Finding Bluetooth link key in Windows 7, to double pair a device on dualboot computer

12

8

How can I dig up the Bluetooth link key for a paired device in Windows 7? Is this something that is dependent on the Bluetooth stack I'm using (Toshiba), or is there a generic place to store these in Windows 7?

Note: I'm not talking about the six-digit code usually typed by the user during pairing - that is worthless since it's discarded after pairing process. What I mean is the 128-bit link key that the devices exchange during pairing, and use thereafter to encrypt all their Bluetooth traffic.

Background:

I dualboot Windows 7 / Ubuntu on my laptop, and I would like to have my phone paired to both OS's. Since the dualbooting computer has only one Bluetooth adapter and thus only one Bluetooth address, I cannot do two pairings to the phone, since on the second pairing (Windows) the phone just replaces the previous pairing (Linux) to the same Bluetooth address.

A thread on Ubuntu forums pointed me to what I have to do - pair first on Linux, then on Windows, and then replace the link key on Linux side with the one Windows negotiated.

I can find the Linux side pairing key from /var/lib/bluetooth/[BD_ADDR]/linkkeys - no problems there.

However, on Windows side I can't find the key. According to the forum post, on Windows side the key should be in SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\[BD_ADDR] but while that registry key does exist, it has no subkeys. (And a similar registry path in ControlSet001 didn't have any subkeys either.)

One thing I've been instructed to do is to capture all events during pairing with Sysinternals Process Monitor. I did this, but I haven't been able to find any useful information from the captured events, not even by exporting the data to a huge XML and grepping that with the BD_ADDRs (with or without colons).

So how could I find the link key for a paired device in Windows 7?

Some reference information: Wikipedia: Bluetooth, Security Now: Bluetooth security

Ilari Kajaste

Posted 2011-01-06T18:57:11.553

Reputation: 3 282

Answers

7

The registry key you should use is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys.

On my computer, it refused to let me access this key. I had to change the owner to Administrators before I could see the sub-key.

If you are using the Toshiba Bluetooth stack, its keys are stored somewhere else. One can either find where, or simply return to the Microsoft stack. In the latter case, the Bluetooth keys will be stored in the registry as above.

This thread describes the process :

  1. Uninstall Toshiba Bluetooth (Add/Remove programs),
  2. Reboot,
  3. Windows should now detect the "new" Bluetooth device and install its own drivers for it.

Caution: Create a system restore point first, and ensure you have the installation media for the Toshiba driver for going back (just in case). Test well the functionality of the paired phone before crying victory.

harrymc

Posted 2011-01-06T18:57:11.553

Reputation: 306 093

Strangely I cannot change the owner of "keys", although a dialog box tells me I could. If I try it I get an "access denied" message. Any clues? I tried regedit as normal user and as administrator. – bortran – 2016-03-07T14:17:10.223

@bortran: Strange. Try temporarily turning off UAC, and if still having problems then ask on this forum on a separate post. – harrymc – 2016-03-07T14:26:29.680

@harrymc I found the issue - you have to go through advanced settings, there define the owner first, ignore the message that says you're not allowed to change it, then do as the post described, again ignore the message that tells you that you cannot do it. It still works then, found the solution on a Microsoft forum. Weird stuff. – bortran – 2016-03-09T08:42:10.013

I changed the owner to Administrator, which then let me access that key, but unfortunately it contains no sub-keys. – Ilari Kajaste – 2011-01-09T12:00:14.750

Did you do that while paired? – harrymc – 2011-01-09T13:28:19.650

Yes, I have and had the phone (plus two other devices) paired to windows. I wasn't connected to any of them at the time, though - I figure that couldn't matter since the key has to be stored in any case. – Ilari Kajaste – 2011-01-09T18:33:21.230

Very strange. I had connected to 3 BT devices, some quite a long time ago, and had all 3 sub-keys. The difference with you might be that (1) I changed the owner after booting in Safe mode, (2) I have UAC off, (3) I changed the owner to Administrators, not Administrator, (4) I rebooted after the change. I don't know which one did the trick for me. – harrymc – 2011-01-09T18:41:41.433

Ok, I also changed owner to the group "Administrators", and tried rebooting - no difference. I guess one difference could be I'm running Windows 7 starter edition, but I'd imagine that wouldn't affect anything like this. Not sure if UAC can be turned off in Starter. Further, I also tried to do the same to ControlSet002, and there the [...]\Keys also didn't contain any subkeys even though when accessing that from linux with chntpw -e the subkeys (BD_ADDR's, one for each device) are there as I described, but don't contain any values. – Ilari Kajaste – 2011-01-09T20:30:07.617

There's some data in CurrentControlSet\Enum\BTHENUM but I don't know what to make of it. Three subkeys in format of {a1b2c3d4-a1b2-a1b2-a1b2-a1b2c3d4e5f6}_LOCALMFG&0000, each of them containing an identical subkey 7&a1b2c3d4&0&000000000000_00000000 which has some 6 values and subkeys LogConf and Properties. None of these I can identify as the BD_ADDR of a device. The Properties subkey has access denied by default - it contains 5 subkeys (same for each 3 subkey trees) in format of {a1b2c3d4-a1b2-a1b2-a1b2-a1b2c3d4e5f6}, which contain some subkeys that don't seem significant. – Ilari Kajaste – 2011-01-10T08:39:15.173

I haven't found anything in there either that looks like the data I have in BTHPORT (which is why I deleted my suggestion). It is rather weird that you have no data, but I don't think Microsoft rewrote Bluetooth for Win7. A propos: You do use the Microsoft Bluetooth stack? – harrymc – 2011-01-10T08:49:28.320

I'm using Toshiba's bluetooth stack. It could be it stores the keys somewhere else - but if there indeed is a place for them in the registry, it's strange Toshiba would not use that. – Ilari Kajaste – 2011-01-10T09:32:16.943

I am sure Toshiba wouldn't use Microsoft registry entries. Can you go back to the Microsoft stack? – harrymc – 2011-01-10T11:05:17.023

If you can't go back to the Microsoft stack, try maybe to regedit search for "Toshiba". Maybe you can find something there, or in the Toshiba installation folder. – harrymc – 2011-01-10T12:37:56.337

I'm not sure if it's possible to switch to Microsoft stack. At least my BT device required Toshiba drivers to work - does this mean it would also require Toshiba BT stack? I'm not at all familiar with the driver/stack distinction. – Ilari Kajaste – 2011-01-10T19:01:32.750

This thread says: 1. Uninstall Toshiba Bluetooth (Add/Remove programs), 2. Reboot, 3. Windows should now detect the "new" Bluetooth device and install its own drivers for it. Create a system restore point first, and ensure you have the installation media for the Toshiba driver (in case). If this works, test well only the functionality of the paired phone that you really use. – harrymc – 2011-01-10T20:14:21.063

Well, Windows didn't find any of its own drivers when I first plugged in the device - I'd rather use Microsoft than third party drivers. But since Windows didn't find them, I had to get the Toshiba drivers. They also happen to be some really annoying trial version (the drivers that came with the device didn't have a Win7 version), so I would be more than happy to get rid of them... – Ilari Kajaste – 2011-01-10T21:36:40.643

Well, I removed the Toshiba bluetooth stack, but the bluetooth adapter still works, now with Microsoft stack. Interesting. I assume the Toshiba stack and Toshiba drivers are independent, but the installer installed both of them without ever asking me if I'm interested in the stack at all (which I really wasn't). Ok, now to see if the pairing works, and if the pairing key can be found from the place where it should be... – Ilari Kajaste – 2011-01-10T21:55:00.940

Yes! The problem was that the Toshiba stack saved its keys into some other location. Key revelation for me was that I can remove the Toshiba stack but still have my bluetooth dongle working. After switching to Microsoft stack, the link key was found in the location SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\[BD_ADDR] and it could be copied into linux side, just as the forum post I linked described. I can now confirm that my phone is now correctly working as double paired to both windows and linux side. – Ilari Kajaste – 2011-01-10T22:29:56.870

@harrymc: If you write this solution (something about switching back to Microsoft stack) as a new answer, I'll gladly accept that to pay the bounty rep! – Ilari Kajaste – 2011-01-10T22:31:41.313

OK, I modified this answer. BTW, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet is the same as ControlSet001 for user account #1. Also, Microsoft drivers were probably already installed. Toshiba assuredly doesn't install Microsoft software. – harrymc – 2011-01-11T06:45:19.403

So the drivers are the same as the "bluetooth stack"? I wonder why Windows didn't find the drivers for the bluetooth adapter on the first time then. Oh well, in a surprising turn of events, BTW, the Toshiba BT adapter actually physically broke today, and I had to get a new one. :) Well, the same procedure still works. – Ilari Kajaste – 2011-01-11T11:06:16.253

It may sometimes happen that Windows needs 2 reboots to completely do its stuff. Thanks for the bounty, and have fun! – harrymc – 2011-01-11T11:30:52.887

5

The keys are not visible to the admin; you should open the registry as the system account.

This is for Windows 7 on a ThinkPad with a ThinkPad Bluetooth 4.0 adapter, but might work with other Windows systems.

Download PsExec: http://technet.microsoft.com/en-us/sysinternals/bb897553.aspx

Unpack it to c:\portable\pstools\. Open cmd: click Start, type cmd, press Enter. Inside the black and white window type:

c:\portable\pstools\psexec -s -i regedit

regedit opens up. Navigate to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\

There you'll find the MAC addresses of all of your Bluetooth adapters, and under each adapter are all the paired devices' MAC addresses with their link keys.

To figure out your adapter's MAC address:

bluetooth settings> Hardware > ThinkPad Bluetooth 4.0 > Properties > Advanced > Address

To figure out your device's (keyboard/mouse) MAC address:

Control Panel > Hardware and Sound > Devices and Printers > right click your device > Properties > Bluetooth > Unique Identifier 

thezeroth

Posted 2011-01-06T18:57:11.553

Reputation: 61

From @Cristian: I used the method described by thezeroth on my Xubuntu 15.10 / Windows 8 dualboot machine and it works like a charm. The only thing is that on Xubuntu the pairing key was not in the mentioned file but in a file called Info inside a subfolder named after the unique identifier of the mouse (a Logitech M535). Other than that, perfect solution. – fixer1234 – 2015-11-10T00:32:36.437

3

I had exactly the same problem, so I found this post and now want to share my experience. If you have an Android smartphone, that task might actually be much easier, since the pairing link key should be present on both of your devices.

The most useful tool is ADB from the Android SDK.

Let's assume the phone has address XX^6 and the PC has address YY^6.

$ adb shell
~ # find|grep linkkeys
./data/misc/bluetoothd/XX:XX:XX:XX:XX:XX/linkkeys
~ # cat ./data/misc/bluetoothd/XX:XX:XX:XX:XX:XX/linkkeys
YY:YY:YY:YY:YY:YY 393FCA48F0DB57AA4D59F423E4EA60D5 5 -1
~ #

Thus you can just pick the key from that file and put it into the similar file on your PC:

pc $ sudo -s
pc # cat /var/lib/bluetooth/YY:YY:YY:YY:YY:YY/linkkeys
XX:XX:XX:XX:XX:XX 393FCA48F0DB57AA4D59F423E4EA60D5 5 0

This way seems to be the easiest, as Linux and Android usually use the same BlueZ Bluetooth stack.

Still, if you personally despise such a technique, there is another way of getting the key from the Windows registry, provided standard Windows drivers are used. I did receive that security message dialog, so I used "chntpw", a native Linux utility which allows one to reset the password or edit the Windows registry file. The file required was "windows\system32\config\SYSTEM".

Here it goes:

$ chntpw -e SYSTEM
blah-blah-blah
> cd ControlSet001\services\BTHPORT\Parameters\Keys\yyyyyyyyyyyy
(...)\BTHPORT\Parameters\Keys\5cac4c10c4f1> ls
Node has 0 subkeys and 1 values
  size     type            value name             [value if type DWORD]
     16  REG_BINARY        <xxxxxxxxxxxx>

(...)\BTHPORT\Parameters\Keys\5cac4c10c4f1> hex xxxxxxxxxxxx
Value <xxxxxxxxxxxx> of type REG_BINARY, data length 16 [0x10]
:00000  39 3F CA 48 F0 DB 57 AA 4D 59 F4 23 E4 EA 60 D5 9?.H..W.MY.#..`.

As you can see, those are exactly the same numbers as in the files above. Hope it will help future generations.

Spirit keeper

Posted 2011-01-06T18:57:11.553

Reputation: 31

Is your device rooted/has BusyBox installed? The "find" command failed. – None – 2015-03-16T05:45:28.587

0

For reference, on the Microsoft Bluetooth stack, the link keys are located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\aabbccddeeff where aabbccddeeff is your Bluetooth adapter. Since the adapter is already installed, this key should exist.

Within that key, you can have multiple REG_BINARY values, where the value name is the paired device's MAC address (in same form -- hex, lowercase, no separators) and the value is the link key (16 bytes).

To pick up the link keys from OS X, run (in the OS X Terminal) defaults read /private/var/root/Library/Preferences/blued.plist. Within LinkKeys, you should have a link key per MAC address of a paired device. The keys are base64-encoded, so do: echo -n 'aabbcc...==' | base64 -d | hexdump -C and type this key into your Windows registry.

Ilya

Posted 2011-01-06T18:57:11.553

Reputation: 1 584

-1

PsExec.exe -s -i regedit /E %cd%\btkeys_export.txt "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys"

keep_it_simple

Posted 2011-01-06T18:57:11.553

Reputation: 1

Welcome to Super User! Could you elaborate on this? Perhaps edit your answer to explain what you are describing and why you are making that suggestion. Thanks! – bertieb – 2018-06-19T00:03:06.607
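The answers above give both storage layouts: a REG_BINARY value per paired device under BTHPORT\Parameters\Keys\<adapter>, and a BlueZ linkkeys line of the form "BD_ADDR KEY type pin-length". As an added example (not code from any of the posts), this Python sketch reads the text of a regedit export of that key and swaps only the key field in an existing linkkeys file; the function names and sample MAC addresses are assumptions made for illustration, and the key value is the one shown in the answer above.

```python
import re

# Constructed sample: decoded text of a regedit export of ...\BTHPORT\Parameters\Keys
# (regedit writes the file as UTF-16). The MAC addresses are made up.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\aabbccddeeff]
"112233445566"=hex:39,3f,ca,48,f0,db,57,aa,4d,59,f4,23,e4,ea,60,d5
'''
# Constructed sample: linkkeys file left by the earlier Linux pairing.
SAMPLE_LINKKEYS = "11:22:33:44:55:66 00112233445566778899AABBCCDDEEFF 5 0\n"

def colons(mac12):
    """aabbccddeeff -> AA:BB:CC:DD:EE:FF, the form BlueZ uses."""
    return ":".join(mac12[i:i + 2] for i in range(0, 12, 2)).upper()

def parse_reg_export(text):
    """Return {adapter BD_ADDR: {device BD_ADDR: 32-digit hex link key}}."""
    keys, adapter = {}, None
    text = text.replace("\\\r\n", "").replace("\\\n", "")  # join wrapped hex data
    for line in (l.strip() for l in text.splitlines()):
        m = re.fullmatch(r"\[.*\\BTHPORT\\Parameters\\Keys\\([0-9a-fA-F]{12})\]", line)
        if m:
            adapter = colons(m.group(1))
            keys[adapter] = {}
        elif line.startswith("["):
            adapter = None  # any other registry key: ignore its values
        elif adapter:
            m = re.fullmatch(r'"([0-9a-fA-F]{12})"=hex:([0-9a-fA-F,\s]+)', line)
            if m:
                key = re.sub(r"[,\s]", "", m.group(2)).upper()
                if len(key) != 32:
                    raise ValueError(f"link key for {m.group(1)} is not 16 bytes")
                keys[adapter][colons(m.group(1))] = key
    return keys

def replace_link_key(linkkeys_text, device, new_key):
    """Swap only the key field on the device's line; keep the other fields."""
    out, found = [], False
    for line in linkkeys_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0].upper() == device:
            fields[1] = new_key
            line, found = " ".join(fields), True
        out.append(line)
    if not found:
        raise KeyError(f"{device} has no existing line in linkkeys")
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    for adapter, devices in parse_reg_export(SAMPLE_REG).items():
        for device, key in devices.items():
            print(f"/var/lib/bluetooth/{adapter}/linkkeys")
            print(replace_link_key(SAMPLE_LINKKEYS, device, key), end="")
```

The export file and the linkkeys file both hold live link keys, so keep them readable by root/SYSTEM only and delete the export once the key has been copied.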