I am working on C# code that accesses the Windows registry for USB related information, mainly USBSTOR. If we try to access properties under each USBSTOR entry, it is restricted (even to Administrators).

I am using the Microsoft.Win32.Registry class for querying required info, which gives us an option to "Take Ownership" of registry keys when opening.

Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_TS8XDVDR&Prod_Transcend&Rev_TW00\112233445568&0\Properties", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);

This works fine for most of the cases, but Microsoft.Win32 does not provide facility to read information like lastwritetime etc.

Quick Search and ChatGPT revealed that we can use low-level Windows API to take ownership and then read required information but it assumes that we can open registry key using

(int)RegOpenKeyEx(hKey, subKey, 0, KEY_ALL_ACCESS, ref hKeyResult);

In my case opening subject key throws an error

Code: 5 (0x5) (ERROR_ACCESS_DENIED)

What is the best way to work around these restriction and query required data?

I am working on C# code that accesses the Windows registry for USB related information, mainly USBSTOR. If we try to access properties under each USBSTOR entry, it is restricted (even to Administrators).

I am using the Microsoft.Win32.Registry class for querying required info, which gives us an option to "Take Ownership" of registry keys when opening.

Microsoft.Win32.Registry.LocalMachine.OpenSubKey("SYSTEM\ControlSet001\Enum\USBSTOR\CdRom&Ven_TS8XDVDR&Prod_Transcend&Rev_TW00\112233445568&0\Properties", RegistryKeyPermissionCheck.ReadWriteSubTree, RegistryRights.TakeOwnership);

This works fine for most of the cases, but Microsoft.Win32 does not provide facility to read information like lastwritetime etc.

Quick Search and ChatGPT revealed that we can use low-level Windows API to take ownership and then read required information but it assumes that we can open registry key using

(int)RegOpenKeyEx(hKey, subKey, 0, KEY_ALL_ACCESS, ref hKeyResult);

In my case opening subject key throws an error

Code: 5 (0x5) (ERROR_ACCESS_DENIED)

What is the best way to work around these restriction and query required data?

• c#
• winapi
• registry

• 2 If you can't even view the data as an admin, then you likely shouldn't be messing with it at all. What exactly are you trying to extract from it? Have you tried opening the key for read-only access instead of read/write? – Remy Lebeau Commented Nov 21, 2024 at 7:03
• @RemyLebeau I am trying to extract time information like first and last connection date/time. Yes, I have tried lot of different options without success. I came across a tool named USBDeView which reads this information even with limited user account – Junaid Arshad Commented Nov 21, 2024 at 16:53
• 1 Are you sure USBDeView is reading it from the registry? Have you tried using SysInternals Process Monitor to see what registry keys are being accessed and with what permissions? – Remy Lebeau Commented Nov 21, 2024 at 19:26

1 Answer 1

In my tool "USB Drive Info" you can right-click the USB device -> RegEdit...

The first sub-item is HKLM\SYSTEM\CurrentControlSet\Enum<DeviceInstanceID> which leads above the "Device Parameters". Since UsbDriveInfo uses the dirty trick of stealing a Windows service's access token to start RegEdit.exe with, "Device Parameters" can be accessed. Does not look that interesting :-)

Since Windows Vista arrival and removal time can be determined by means of CM_Get_DevNode_Property with DEVPKEY_Device_LastArrivalDate and DEVPKEY_Device_LastRemovalDate. In C++:

// assuming DeviceInstanceID is in szDeviceInstanceId

DEVINST DevInst = 0;

if ( CR_SUCCESS == CM_Locate_DevNode(&DevInst, szDeviceInstanceId, 0) ) {
    // DevInst determined
    FILETIME FT;
    DEVPROPTYPE PropType;
    ULONG PropSize = sizeof(FT);
    if ( CR_SUCCESS == CM_Get_DevNode_Property(DevInst, &DEVPKEY_Device_LastRemovalDate,
                                               &PropType, (PBYTE)&FT, &PropSize, 0);
      // time in FT
    }
}