Reply to post: What a BusKill... for Windows

Rowhammer rides again as FPGA attack, RSA again reportedly up for sale, anti-theft kit to nuke laptops, etc

gypsythief

What a BusKill... for Windows

I was curious if that BusKill would work on Windows, and it turns out, it does!

1) Open Event Viewer, and drill down to "Application and Service Logs - Microsoft - Windows - DriverFrameworks-UserMode"

2) We need the "Operational" log which is disabled; to enable, right-click -> Properties, tick "Enable Logging", OK

3) Find a spare memory stick of a make/model that you don't otherwise use. Plug it in, wait a few seconds and unplug.

4) Refresh the view, then open the latest entry with EventID 2102

5) Switch to the "Details" tab, then "XML View". You will need the data from the "InstanceID" field

6) Paste the following XML into your editor of choice (you can remove the extra white lines; the forum inserts those automatically on line-breaks):

***Begin XML***

<QueryList>
  <Query Id="0" Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
    <Select Path="Microsoft-Windows-DriverFrameworks-UserMode/Operational">
      *[System[(EventID=2102)]]
      and
      *[UserData/UMDFHostDeviceRequest/InstanceId="Your Instance ID"]
      and
      *[UserData/UMDFHostDeviceRequest/RequestMinorCode="23"]
    </Select>
  </Query>
</QueryList>

***End XML***

Replace "Your Instance ID" with your InstanceID data from the event log, then replace all special characters with their ASCII hex codes. For example, my InstanceID of:

SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0&REV_PMAP#50E549C695A4BF10698DA240&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}

Became:

"SWD\WPDBUSENUM\&#x5F;&#x3F;&#x3F;&#x5F;USBSTOR&#x23;DISK&#x26;VEN&#x5F;KINGSTON&#x26;PROD&#x5F;DATATRAVELER&#x5F;2&#x2E;0&#x26;REV&#x5F;PMAP&#x23;50E549C695A4BF10698DA240&#x26;0&#x23;&#x7B;53F56307-B6BF-11D0-94F2-00A0C91EFB8B&#x7D;"

7) Copy your completed XML. Open Task Scheduler, create a new task. Create a new "Trigger" and from the "Begin the task" drop-down, select "On an event", select "Custom" and click the new event filter button. Switch to the XML tab and tick the "Edit query manually" box. Paste in your XML from above.

8) OK back out a couple of times, and finish setting up your task. I set my Action to lock my computer: Action: start a program; program: "rundll32.exe"; Add arguments: "user32.dll, LockWorkStation"

9) Tweak final settings, mainly allowing the task to run if not on AC power, and you're done :)
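The escaping in step 6 and the filter it feeds, as an added Python helper that is not from the original post: it builds the QueryList from a raw InstanceID using the rule inferred from the example above (an assumption: letters, digits, backslash and hyphen are kept, everything else becomes a hex character reference), then parses the result back to confirm the XML is well-formed and the ID round-trips. The sample ID is the one quoted in the post.

```python
import re
import xml.etree.ElementTree as ET

LOG_PATH = "Microsoft-Windows-DriverFrameworks-UserMode/Operational"

# The InstanceID quoted in the post above, reused here as sample input.
SAMPLE_ID = (r"SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_KINGSTON&PROD_DATATRAVELER_2.0"
             r"&REV_PMAP#50E549C695A4BF10698DA240&0#{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}")


def escape_instance_id(instance_id: str) -> str:
    """Escape an InstanceID for the XPath literal in the event filter.
    Rule inferred from the post's example (assumption): letters, digits,
    backslash and hyphen stay; everything else becomes a hex character
    reference ('&' -> '&#x26;'), which is what keeps the query valid XML."""
    return "".join(
        ch if (ch.isalnum() or ch in "\\-") else f"&#x{ord(ch):02X};"
        for ch in instance_id
    )


def build_query(instance_id: str, event_id: int = 2102, minor_code: str = "23") -> str:
    """Return the QueryList XML to paste into the Task Scheduler event filter."""
    escaped = escape_instance_id(instance_id)
    return (
        "<QueryList>\n"
        f'  <Query Id="0" Path="{LOG_PATH}">\n'
        f'    <Select Path="{LOG_PATH}">\n'
        f"      *[System[(EventID={event_id})]]\n"
        "      and\n"
        f'      *[UserData/UMDFHostDeviceRequest/InstanceId="{escaped}"]\n'
        "      and\n"
        f'      *[UserData/UMDFHostDeviceRequest/RequestMinorCode="{minor_code}"]\n'
        "    </Select>\n"
        "  </Query>\n"
        "</QueryList>\n"
    )


def selected_instance_id(query_xml: str):
    """Parse the query and read the InstanceId literal back out of the XPath.
    The parser expands the character references, so getting the original ID
    back proves the escaping round-trips. Returns None when the XML is not
    well-formed, which is what an unescaped '&' in the ID causes."""
    try:
        select = ET.fromstring(query_xml).find("Query/Select")
    except ET.ParseError:
        return None
    match = re.search(r'InstanceId="([^"]*)"', select.text or "")
    return match.group(1) if match else None
```

`build_query(SAMPLE_ID)` prints the exact filter the post's steps produce; swap in your own InstanceID from the 2102 event to generate yours.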
