My Book 1140 missing drivers a.k.a Western Digital incompatible Twin brothers

Today I bought a second WD My Book Essentials 3TB as I was running out of space (sample analysis generates lots of data that has to be stored somewhere locally and I can’t afford a better solution at the moment).

I really like WD drives, so far they are the most reliable I know, so I was happy to purchase a twin brother to my already heavily utilized 3TB. I thought I would just plug it in + start transferring some research data goodness to it immediately. To my surprise, anytime I connected the first drive, everything was OK, but once the new drive was attached, I was getting cryptic messages about ‘My Book 1140’ drivers not found.

Enter ‘My Book 1140’ drivers nightmare 🙁

Googling around turns up a lot of posts from people having issues with this particular model. Some people suggest that the hard drive is faulty and advise replacing it.

As usual, a typical troubleshooting path didn’t work. No drivers could be found in any way, upgrading the hard drive’s firmware didn’t work, removing and reinstalling the USB devices from Device Manager didn’t work, reinstalling the full WDC software package (sad piece of bloatware written using .NET) from the web site didn’t help either. Nada. Nothing worked and I was starting to get seriously pissed off.

Enter forensics mode 😉

I started looking at registry settings under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB and discovered that the 2 drives I purchased use slightly different Product IDs. The first one was listed under VID_1058&PID_1130 and the new one under VID_1058&PID_1140.

VID 1058 is a Vendor ID for Western Digital Technologies, Inc. and PID is a Product ID of the drives. Because they are different, the system expects different drivers and apparently for the new one, it failed to install them properly. I dunno why, but this seems to be a really common issue.

Of course, knowing that the drives I bought are almost identical and should work properly as a USB Mass Storage device with the same driver, I decided to help my system a bit 🙂

I exported both entries from 1130 and 1140 and compared them visually; the sequences of exported values are different, but one can easily spot the missing or incorrect settings:

In particular:

  • "Class"="USB"
  • "ConfigFlags"=dword:00000000 vs. "ConfigFlags"=dword:00000400

and of course, the most important of them all:

  • "Driver"="{36fc9e60-c465-11cf-8056-444553540000}\\0103"
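The visual comparison described above can also be done mechanically. The following is an added example, not part of the original post: it parses two exported .reg texts and reports which values are missing or different, regardless of the order in which they were exported. The sample exports are constructed; only Class, ConfigFlags and Driver are taken from the post, while the instance key names and the DeviceDesc value are placeholders.

```python
import re

# Constructed sample exports, not the author's files. Class, ConfigFlags and
# Driver are the values quoted in the post; the instance key names and the
# DeviceDesc value are placeholders.
EXPORT_1130 = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_1058&PID_1130\INSTANCE_PLACEHOLDER_A]
"DeviceDesc"="placeholder description"
"Class"="USB"
"Driver"="{36fc9e60-c465-11cf-8056-444553540000}\\0103"
"ConfigFlags"=dword:00000000
'''
EXPORT_1140 = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_1058&PID_1140\INSTANCE_PLACEHOLDER_B]
"ConfigFlags"=dword:00000400
"DeviceDesc"="placeholder description"
'''

# "name"=data, where the name may contain escaped quotes or backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_values(text):
    """Return {value_name: raw_data} for the named values in a .reg export."""
    # Long hex values wrap with a trailing backslash; join them first.
    text = re.sub(r'\\\r?\n[ \t]*', '', text)
    values = {}
    for line in text.splitlines():
        m = VALUE_RE.match(line.strip())
        if m:  # key headers, blank lines and the default (@) value are skipped
            values[m.group(1)] = m.group(2)
    return values

def diff_reg_values(good_text, bad_text):
    """Order-insensitive diff: (missing from bad, present in both but different)."""
    good, bad = parse_reg_values(good_text), parse_reg_values(bad_text)
    missing = {k: v for k, v in good.items() if k not in bad}
    changed = {k: (v, bad[k]) for k, v in good.items() if k in bad and bad[k] != v}
    return missing, changed

if __name__ == "__main__":
    missing, changed = diff_reg_values(EXPORT_1130, EXPORT_1140)
    for name, data in missing.items():
        print(f"missing in 1140: {name} = {data}")
    for name, (good, bad) in changed.items():
        print(f"differs: {name}: 1130 has {good}, 1140 has {bad}")
```

Regedit writes .reg exports as UTF-16, so real files need to be opened with `encoding="utf-16"`. Values from every key in an export are merged into one dictionary, so compare one device instance at a time.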

Enter Mr. Registry Experimentator mode 🙂

Editing the Registry under HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\ is prohibited for normal users, so you have to run Regedit as SYSTEM.

The usual psexec -i -s regedit.exe worked like a charm and I navigated to the HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\USB\VID_1058&PID_1140 key.

Next, I manually copied the missing values from 1130 to 1140 ("Class"="USB" and "Driver"="{36fc9e60-c465-11cf-8056-444553540000}\\0103") and modified the value of "ConfigFlags"=dword:00000400 to "ConfigFlags"=dword:00000000 (this removes annoying ‘driver not found’ popups) and then restarted the system.

Et voila. Problem gone.

Final settings as shown below:

Note: if you have a similar problem, make sure that you UNDERSTAND what you are doing before you even attempt to fix it yourself. Editing the Registry is not as risky as everyone makes you believe, but if you screw it up, it is your fault only and don’t blame me if you need to rebuild your system. You have been warned 🙂

HexDive 0.3

New version comes with lots of fixes and updates.

New stuff includes:

  • lots of new malware-specific APIs (I manually walked through thousands of them so over 1600+ APIs commonly used by malware are now being picked up)
  • banking URLs (all stuff from web injects from Zeus/SpyEye etc.)
  • domain names commonly changed via hosts file (anti-* routine to block security software, etc.)
  • minor fixes to existing strings (simple mistakes I spotted)
  • large files are now supported; it has been implemented since the beginning, but I have not tested it yet; if you come across issues, please let me know
  • extra option to avoid showing copyright banner (same as in SysInternals tools /q or -q)
  • better options handling (à la Linux) so you can now specify -qfa instead of -q -f -a

What’s coming: Currently toying around with porting the code to yasm, so an elf32 version precompiled for Linux Ubuntu may appear soon 🙂

You can download the current version of HexDive here.

If your .exe download is blocked, you can try a zip file.

Note:

If you find HexDive is missing strings, please let me know and I will add them. At some stage I plan to release all of the strings for free, but before I do it I want to ensure they are at least classified to some extent. Yes, I will do the dirty job 🙂 just let me know what is missing. If you have some features you would like to see, please let me know as well. And if you find any bugs, please also let me know.

Thanks for trying and don’t forget to check our other tools!