsoft's Description: This policy setting allows you to specify a list of Plug and Play hardware IDs and compatible IDs for devices that Windows is prevented from installing. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing a device whose hardware ID or compatible ID appears in the list you create. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of the specified devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, devices can be installed and updated as allowed or prevented by other policy settings.

Adrian's Notes:

You may use the "Prevent installation of devices that match any of these device IDs" to blacklist based on hardware or compatibility IDs. Keep in mind that this sort of blacklisting of hardware IDs can be made very ineffective because of devices that allow the attacker to set any vendor or product ID they wish. For example, I set my Teensy to use 1313 as the vendor ID, and 0123 as the product. This made the base hardware ID:

USB\VID_1313&PID_0123

I could have easily changed these arbitrary values to something else, or made them match some preexisting hardware's vendor and product ID. If a blacklist is to be created it may be better to use the compatibility IDs to block device types in much the same way as the "Prevent installation of devices using drivers that match these device setup classes" uses GUIDs in its block list. If you want to make the changes retroactive for previously installed hardware, choose the "Also apply to matching devices that are already installed" check box (or set the registry value DenyDeviceClassesRetroactive to 1).

Registry Equivalent:

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions]

Values if enabled:

"DenyDeviceIDs"=dword:00000001

"DenyDeviceIDsRetroactive"=dword:00000000

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions\DenyDeviceIDs]

Values:

"**delvals."=" "

"1"="xxx"

Where "xxx" is a hardware or compatible ID. Numbering should continue from 1.

 

Time (in seconds) to force reboot when required for policy changes to take effect

 

Microsoft's Description: Set the amount of time (in seconds) that the system will wait to reboot in order to enforce a change in device installation restriction policies.

If you enable this setting, set the amount of seconds you want the system to wait until a reboot.

If you disable or do not configure this setting, the system will not force a reboot.

NOTE: If no reboot is forced, the device installation restriction right will not take effect until the system is restarted.

Adrian's Notes:

I've not really tested this option. The effects of the settings I've made have always seemed to be instantaneous, and not requiring a reboot.

Registry Equivalent:

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions]

Values if enabled:

"ForceReboot"=dword:00000001

"RebootTime"=dword:00000078

 

Prevent installation of removable devices

 

Microsoft's Description: This policy setting allows you to prevent Windows from installing removable devices. A device is considered removable when the driver for the device to which it is connected indicates that the device is removable. For example, a Universal Serial Bus (USB) device is reported to be removable by the drivers for the USB hub to which the device is connected. This policy setting takes precedence over any other policy setting that allows Windows to install a device.

If you enable this policy setting, Windows is prevented from installing removable devices and existing removable devices cannot have their drivers updated. If you enable this policy setting on a remote desktop server, the policy setting affects redirection of removable devices from a remote desktop client to the remote desktop server.

If you disable or do not configure this policy setting, Windows can install and update device drivers for removable devices as allowed or prevented by other policy settings.

Adrian's Notes:

Since USB devices by their very nature are generally removable, this is a pretty straightforward option to set. It seems to pretty much override all other device restriction settings but the "Admin Override" option. If you want to make the change retroactive for previously installed hardware, choose the "Also apply to matching devices that are already installed" check box (or set the registry value DenyDeviceClassesRetroactive to 1).

Registry Equivalent:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions]

Value if enabled:

"DenyRemovableDevices"=dword:00000001

 

Prevent installation of devices not described by other policy settings

 

Microsoft's Description: This policy setting allows you to prevent the installation of devices that are not specifically described by any other policy setting.

If you enable this policy setting, Windows is prevented from installing, or updating the device driver for, any device that is not described by either the "Allow installation of devices that match any of these device IDs" or the "Allow installation of devices for these device classes" policy settings.

If you disable or do not configure this policy setting, Windows is allowed to install, or update the device driver for, any device that is not described by the "Prevent installation of devices that match any of these device IDs," "Prevent installation of devices for these device classes," or "Prevent installation of removable devices" policy settings.

Adrian's Notes:

As noted above, this option will have to be set for any of the "Allow installation of devices *" options to be effective. Otherwise the allow options are pretty much just telling Windows to allow the installation of something that is already allowed anyway.

Registry Equivalent:

Key:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{55803F47-01A6-4A85-89CE-74357A125D17}Machine\Software\Policies\Microsoft\Windows\DeviceInstall\Restrictions]

Value if enabled:

"DenyUnspecified"=dword:00000001

 

Adrian's recommendation for preventing PHUKD devices from functioning

 

My personal recommendation: If you want to make sure USB hardware like the PHUKD is not surreptitiously installed on a system, do the following:

1.    Enable both "Allow administrators to override Device Installation Restriction policies" and "Prevent installation of removable devices".

2.    Set "Display a custom message title when device installation is prevented by a policy setting" and "Display a custom message when installation is prevented by a policy setting" to something meaningful so the user knows why the hardware did not install properly.

3.    Whenever you install a new device on purpose, manually go into device manager, and install the drivers using the "Update Driver Software..." option.
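The registry values listed throughout this article can be turned into a .reg file by script. The following is an added example, not a tool from the original article: it writes the value names given in the "Registry Equivalent" sections, and its default root key under HKEY_LOCAL_MACHINE is an assumption not taken from the page, which lists the keys under the Local Group Policy Editor's HKEY_CURRENT_USER path (pass base= to target a different root).

```python
# Assumed default root (not from the article); the value names below are the
# ones the article lists. The "**delvals." entries shown there are not emitted.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions"

def esc(text):
    # .reg string data needs backslashes and double quotes escaped, which
    # matters here because every hardware ID contains a backslash.
    return text.replace("\\", "\\\\").replace('"', '\\"')

def dword(name, value):
    return f'"{name}"=dword:{value:08x}'

def string(name, value):
    return f'"{esc(name)}"="{esc(value)}"'

def clean(ids):
    """Strip, validate and de-duplicate (case-insensitively) a list of IDs."""
    seen, result = set(), []
    for raw in ids:
        item = raw.strip()
        if not item or "\n" in item or "\r" in item:
            raise ValueError(f"not a usable device ID: {raw!r}")
        if item.upper() not in seen:
            seen.add(item.upper())
            result.append(item)
    return result

def build_reg(*, allow_admin=False, deny_removable=False, deny_unspecified=False,
              allow_ids=(), deny_ids=(), deny_ids_retroactive=False,
              title=None, message=None, base=BASE):
    """Return the text of a .reg file for the chosen restriction settings."""
    allow, deny = clean(allow_ids), clean(deny_ids)
    if allow and not deny_unspecified:
        # Per the article, an allow list does nothing unless "Prevent
        # installation of devices not described by other policy settings" is on.
        raise ValueError("allow_ids has no effect without deny_unspecified=True")

    flags = []
    if allow_admin:
        flags.append(dword("AllowAdminInstall", 1))
    if deny_removable:
        flags.append(dword("DenyRemovableDevices", 1))
    if deny_unspecified:
        flags.append(dword("DenyUnspecified", 1))
    if allow:
        flags.append(dword("AllowDeviceIDs", 1))
    if deny:
        flags.append(dword("DenyDeviceIDs", 1))
        flags.append(dword("DenyDeviceIDsRetroactive", int(deny_ids_retroactive)))

    out = ["Windows Registry Editor Version 5.00", "", f"[{base}]", *flags]
    for subkey, ids in (("AllowDeviceIDs", allow), ("DenyDeviceIDs", deny)):
        if ids:
            out += ["", f"[{base}\\{subkey}]"]
            # List entries are numbered from 1, as described in the article.
            out += [string(str(n), item) for n, item in enumerate(ids, 1)]
    if title or message:
        out += ["", f"[{base}\\DeniedPolicy]"]
        if title:
            out.append(string("SimpleText", title))      # balloon title
        if message:
            out.append(string("DetailText", message))    # balloon text
    return "\r\n".join(out) + "\r\n"

if __name__ == "__main__":
    # The recommendation above: admin override plus the removable-device block,
    # with a meaningful balloon title and message (constructed sample strings).
    print(build_reg(allow_admin=True, deny_removable=True,
                    title="USB device blocked by policy",
                    message="Ask an administrator to install this device."))
```

Review the generated text before importing it, and test on a non-production machine first.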

I hope this article has been of assistance.

Useful links:

 

Prevent Installation of Removable Devices
http://technet.microsoft.com/es-es/library/cc753539%28WS.10%29.aspx

List of Class IDs
http://msdn.microsoft.com/en-us/library/ff553426%28VS.85%29.aspx

Battery: {72631e54-78a4-11d0-bcf7-00aa00b7b32a}
Biometric: {53D29EF7-377C-4D14-864B-EB3A85769359}
Bluetooth: {e0cbf06c-cd8b-4647-bb8a-263b43f0f974}
CDROM: {4d36e965-e325-11ce-bfc1-08002be10318}
DiskDrive: {4d36e967-e325-11ce-bfc1-08002be10318}
Display: {4d36e968-e325-11ce-bfc1-08002be10318}
FDC: {4d36e969-e325-11ce-bfc1-08002be10318}
FloppyDisk: {4d36e980-e325-11ce-bfc1-08002be10318}
HDC: {4d36e96a-e325-11ce-bfc1-08002be10318}
HIDClass: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}
Dot4: {48721b56-6795-11d2-b1a8-0080c72e74a2}
Dot4Print: {49ce6ac8-6f86-11d2-b1e5-0080c72e74a2}
61883: {7ebefbc0-3200-11d2-b4c2-00a0C9697d07}
AVC: {c06ff265-ae09-48f0-812c-16753d7cba83}
SBP2: {d48179be-ec20-11d1-b6b8-00c04fa372a7}
1394: {6bdd1fc1-810f-11d0-bec7-08002be2092f}
Image: {6bdd1fc6-810f-11d0-bec7-08002be2092f}
Infrared: {6bdd1fc5-810f-11d0-bec7-08002be2092f}
Keyboard: {4d36e96b-e325-11ce-bfc1-08002be10318}
MediumChanger: {ce5939ae-ebde-11d0-b181-0000f8753ec4}
MTD: {4d36e970-e325-11ce-bfc1-08002be10318}
Modem: {4d36e96d-e325-11ce-bfc1-08002be10318}
Monitor: {4d36e96e-e325-11ce-bfc1-08002be10318}
Mouse: {4d36e96f-e325-11ce-bfc1-08002be10318}
Multifunction: {4d36e971-e325-11ce-bfc1-08002be10318}
Media: {4d36e96c-e325-11ce-bfc1-08002be10318}
MultiportSerial: {50906cb8-ba12-11d1-bf5d-0000f805f530}
Net: {4d36e972-e325-11ce-bfc1-08002be10318}
NetClient: {4d36e973-e325-11ce-bfc1-08002be10318}
NetService: {4d36e974-e325-11ce-bfc1-08002be10318}
NetTrans: {4d36e975-e325-11ce-bfc1-08002be10318}
SecurityAccelerator: {268c95a1-edfe-11d3-95c3-0010dc4050a5}
PCMCIA: {4d36e977-e325-11ce-bfc1-08002be10318}
Ports: {4d36e978-e325-11ce-bfc1-08002be10318}
Printer: {4d36e979-e325-11ce-bfc1-08002be10318}
Processor: {50127dc3-0f36-415e-a6cc-4cb3be910b65}
SCSIAdapter: {4d36e97b-e325-11ce-bfc1-08002be10318}
Sensor: {5175d334-c371-4806-b3ba-71fd53c9258d}
SmartCardReader: {50dd5230-ba8a-11d1-bf5d-0000f805f530}
Volume: {71a27cdd-812a-11d0-bec7-08002be2092f}
System: {4d36e97d-e325-11ce-bfc1-08002be10318}
TapeDrive: {6d807884-7d21-11cf-801c-08002be10318}
USB: {36fc9e60-c465-11cf-8056-444553540000}
Windows CE USB ActiveSync Devices (WCEUSBS): {25dbce51-6c8f-4a72-8a6d-b54c2b4fc835}
Windows Portable Devices (WPD): {eec5ad98-8080-425f-922a-dabf3de3f69a}
SideShow: {997b5d8d-c442-4f2e-baf3-9c8e671e9e21}

 


If you would like to republish one of the articles from this site on your webpage or print journal please contact IronGeek.

Copyright 2016, IronGeek
Louisville / Kentuckiana Information Security Enthusiast