Where IP Data is Stored for Network Cards under Windows

Version 0.4.10, Copyright (C) 1998, 1999, 2000, 2001, 2004, 2005 by Richard Dawe
Last updated 2005-10-09.
This document can be distributed freely, so long as it is unmodified.

The information in this document may not be entirely accurate. If you have any corrections or additions, please mail me.

Contents

[Introduction] [Windows 3.11] [Windows '95 & '98] [Windows NT] [Windows 2000]
[Miscellaneous] [Links] [Credits] [Version History]


Introduction

A Friendly Warning

This document was written by looking at Windows' private files. As such, the validity of the document depends very much on Microsoft not changing how Windows stores its IP data. You should also be aware that this document is heavily tied to Microsoft's TCP/IP stacks. Stacks by other companies may not store data in the same way.

Since the first versions of this document, Microsoft has produced an API to retrieve/modify IP data. As far as I know, this only works with Windows '98 and Windows NT 4 (with Service Pack 3 or 4?). The IP helper API, IPHLPAPI, is documented here:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iphlp/iphlp/about_ip_helper.asp

Apparently there is also a reliable way to get the IP address and subnet mask on "all" versions of Windows ('95 and later, I think) using the WSAIoctl() function. Here are links to a Knowledge Base article and to some source code that do this:

http://www.kbalertz.com/kb_186312.aspx
http://download.microsoft.com/download/platformsdk/sample31/1/W9XNT4/EN-US/Intrfc.exe

(Thanks to Aleksandar Radulovic for these links.)

Microsoft tends to reorganise its web site now and then, so these may have moved. If so, please tell me.

With the huge disclaimers out of the way, let's get onto the fun...

Definitions

Definitions tend to vary between platforms. So to be clear, here are some definitions:

Node name
The short name for the computer, e.g. 'fred'
Domain name
The DNS domain that the computer is in, e.g. 'flintstone.com'
Host name
The combination of the node and domain names, e.g. 'fred.flintstone.com'.

Microsoft and Unix seem to have differing definitions of the above. Microsoft stores the node name in a variable called 'HostName' or similar. This confused me for some time. I will use the Unix definition of a host name, as defined above.

Request for Information

If anyone has information on the following, I would be very grateful if they could share it with me:



Windows 3.11

This information was supplied by Ove Kaaven - thanks.

Under Windows 3.11, network card information is stored in "system.ini" in the Windows directory (e.g. c:\windows\system.ini). The list of available network cards is stored in a key called "Interfaces" in the section "MSTCP", as illustrated by this example extract:

	[MSTCP]
	Interfaces=MyCard1,MyCard2

There is a section for each interface, named after the interface, e.g. for the example above there will be two interface sections: MyCard1, MyCard2. The IP information is stored as follows in the section(s):

Continuing the above example we have:

	[MyCard1]
	IPAddress=192.168.0.2
	IPMask=255.255.255.0
	DefaultGateway=192.168.0.1
	NameServer1=192.168.0.10
	NameServer2=192.168.0.11
	...

An alternative method for obtaining the DNS server IP addresses is to read the "DNSServers" key of the "DNS" section, which contains a comma-separated list of DNS IP addresses, e.g.:

	[DNS]
	DNSServers=192.168.0.10,192.168.0.11

One can also obtain the node and domain names from this section from the keys "HostName" and "DomainName" respectively, e.g.:

	[DNS]
	HostName=foo
	DomainName=bar.com
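
The lookups above can be combined into one reader. This is an added example in Python, not part of the original document: the function names, the [386Enh] lines and the MyCard2 values are assumptions made for illustration, and falling back to the [DNS] list when a card has no NameServer keys is a choice made here.

```python
import configparser

# Constructed system.ini extract built from the fragments shown above.
# The [386Enh] driver names and the MyCard2 values are made up.
SAMPLE_INI = """\
[386Enh]
device=first.386
device=second.386

[MSTCP]
Interfaces=MyCard1,MyCard2

[MyCard1]
IPAddress=192.168.0.2
IPMask=255.255.255.0
DefaultGateway=192.168.0.1
NameServer1=192.168.0.10
NameServer2=192.168.0.11

[MyCard2]
IPAddress=192.168.1.2
IPMask=255.255.255.0

[DNS]
DNSServers=192.168.0.10,192.168.0.11
HostName=foo
DomainName=bar.com
"""


def split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def read_win311_ip_config(ini_text):
    # strict=False: system.ini repeats keys (e.g. several "device=" lines),
    # which the default strict parser rejects. interpolation=None: a "%" in
    # a value is data, not a template reference.
    ini = configparser.ConfigParser(strict=False, interpolation=None)
    ini.read_string(ini_text)
    dns = ini["DNS"] if ini.has_section("DNS") else {}
    config = {"node_name": dns.get("HostName"),
              "domain_name": dns.get("DomainName"), "interfaces": {}}
    for name in split_list(ini.get("MSTCP", "Interfaces", fallback="")):
        if not ini.has_section(name):
            continue  # listed under Interfaces but no section of that name
        sec, servers, n = ini[name], [], 1
        while "NameServer%d" % n in sec:
            servers.append(sec["NameServer%d" % n])
            n += 1
        config["interfaces"][name] = {
            "ip": sec.get("IPAddress"), "mask": sec.get("IPMask"),
            "gateway": sec.get("DefaultGateway"),
            # Fall back to the [DNS] list when the card has no NameServerN.
            "dns": servers or split_list(dns.get("DNSServers", ""))}
    return config
```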



Windows '95 & '98

I discovered this information by searching the Windows registry and running the winipcfg utility provided with Windows. I think this will apply to Windows '98 too, but I do not have it, so I can't confirm this.

Under Windows '95, the network card settings are stored in the registry in many places:

  1. HKEY_LOCAL_MACHINE\Enum\Root, HKEY_LOCAL_MACHINE\Enum\ISAPNP, HKEY_LOCAL_MACHINE\Enum\PCI

    These contain references to all the network devices installed.

  2. HKEY_LOCAL_MACHINE\Enum\Network\MSTCP

    This contains references to all the interfaces in NetTrans that the MSTCP driver looks after.

  3. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net

    This contains information for all network interfaces, e.g. Ethernet card(s), dial-up, etc.

  4. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Nettrans

    This contains information for all network card-protocol combinations, i.e. for the protocol bindings. There is one subkey per binding, so there may be many subkeys. This will probably contain information on NetBIOS, etc. too.

  5. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP

    The MSTCP section seems to deal with only network cards with fixed details, i.e. not for DHCP over Ethernet or dial-up links.

  6. HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\DHCP, HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\DHCPOptions

    This contains information for network cards configured via DHCP (Dynamic Host Configuration Protocol).

Network Device Enumeration Key Information

HKEY_LOCAL_MACHINE\Enum\Root
HKEY_LOCAL_MACHINE\Enum\ISAPNP
HKEY_LOCAL_MACHINE\Enum\PCI

These sections contain information about all network devices (even dial-up or virtual adapters) in the system as well as all (?) other devices. Each device type has an enumeration, so that multiple devices of the same type can be present. So keys for a particular instance of a device are of the form:

HKEY_LOCAL_MACHINE\Enum\Root\DeviceName\nnnn
or
HKEY_LOCAL_MACHINE\Enum\ISAPNP\DeviceName\xxxx
or
HKEY_LOCAL_MACHINE\Enum\PCI\DeviceName\yyyy

where DeviceName is the device name (e.g. *PNP0500 off the Root enum, VEN_1022&DEV_2000 off the PCI enum), nnnn is the instance number of the device (e.g. 0002) and yyyy is the PCI device identifier (e.g. BUS_00&DEV_10&FUNC_00).

TODO: What is the xxxx for ISAPNP?

Each nnnn, xxxx or yyyy key has a value called "Class", which is set to "Net" for network devices.

Once a network device has been found, its binding to various services can be obtained:

MSTCP Key Information

HKEY_LOCAL_MACHINE\Enum\Network\MSTCP

The MSTCP driver handles all the interfaces referenced here. It contains a set of subkeys numbered with four digits, e.g. "0000", "0001", etc. The "Driver" value of these subkeys references a NetTrans key that describes the interface-TCP/IP binding.

Nettrans Key Information

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Nettrans

The information for each protocol bound to a network card is stored in a subkey per binding. These subkeys have names that consist of four digits, e.g. "0000", as in an enumeration. I believe these digits are decimal, not hexadecimal. (On my machine another subkey of Class had more than ten four-digit subkeys, and these were numbered decimally.)

Each of these binding subkeys has a value called "DriverDesc", which gives a brief description of the binding. For TCP/IP this is, unsurprisingly, "TCP/IP".

TCP/IP binding subkeys have three relevant keys: "IPAddress", "IPMask" and "DefaultGateway". These contain the IP address, IP network mask and gateway IP address in string format, e.g. "192.168.0.2". For IP addresses assigned via DHCP (Dynamic Host Configuration Protocol), the IP address and IP network mask will be "0.0.0.0", e.g. for dial-up links.

Net Key Information

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net

The key numbering, e.g. "0000", doesn't necessarily correspond to that in the Enumerated MSTCP key above. You must use the network device enumeration to find the appropriate keys.

By looking at this key, you can deduce what kind of network interface, e.g. Ethernet or dial-up, is used by the corresponding NetTrans key. For instance, if a NetTrans key has an IPAddress of 0.0.0.0, you cannot tell whether this is a DHCP Ethernet connection or a dial-up link until this key is examined.

The values "DeviceVxDs" and "DriverDesc" show what type of interface it is. "DeviceVxDs" will be "pppmac.vxd" for dial-up interfaces or, for Ethernet, a name dependent on the network card. "DriverDesc" is perhaps more reliable and will be "Dial-Up Adapter" for dial-up links. If even this does not satisfy you, the "Lower" value of the "Ndi\Interfaces" subkey will probably be "vcomm" for dial-up links. Note there are several assumptions here:

One of these assumptions should be true.

So, one can determine the type of interface as follows:

  1. Does it have an IP address in the NetTrans subkey? Yes => Ethernet, No => DHCP Ethernet or dial-up
  2. Does it have the characteristics of a dial-up connection in the Net subkey? Yes => Dial-up, No => DHCP Ethernet

MSTCP VxD Key Information

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP

The meanings of (some of) the values of this key are:

DHCP Information

I have found & tested this information using a DHCP server for Linux. I do not know whether the vendor extensions I mention are available from all DHCP servers, but I would be surprised if they are not.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\DHCP

The data are stored in multiple subkeys. The root subkey, the one that is always present, is called "DhcpInfo0/" on my system. The other keys, the ones that contain data for each card, are called "DhcpInfonn", where nn is the number of the network card starting from 0 with prefixed zeros (e.g. 00).

Some of the data in this subkey are of interest; they are all stored as binary values. In the case of IP addresses, they are actually DWORDs, stored in network order. The data are:

One can also obtain the DNS IP addresses and the host and domain names. However, these are BOOTP vendor extensions and may not be implemented (see RFC 2132). Furthermore, the host name may not have the local domain name attached, i.e. it may be the node name. The vendor extension values appear to be stored in a key called "OptionInfo". The information is stored in the following format:

<Option number byte> <Data length byte> <Data bytes>

The option number for the DNS IP address(es) is 6. The length should then be a multiple of four, the size of an IP address. The number of IP addresses clearly is length/4. The option number for the router (aka gateway) IP addresses is 3. These are stored like the DNS IP addresses.

The option numbers for the host and domain names are 12 and 15 respectively. The host and domain names are NUL-terminated.
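
A bounds-checked parser for the OptionInfo layout described above, as an added Python example that is not from the original document. The function name and the sample bytes are constructed, and whether the stored length counts the terminating NUL is an assumption (the parser accepts both).

```python
import socket

# Option numbers named in this document (they match RFC 2132).
OPT_ROUTER, OPT_DNS, OPT_HOSTNAME, OPT_DOMAIN = 3, 6, 12, 15
ADDRESS_OPTIONS = {OPT_ROUTER: "routers", OPT_DNS: "dns_servers"}
NAME_OPTIONS = {OPT_HOSTNAME: "host_name", OPT_DOMAIN: "domain_name"}


def parse_option_info(blob):
    """Parse <option byte> <length byte> <data bytes> records.

    Returns (info, warnings). The blob originates from a DHCP server, so
    every length is checked against the remaining data before it is used.
    """
    info, warnings = {}, []
    pos = 0
    while pos < len(blob):
        if pos + 2 > len(blob):
            warnings.append("truncated header at offset %d" % pos)
            break
        option, length = blob[pos], blob[pos + 1]
        data = blob[pos + 2:pos + 2 + length]
        if len(data) < length:
            warnings.append("option %d claims %d bytes, %d present"
                            % (option, length, len(data)))
            break
        pos += 2 + length
        if option in ADDRESS_OPTIONS:
            if length % 4:
                warnings.append("option %d length %d is not a multiple of 4"
                                % (option, length))
                continue
            # Addresses are in network order, four bytes each.
            info[ADDRESS_OPTIONS[option]] = [
                socket.inet_ntoa(data[i:i + 4]) for i in range(0, length, 4)]
        elif option in NAME_OPTIONS:
            # NUL-terminated: keep only what precedes the first NUL.
            name = data.split(b"\0", 1)[0]
            info[NAME_OPTIONS[option]] = name.decode("ascii", "replace")
    return info, warnings


# Constructed sample blob (not captured from a real machine).
SAMPLE = (bytes([6, 8, 192, 168, 0, 10, 192, 168, 0, 11])
          + bytes([3, 4, 192, 168, 0, 1])
          + bytes([12, 4]) + b"foo\0"
          + bytes([15, 8]) + b"bar.com\0")

if __name__ == "__main__":
    print(parse_option_info(SAMPLE))
    print(parse_option_info(SAMPLE[:7]))  # cut off in the middle of option 6
```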

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\DHCPOptions

Like the DHCP key above, DHCPOptions has one or more subkeys. The names of these appear less logical: on my system I had one subkey called "02", but multiple subkeys with names like "00050331652" have been reported. At the moment I do not know of a way of detecting which of these subkeys is active (see the comment for the "Valid" value below).

It appears that these keys are not relevant. I think that the DHCP options are parsed on receipt and stored off the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\DHCP key, as described above.

Note: The rest of this section has been preserved for informational purposes.

These subkeys contain the following data of interest in DWORD form:

The Bane of Dial-Up Links

Hopefully by now you can see that the IP data for network cards can be obtained from the registry. Dial-up links are not so simple unfortunately. Only some dial-up information is stored in the registry, namely static IP data for dial-up links. This is stored as part of the Remote Access Service (RAS) data stored in the registry. Algons Hoogervorst has documented this (and more) in his ipdata.txt document.

Windows '95 seems to provide fake MAC addresses for dial-up adapters. These are of the form of:

{ 0x44, 0x45, 0x53, 0x54, a, b }

where 'a' and 'b' are the two last bytes. The dial-up adapters are numbered sequentially, i.e.

{ a, b } = { 0, 0 }, { a, b } = { 0, 1 }

etc. Incidentally, the MAC address seems to be the one piece of information you can't get from the registry for static IP network cards! Several "hacks" (IMHO ;) ) exist - see the Winsock Programmer's FAQ.

How to Parse Windows '95's IP Data

It's easier than I make it sound ;) I will use HKLM as an abbreviation for HKEY_LOCAL_MACHINE in the following:

  1. Find all available network device instances in HKLM\Enum\Root.

  2. For each network device, get the name of its Net and MSTCP keys. If it does not have an MSTCP key, ignore the device.

  3. From the MSTCP key, get the name of its NetTrans key.

  4. Check the IP address in the NetTrans key. If it's not the null IP (0.0.0.0), it's a static address. If it is the null IP, examine its Net key to find out if it's a dial-up link. If it's not a dial-up link, then examine the DHCP keys. If it's a dial-up link, then it's tricky to get address data.

  5. Get global IP data from the TCP VxD's key.

  6. Pass go, collect 200 Pounds and take some Prozac to get over this gnarly journey through the registry ;)



Windows NT

Network Cards

This info was supplied by Tobias Lind - thanks. It is for Windows NT 4. Windows NT 3.x may be substantially different. Windows 2000 is covered below.

Windows NT stores its configuration data in the registry. A list of network cards is stored under this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Each network card has a subkey. The "ServiceName" value of each subkey identifies the name of the network card's service.

The TCP/IP information can be found under the network card's service key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceName\Parameters\Tcpip

The IP addresses are stored as ASCII strings.

WAN Interfaces

This is the "NdisWan Adapter", the equivalent of the PPP adapter in Windows '9x.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisWan4

The data may be stored under this key in the same way as for the Windows 2000 WAN Interfaces - please mail me if you have information on this.



Windows 2000

This info was supplied by Noël Danjou - thanks.

Network Cards

Like Windows NT, Windows 2000 stores its configuration data in the registry. A list of network cards is stored under this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Each network card has a subkey with values. The "Description" value contains a human-friendly description. The "ServiceName" value contains a GUID (globally-unique identifier?) (cf. Windows NT, which has a name here).

The IP data for the network card is then found off this key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces

Each network card has a key of the form "{GUID}", e.g. "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", where each "x" represents a hexadecimal digit. Each of the GUID keys has values for lease times, subnet masks and IP addresses. For IP addresses there are two possible values:

WAN Interfaces

This is the "NdisWan Adapter", the equivalent of the PPP adapter in Windows '9x.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp

Under this key is a value called "IpConfig" of type REG_MULTI_SZ, which is an array of key names relative to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services, e.g.:

Tcpip\Parameters\Interfaces\{GUID-1}
Tcpip\Parameters\Interfaces\{GUID-2}
Tcpip\Parameters\Interfaces\{GUID-3}
Tcpip\Parameters\Interfaces\{GUID-4}

where {GUID-n} is of the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} mentioned above. It appears that the last entry is always the valid one when one is connected. From the relative key name, you can obtain the key where the IP address information is stored, e.g.:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-4}

The IP information is stored in the same way as for network cards, i.e. "IpAddress" or "DhcpIpAddress" is present.



Miscellaneous

winipcfg

winipcfg is a utility provided with Windows '95 & '98, which can be used to display Windows's IP configuration. It can be run like so:

winipcfg /all

A window should appear, showing you details of the IP configuration, including adapter types, DHCP leases, etc.

winipcfg can write its information to a file using the /batch option, e.g.

winipcfg /all /batch winipcfg.out

The output from winipcfg should be easy to parse. Here is what I get on my system:

Windows 98 IP Configuration

        Host Name . . . . . . . . . : athena.int.phekda.freeserve.co.uk
        DNS Servers . . . . . . . . : 192.168.4.1
        Node Type . . . . . . . . . : Hybrid
        NetBIOS Scope ID. . . . . . :
        IP Routing Enabled. . . . . : No
        WINS Proxy Enabled. . . . . : No
        NetBIOS Resolution Uses DNS : Yes

0 Ethernet adapter :

        Description . . . . . . . . : PPP Adapter.
        Physical Address. . . . . . : 44-45-53-54-00-00
        DHCP Enabled. . . . . . . . : Yes
        IP Address. . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . :
        DHCP Server . . . . . . . . : 255.255.255.255
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . :
        Lease Expires . . . . . . . :

1 Ethernet adapter :

        Description . . . . . . . . : NETGEAR FA310TX Fast Ethernet PCI Adapter
        Physical Address. . . . . . : 00-A0-CC-D2-84-D1
        DHCP Enabled. . . . . . . . : No
        IP Address. . . . . . . . . : 192.168.4.2
        Subnet Mask . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . : 192.168.4.1
        Primary WINS Server . . . . :
        Secondary WINS Server . . . :
        Lease Obtained. . . . . . . :
        Lease Expires . . . . . . . :
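
Added example (Python, not from the original document): a parser for the /batch output above that also flags dial-up adapters by the fake 44-45-53-54 MAC prefix described in the Windows '95 section, since winipcfg labels the PPP adapter as an Ethernet adapter. The function name and dictionary keys are assumptions; the sample is abridged from the output shown above.

```python
import re

ADAPTER_RE = re.compile(r"^(\d+)\s+(.+?)\s+adapter\s*:\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")
# Windows '95 fake dial-up MAC prefix described in this document.
DIALUP_MAC_PREFIX = "44-45-53-54-"

# Abridged from the winipcfg output shown above.
SAMPLE = """\
Windows 98 IP Configuration

        Host Name . . . . . . . . . : athena.int.phekda.freeserve.co.uk
        DNS Servers . . . . . . . . : 192.168.4.1

0 Ethernet adapter :

        Description . . . . . . . . : PPP Adapter.
        Physical Address. . . . . . : 44-45-53-54-00-00
        IP Address. . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . :

1 Ethernet adapter :

        Description . . . . . . . . : NETGEAR FA310TX Fast Ethernet PCI Adapter
        Physical Address. . . . . . : 00-A0-CC-D2-84-D1
        IP Address. . . . . . . . . : 192.168.4.2
        Default Gateway . . . . . . : 192.168.4.1
"""


def parse_winipcfg(text):
    """Return (global_settings, adapters) from 'winipcfg /all /batch' output."""
    global_settings, adapters = {}, []
    current = global_settings
    for line in text.splitlines():
        header = ADAPTER_RE.match(line)
        if header:
            current = {"index": int(header.group(1)), "kind": header.group(2)}
            adapters.append(current)
            continue
        field = FIELD_RE.match(line)
        if field:
            # Empty values (e.g. no gateway) are kept as None, not dropped.
            current[field.group(1)] = field.group(2).strip() or None
    for adapter in adapters:
        mac = (adapter.get("Physical Address") or "").upper()
        adapter["dial_up"] = mac.startswith(DIALUP_MAC_PREFIX)
    return global_settings, adapters


if __name__ == "__main__":
    print(parse_winipcfg(SAMPLE))
```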

Windows NT & 2000 have an equivalent utility called ipconfig. You may also want to look at TDIQ, which is a cross-platform (well, cross-Windows) version of winipcfg & ipconfig.



Links



Credits



Version History



If you have any (constructive) comments, please e-mail me on webmaster@phekda.org.