Get MAC-address from windows registry

3

1

I have a registry from another machine and I need to extract the MAC address of the Ethernet adapter.

The adapter settings are in HKEY_LOCAL_MACHINE\old_registry\ControlSet001\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0009

and there is a parameter:

BIMacAdddress_l (REG_DWORD) = f315d433, which is hexadecimal; in decimal it is 4078294067

When I choose "Edit binary data" in the context menu, I see something like this:

0000 33 D4 15 F3 (and here are two weird symbols)

33 D4 15 F3 looks like the MAC address I am looking for, but it is only 8 characters; a normal MAC has 12 characters.

Screenshot with the registry tree: http://i.imgur.com/m8ssP.png

So what am I doing wrong?

kib0rg

Posted 2012-06-15T07:43:25.863

Reputation: 43

And how exactly did BIMacAdddress_h and BIMacAdddress_l come into existence? I did some research. It turns out these are named symbols in a PE called l160x64.sys, which is a driver for the Atheros L1 Gigabit Ethernet adapter. I am not surprised. This is exactly what we see in the screenshot. – Samir – 2019-09-30T22:27:12.767

You will normally not find the MAC address in the Windows registry. Not unless an administrator overrides the UAA address with an LAA address, in which case you will find a NetworkAddress field in one of the sub-keys of class key {4D36E972-E325-11CE-BFC1-08002bE10318}. What you have found is a hardly readable MAC address, which most likely has been registered by the NIC driver, unless you were doing some funny business and put it in there yourself. – Samir – 2019-09-30T22:33:41.463

By the way, "BI" as in BIMacAdddress_h stands for binary. It's meant to be readable by the operating system and possibly the NIC driver, not by humans. It's no wonder it's incomprehensible. – Samir – 2019-09-30T22:39:51.283

0000 33 D4 15 F3 means that you are starting at address 0000 and have four bytes in little-endian order (reversed). Hence you have the data f315d433. – Robert – 2012-06-15T12:00:56.620

Answers

5

I would assume that the MAC address is 00:18:f3:15:d4:33 (belongs to "Asustek" which is a mainboard manufacturer).

The trick is that the MAC address is 48 bits and is stored split into a high (BIMacAddress_h) and a low (BIMacAddress_l) part. Therefore you have to combine both parts and then use the lower 48 bits of the resulting 64-bit number. Then you get the MAC address above.

Robert

Posted 2012-06-15T07:43:25.863

Reputation: 4 857

I can confirm your assumption is 100% correct. – Ramhound – 2012-06-15T14:01:16.573

If this is true, why am I reading "Atheros" in the DriverDesc and ProviderName (in the screenshot)? That is a network device manufacturer. – None – 2012-06-17T18:59:39.543

If a mainboard manufacturer like Asustek buys network chips for their mainboards, they often change the MAC address to one from their own pool. Therefore I don't see a problem in having an Atheros LAN chip with an Asustek MAC address. – Robert – 2012-06-18T07:28:42.883
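Robert's combine-and-mask step and the little-endian byte view from the question, worked through as an added example that is not code from any answer on this page. The DWORD values 0x18 and 0xf315d433 are the ones quoted in the thread; the function names are my own.

```python
import struct


def mac_from_registry_dwords(high: int, low: int) -> str:
    """Combine the _h and _l REG_DWORD halves and keep the low 48 bits.

    Each half is the 32-bit value as regedit displays it (already
    byte-swapped out of little-endian storage), so _h occupies the
    upper 32 bits of the 64-bit combination.
    """
    combined = ((high & 0xFFFFFFFF) << 32) | (low & 0xFFFFFFFF)
    if combined >> 48:
        # A real MAC never needs the top 16 bits; if they are set, these
        # two values are not a plain high/low split of one address.
        raise ValueError("upper 16 bits set: not a 48-bit MAC split")
    mac = combined & 0xFFFFFFFFFFFF
    return ":".join(f"{(mac >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


def binary_editor_view(dword: int) -> str:
    """Reproduce what regedit's 'Edit binary data' shows for a REG_DWORD:
    the four bytes in little-endian (least significant byte first) order."""
    return struct.pack("<I", dword).hex(" ").upper()


def dword_from_binary_editor(hex_bytes: str) -> int:
    """Inverse: turn bytes copied from the binary editor ('33 D4 15 F3')
    back into the DWORD value regedit displays (0xF315D433)."""
    return struct.unpack("<I", bytes.fromhex(hex_bytes))[0]


if __name__ == "__main__":
    high, low = 0x00000018, 0xF315D433      # BIMacAddress_h / _l from the question
    print(binary_editor_view(low))          # 33 D4 15 F3
    print(mac_from_registry_dwords(high, low))  # 00:18:f3:15:d4:33
```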

-1

Hey, the four zeroes are also considered part of the MAC address, and therefore it's a valid MAC: 000033D415F3.

TRonZ

Posted 2012-06-15T07:43:25.863

Reputation: 1

This answer is not correct. You need to combine BIMacAddress_h and BIMacAddress_l in order to get the correct MAC address. BIMacAddress_l is equal to f315d433, thus 33:d4:14:f3 is the second half of the address. The first part is 00000018, which is 00:18; combine them and you have the correct address. – Ramhound – 2012-06-15T14:05:21.717