
DeviceID.exe tool provides invalid regex and device id for USB and external drives

Article ID: 236762

Products

Data Loss Prevention Enterprise Suite Data Loss Prevention

Issue/Introduction

A policy that either whitelists or restricts certain devices, using the regex value stored in "endpoint devices", doesn't seem to work.

Environment

Release: 15.8

Resolution

Certain kinds of USB devices have multiple entries identified by the operating system. If the "DeviceID.exe" tool is not run with appropriate permissions, it will often report only one of these device IDs for each device. Sometimes it will report the incorrect one of the two device IDs in the PowerShell or CMD output.

 

The output might look like this:

Dev ID: SWD\WPDBUSENUM\_??_USBSTOR#DISK&VEN_&PROD_USB_DISK_3.0&REV_PMAP#1234567890987654&0#{123A456789-B1CD-23E4-4E32-DC1B-987654321}

Regex: SWD\WPDBUSENUM\\_\?\?_USBSTOR#DISK&VEN_&PROD_USB_DISK_3\.0&REV_PMAP#1234567890987654&0#\{123A456789\-B1CD\-23E4\-4E32\-DC1B\-987654321\}

In reality, the USB device in question should be reported as follows (highlighting added for emphasis on the discrepancies):

Dev ID:    USBSTOR\DISK&VEN_&PROD_USB_DISK_3.0&REV_PMAP\1234567890987654&0     

Regex:     USBSTOR\\DISK&VEN_&PROD_USB_DISK_3.0&REV_PMAP\\1234567890987654&0   

 

As an alternative to the Broadcom-provided DeviceID.exe tool, you can pull the correct device ID with the command below, run in PowerShell. You will need to convert it to a regex for use in policies.

Get-PnpDevice -Class WPD,DiskDrive -Status OK | Format-Table -Wrap -AutoSize
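
One way to do the regex conversion, as an added example that is not Broadcom code: it escapes each instance ID with .NET's [regex]::Escape and confirms the resulting pattern matches the ID it came from. The helper name ConvertTo-DeviceIdRegex is hypothetical, and the example assumes the policy field accepts standard backslash escapes.

```powershell
# Added example, not part of the DeviceID.exe tool.
# ConvertTo-DeviceIdRegex is a hypothetical helper name.
function ConvertTo-DeviceIdRegex {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string]$InstanceId
    )
    process {
        # [regex]::Escape backslash-escapes regex metacharacters
        # (\ . ? { # and others) so the pattern matches the ID literally.
        $pattern = [regex]::Escape($InstanceId)

        # Round-trip check: the anchored pattern must match its own source ID.
        if (-not [regex]::IsMatch($InstanceId, '^' + $pattern + '$')) {
            throw "Generated pattern does not match '$InstanceId'"
        }

        [pscustomobject]@{
            Enumerator = $InstanceId.Split('\')[0]   # first path element, e.g. USBSTOR or SWD
            DevId      = $InstanceId
            Regex      = $pattern
        }
    }
}

# Constructed sample: the USBSTOR device ID shown in this article.
$sample = 'USBSTOR\DISK&VEN_&PROD_USB_DISK_3.0&REV_PMAP\1234567890987654&0'
$sample | ConvertTo-DeviceIdRegex | Format-List
# Note: Escape also escapes the "." in "3.0"; the article's regex leaves it
# unescaped. Both forms match this device ID.

# Live devices (Windows only): one row per entry, so a drive the OS lists
# twice shows both its USBSTOR ID and its SWD\WPDBUSENUM ID side by side.
if (Get-Command Get-PnpDevice -ErrorAction SilentlyContinue) {
    Get-PnpDevice -Class WPD,DiskDrive -Status OK |
        Select-Object -ExpandProperty InstanceId |
        ConvertTo-DeviceIdRegex |
        Sort-Object Enumerator |
        Format-List
}
```

The Enumerator column makes it easy to pick the USBSTOR entry that this article identifies as the correct one for the sample device.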