Windows Uniqueness

Owned by Glen Epperson (Unlicensed)
Last updated: Nov 03, 2017 by Conor McCann
2 min read

Problem

Determining Windows Devices Uniqueness

Because of the wide variety of windows installs the uniqueness for windows is quite complex. It is not possible to retrieve exactly the same information from a device via both WMI and Remote Registry; as such the uniqueness values are different. Both methods require the Windows ProductID (PID) to be retrieved along with the Hostname of the device. To reduce the factorial issue the uniqueness string was also reduced to just one other component. This value is different depending on whether the device is virtualized and by which platform it is virtualized on. In the event of a communication issue with the device the scan is stopped as we can no longer ensure the integrity of the uniqueness.

Solution

WMI

In WMI the PID is retrieved from the Win32_OperatingSystem class in the root\cimv2 namespace.

SELECT SerialNumber FROM Win32_OperatingSystem

The second part of the uniqueness string is the UUID of the device. This retrieved from the Win32_ComputerSystemProduct class in the root\cimv2 namespace; this value can be overwritten in the scenario where the device is recognised as virtualized (see below).

SELECT Vendor, UUID, IdentifyingNumber FROM Win32_ComputerSystemProduct

Virtualization

If the device has been identified as a virtual device the UUID component can be replaced by a platform specific component. The virtualization platform is identified either by the Vendor value from the Win32_ComputerSystemProduct query or the existence of the following registry keys.

Virtual Server 

[SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters] PhysicalHostname

HyperV Server 

[SOFTWARE\Microsoft\Virtual Machine\Auto] ProductType

The UUID component of a device is replace with the following values:

Virtual Server
For Virtual Server the UUID component is kept.
HyperV Server
For HyperV Server the UUID component is kept.
VMWare
For VMWare the UUID component is updated to the Identifying Number value retrieved by the Win32_ComputerSystemProduct query.

These values are used as they are maintained and updated by the virtualization platform for each device so should be unique for clones. If there is a collision the device creation logic will create a duplicate row based on the hostname.


 

Remote Registry

Remote registry is reserved for devices without WMI installed, such as Windows NT. The PID is retrieved from the registry in the following locations.

[SOFTWARE\Microsoft\Windows NT\CurrentVersion] ProductID 
or 
[SOFTWARE\Microsoft\Windows\CurrentVersion] ProductID


It is not possible to retrieve the UUID for a device via the registry, so for this type of scan it is left blank. If the device OS is Windows NT the UUID is allowed to be blank, otherwise an exception is thrown.

Virtualization

To identify a virtualized device via the registry we look at the same keys as above. We also check the BIOS manufacturer in an attempt to identify the virtualization platform.

Virtual Server
[SOFTWARE\Microsoft\Virtual Machine\Guest\Parameters] PhysicalHostname
HyperV Server
[SOFTWARE\Microsoft\Virtual Machine\Auto] ProductType
BIOS Vendor
[HARDWARE\DESCRIPTION\System\BIOS] SystemManufacturer

Filter by label

There are no items with the selected labels at this time.