Friday, December 28, 2007

The MAC Daddy

I received a question in my inbox today regarding locating a system's MAC address within an image of a system, and I thought I'd share the response I provided...
"The path to the key that tells you which NICs are/were in use on the system is:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Beneath this key, you will see a set of subkeys, each with different numbers;
on my system, I see "10", "12", and "2". Each of these keys contains two values:
Description and ServiceName. The ServiceName value contains the GUID
for the interface.

Using the GUIDs, go to:
HKLM\SYSTEM\ControlSet00x\Services\Tcpip\Parameters\Interfaces

*Be sure to use the ControlSet marked as "Current".

Beneath this key, you'll see subkeys with names that are GUIDs. You're
interested in the GUIDs you found beneath the previous key. Within each key,
you will find the values associated with that interface.

By default, Windows does not retain the MAC address in the Registry. I'm
aware that there are sites out there that say that it does, but they are incorrect...
at least, with regards to this key. If you *do* find an entry within the "Interfaces"
key above that contains a value such as "NetworkAddress", it is either specific
to the NIC/vendor, or it's being used to spoof the MAC address (this is a known
method).

Also check the following key for subkeys that contain a "NetworkAddress" value:
HKLM\SYSTEM\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}

Other places you can look for the MAC address:

*Sometimes* (not in all cases) if you find the following key, you may find a value
named "MAC", as well:
HKLM\SOFTWARE\Microsoft\Windows Genuine Advantage

Another place to look is Windows shortcut (*.lnk) files...Windows File Analyzer
is a GUI tool that parses directories worth of *.lnk files and one of the fields that
may be populated is the MAC address of the system."

I thought others might find this helpful as well...
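The walk described in the response above, written out as an added Python example (it is not a tool from this post, and it is not RegRipper). The two hives are modelled as nested dicts so it runs without an image; the key and value names follow the paths in the response, plus two details assumed from Windows itself: the Select\Current value in the SYSTEM hive names the ControlSet marked "Current", and each numbered subkey under the network class key carries a NetCfgInstanceId value holding the same GUID as ServiceName. The GUIDs, descriptions, IP addresses and the NetworkAddress value in the sample hives are constructed, and the from_python_registry() adapter assumes the python-registry package if you want to point it at real hive files.

```python
# Added example (not the post's own tooling): follow the key paths named in the
# post across an offline SOFTWARE/SYSTEM hive pair. Hives are nested dicts so
# this runs without an image; all sample data below is constructed.
NET_CLASS_GUID = "{4D36E972-E325-11CE-BFC1-08002bE10318}"  # class key from the post
GUID_A = "{11111111-aaaa-0000-0000-000000000001}"          # constructed
GUID_B = "{22222222-bbbb-0000-0000-000000000002}"          # constructed


def key(values=None, subkeys=None):
    """Minimal registry key: a dict of values plus a dict of subkeys."""
    return {"values": dict(values or {}), "subkeys": dict(subkeys or {})}


def open_key(root, path):
    """Walk a backslash path; registry key names are case-insensitive.
    Returns None when any component is missing."""
    node = root
    for part in path.split("\\"):
        node = next((k for n, k in node["subkeys"].items()
                     if n.lower() == part.lower()), None)
        if node is None:
            return None
    return node


def current_control_set(system):
    """Select\\Current (assumed, standard SYSTEM hive layout) gives the number of
    the ControlSet marked Current, which the post says to use."""
    select = open_key(system, "Select")
    number = select["values"].get("Current", 1) if select else 1
    return "ControlSet%03d" % number


def enumerate_nics(software, system):
    """One record per NetworkCards entry, joined by its ServiceName GUID to the
    Tcpip\\Parameters\\Interfaces key. Any NetworkAddress value is reported with
    the key it came from, since the post flags it as vendor-specific or spoofed."""
    cset = current_control_set(system)
    cards = open_key(software, "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards")
    ifaces = open_key(system, cset + "\\Services\\Tcpip\\Parameters\\Interfaces")
    classes = open_key(system, cset + "\\Control\\Class\\" + NET_CLASS_GUID)
    records = []
    for index, card in (cards["subkeys"] if cards else {}).items():
        guid = card["values"].get("ServiceName")
        rec = {"index": index, "guid": guid,
               "description": card["values"].get("Description"),
               "tcpip": {}, "network_address": None, "address_source": None}
        iface = open_key(ifaces, guid) if ifaces and guid else None
        if iface:
            rec["tcpip"] = dict(iface["values"])
            if "NetworkAddress" in iface["values"]:
                rec["network_address"] = iface["values"]["NetworkAddress"]
                rec["address_source"] = "Tcpip\\Parameters\\Interfaces"
        # Class subkeys (0000, 0001, ...) tie back to the GUID via NetCfgInstanceId (assumed).
        for name, entry in (classes["subkeys"] if classes else {}).items():
            vals = entry["values"]
            if (vals.get("NetCfgInstanceId", "").lower() == (guid or "").lower()
                    and "NetworkAddress" in vals and rec["network_address"] is None):
                rec["network_address"] = vals["NetworkAddress"]
                rec["address_source"] = "Control\\Class\\" + NET_CLASS_GUID + "\\" + name
        records.append(rec)
    return records


def wga_mac(software):
    """The optional 'MAC' value under Windows Genuine Advantage; None if absent."""
    wga = open_key(software, "Microsoft\\Windows Genuine Advantage")
    return wga["values"].get("MAC") if wga else None


def from_python_registry(reg_key):
    """Adapter for a real hive: pass Registry.Registry(path).root() from the
    python-registry package (assumed installed) to get the dict form used here."""
    return key({v.name(): v.value() for v in reg_key.values()},
               {k.name(): from_python_registry(k) for k in reg_key.subkeys()})


# Constructed sample hives mirroring the layout the post describes.
SAMPLE_SOFTWARE = key(subkeys={"Microsoft": key(subkeys={
    "Windows NT": key(subkeys={"CurrentVersion": key(subkeys={
        "NetworkCards": key(subkeys={
            "2": key({"Description": "Sample NIC A", "ServiceName": GUID_A}),
            "10": key({"Description": "Sample NIC B", "ServiceName": GUID_B})})})}),
    "Windows Genuine Advantage": key({"MAC": "00-0C-29-AA-BB-CC"})})})

SAMPLE_SYSTEM = key(subkeys={
    "Select": key({"Current": 1}),
    "ControlSet001": key(subkeys={
        "Services": key(subkeys={"Tcpip": key(subkeys={"Parameters": key(subkeys={
            "Interfaces": key(subkeys={
                GUID_A: key({"EnableDHCP": 1, "DhcpIPAddress": "192.0.2.10",
                             "DhcpDefaultGateway": "192.0.2.1"}),
                GUID_B: key({"EnableDHCP": 0, "IPAddress": "192.0.2.20"})})})})}),
        "Control": key(subkeys={"Class": key(subkeys={NET_CLASS_GUID: key(subkeys={
            "0001": key({"NetCfgInstanceId": GUID_B,
                         "NetworkAddress": "020000000001"})})})})})})

if __name__ == "__main__":
    for r in enumerate_nics(SAMPLE_SOFTWARE, SAMPLE_SYSTEM):
        print(r)
    print("WGA MAC:", wga_mac(SAMPLE_SOFTWARE))
```

On the sample data, NIC A comes back with only its DHCP lease details and no NetworkAddress, while NIC B is reported with a NetworkAddress taken from the class key, which is exactly the case the post says to look at twice (vendor-specific value or MAC spoofing) rather than treat as the burned-in address.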

3 comments:

Anonymous said...

On a related note, I've seen quite a few inquiries on finding an IP address in the registry. In at least most cases (perhaps depending on service type), I believe that the IP address associated with the NIC is present when the system is live, but not thereafter. (A good reason to run a few of your tools on a live system if justified.) You can, however, get information such as DHCP IPs and gateway IPs, and that information could be useful.

H. Carvey said...

Great comment, Jimmy...thanks!

Anonymous said...

The best place I've found MAC Addresses listed for a system has been in the Event Log.
Look for System Event Logs with SOURCE=DHCP and for example, event id=1003 (on WinXP). This particular example is when a system attempts (and fails) to renew its address. The event log will record the network card's network (MAC) address in the Description.
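As an added example illustrating the event log approach in the comment above (this is not the commenter's code), the Python below pulls network (MAC) addresses out of exported System event log records with Source=DHCP and event ID 1003, and records first/last seen times per address. The log lines are constructed, in a tab-separated "timestamp, source, event id, description" layout assumed for this example; real Event Viewer exports differ, so parse_record() is the only piece that needs adjusting.

```python
# Added example, not from the comment's author: extract MAC addresses from
# exported System event log records (Source=DHCP, event ID 1003 on XP, as the
# comment notes). The export layout and every record below are constructed.
import re
from collections import OrderedDict

# Description text names the card by its 12 hex-digit address, sometimes 0x-prefixed.
MAC_RE = re.compile(r"network address (?:0x)?([0-9A-Fa-f]{12})")
DHCP_EVENT_IDS = {1003}   # XP renewal failure, per the comment above

SAMPLE_LOG = (  # constructed: timestamp <TAB> source <TAB> event id <TAB> description
    "2007-12-27 08:14:02\tDHCP\t1003\tYour computer was not able to renew its "
    "address from the network (from the DHCP Server) for the Network Card with "
    "network address 000C29AABBCC.\n"
    "2007-12-27 09:30:11\tService Control Manager\t7036\tThe Workstation service "
    "entered the running state.\n"
    "2007-12-28 07:55:40\tDHCP\t1003\tYour computer was not able to renew its "
    "address from the network (from the DHCP Server) for the Network Card with "
    "network address 000C29AABBCC.\n"
    "2007-12-28 12:01:05\tDHCP\t1003\tYour computer was not able to renew its "
    "address from the network (from the DHCP Server) for the Network Card with "
    "network address 0x001122334455.\n"
)


def parse_record(line):
    """Split one export line into (timestamp, source, event_id, description);
    None for lines that do not fit the assumed four-field layout."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4 or not parts[2].isdigit():
        return None
    return parts[0], parts[1], int(parts[2]), parts[3]


def format_mac(raw_hex):
    """000C29AABBCC -> 00-0C-29-AA-BB-CC, the form most other artifacts use."""
    return "-".join(raw_hex[i:i + 2] for i in range(0, 12, 2)).upper()


def macs_from_log(text):
    """Map each MAC found in qualifying DHCP records to its first and last
    timestamp and a hit count, preserving the order of first appearance."""
    seen = OrderedDict()
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ts, source, event_id, desc = rec
        if source.upper() != "DHCP" or event_id not in DHCP_EVENT_IDS:
            continue
        for raw in MAC_RE.findall(desc):
            entry = seen.setdefault(format_mac(raw), {"first": ts, "last": ts, "count": 0})
            entry["last"] = ts
            entry["count"] += 1
    return seen


if __name__ == "__main__":
    for mac, info in macs_from_log(SAMPLE_LOG).items():
        print(mac, info)
```

Keeping first and last timestamps per address is what makes this useful alongside the registry data: it shows not just which card was present but over what period the system was using it.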