Version 0.4.10, Copyright (C) 1998, 1999, 2000, 2001, 2004, 2005 by
Richard Dawe
Last updated 2005-10-09.
This document can be distributed freely, so long as it is unmodified.
The information in this document may not be entirely accurate. If you have any corrections or additions, please mail me.
[Introduction]
[Windows 3.11]
[Windows '95 & '98]
[Windows NT]
[Windows 2000]
[Miscellaneous]
[Links]
[Credits]
[Version History]
This documented was written by looking at Windows' private files. As such, this validity of the document depends very much on Microsoft not changing how Windows stores its IP data. You should also be aware that this document is heavily tied to Microsoft's TCP/IP stacks. Stacks by other companies may not store data in the same way.
Since the first versions of this documenat, Microsoft has produced an API to retrieve/modify IP data. As far as know, this only works with Windows '98 and Windows NT 4 (with Service Pack 3 or 4?). The IP helper API, IPHLPAPI, is documented here:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/iphlp/iphlp/about_ip_helper.asp
Apparently there is also a reliable way to get the IP address and subnet mask on "all" versions of Windows ('95 and later, I think) using the WASIoctl() function. Here are a link to a Knowledge Base article and a link to some source code, to do this:
http://www.kbalertz.com/kb_186312.aspx
http://download.microsoft.com/download/platformsdk/sample31/1/W9XNT4/EN-US/Intrfc.exe
(Thanks to Aleksandar Radulovic for these links.)
Microsoft tends to reorganise its web site now and then, so these may have moved. If so, please tell me.
With the huge disclaimers out of the way, let's get onto the fun...
Definitions tend to vary between platforms. So to be clear, here are some definitions:
Microsoft and Unix seems to have differing definitions of the above. Microsoft stores the node name in a variable called 'HostName' or similar. This confused me for some time. I will use the Unix definition of a host name, the above defined above.
If anyone has information on the following, I would be very grateful if they could share it with me:
This information was supplied by Ove Kaaven - thanks.
Under Windows 3.11, network card information is stored in "system.ini" in the Windows directory (e.g. c:\windows\system.ini). The list of available network cards is stored in a key called "Interfaces" in the section "MSTCP", as illustrated by this example extract:
[MSTCP] Interfaces=MyCard1,MyCard2
There is a section for each interface, named after the interface, e.g. for the example above there will be two interface sections: MyCard1, MyCard2. The IP information is stored as follows in the section(s):
Continuing the above example we have:
[MyCard1] IPAddress=192.168.0.2 IPMask=255.255.255.0 DefaultGateway=192.168.0.1 NameServer1=192.168.0.10 NameServer2=192.168.0.11 ...
An alternative method for obtaining the DNS server IP addresses is to read the "DNSServers" key of the "DNS" section, which contains a comma-separated list of DNS IP addresses, e.g.:
[DNS] DNSServers=192.168.0.10,192.168.0.11
One can also obtain the node and domain names from this section from the keys "HostName" and "DomainName" respectively, e.g.:
[DNS] HostName=foo DomainName=bar.com
I discovered this information by searching the Windows registry and running the winipcfg utility provided with Windows. I think this will apply to Windows '98 too, but I do not have it, so I can't confirm this.
Under Windows '95, the network card settings are stored in the registry in many places:
HKEY_LOCAL_MACHINE\Enum\Root, HKEY_LOCAL_MACHINE\Enum\ISAPNP, HKEY_LOCAL_MACHINE\Enum\PCI
These contain references to all the network devices installed.
HKEY_LOCAL_MACHINE\Enum\Network\MSTCP
This contains references to all the interfaces in NetTrans that the MSTCP driver looks after.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net
This contains information for all network interfaces, e.g. Ethernet card(s), dial-up, etc.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Nettrans
This contains information for all network card-protocol combinations, i.e. for the protocol bindings. There is one subkey per binding, so there may be many subkeys. This will probably contain information on NetBIOS, etc. too.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP
The MSTCP section seems to deal with only network cards with fixed details, i.e. not for DHCP over Ethernet or dial-up links.
HKEY_LOCAL_MACHINE\System\CurrentControl\Services\VxD\DHCP, HKEY_LOCAL_MACHINE\System\CurrentControl\Services\VxD\DHCPOptions
This contains information for network cards configured via DHCP (Dynamic Host Configuration Protocol).
HKEY_LOCAL_MACHINE\Enum\Root
HKEY_LOCAL_MACHINE\Enum\ISAPNP
HKEY_LOCAL_MACHINE\Enum\PCI
These sections contain information about all network devices (even dial-up or virtual adapters) in the system as well as all (?) other devices. Each device type has an enumeration, so that multiple devices of the same type can be present. So keys for a particular instance of device are of the form:
HKEY_LOCAL_MACHINE\Enum\Root\DeviceName\nnnn
or
HKEY_LOCAL_MACHINE\Enum\ISAPNP\DeviceName\xxxx
or
HKEY_LOCAL_MACHINE\Enum\PCI\DeviceName\yyyy
where DeviceName is the device name (e.g. *PNP0500 off the Root enum, VEN_1022&DEV_2000 off the PCI enum), nnnn is the instance number of the device (e.g. 0002) and yyyy is the PCI device identifier (e.g BUS_00&DEV_10&FUNC_00).
TODO: What is the xxxx for ISAPNP?
Each nnnn, xxxx or yyyy key has a value called "Class", which is set to "Net" for network devices.
Once a network device has been found, its binding to various services can be obtained:
The Net key (under Class, see below) associated with the network device can be found by examining the "Driver" value of nnnn. It should contain a string like "Net\0000".
The MSTCP key (see below) associated with the network device can be found by enumerating the values under the "Bindings" subkey of nnnn. If there is an MSTCP association, there will be a value like "MSTCP\0000".
HKEY_LOCAL_MACHINE\Enum\Network\MSTCP
The MSTCP driver handles all the interfaces referenced here. It contains a set of subkeys numbered with four digits, e.g "0000", "0001", etc. The "Driver" value of these subkeys references a NetTrans key that describes the interface-TCP/IP binding.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Nettrans
The information for each protocol bound to a network card is stored in a subkey per binding. These subkeys have names that consist of four digits, e.g. "0000", as in an enumeration. I believe these digits are decimal, not hexidecimal. (On my machine another subkey of Class had more than ten four-digit subkeys, and these were numbered decimally.)
Each of these binding subkeys has a value called "DriverDesc", which gives a brief description of the binding. For TCP/IP this is, unsurprisingly, "TCP/IP".
TCP/IP binding subkeys have three relevant keys: "IPAddress", "IPMask" and "DefaultGateway". These contain the IP address, IP network mask and gateway IP address in string-format, e.g. "192.168.0.2". For IP addresses assigned via DHCP (Dynamic Host Configuration Protocol), the IP address and IP network mask will be "0.0.0.0", e.g. for dial-up links.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Class\Net
The key numbering, e.g. "0000", doesn't necessarily correspond to that in the Enumerated MSTCP key above. You must use the network device enumeration to find the appropriate keys.
By looking at this key, you can deduce what kind of network interface, e.g. Ethernet, dial-up, is used by the corresponding NetTrans key. For instance, if a NetTrans key has an IPAddress of 0.0.0.0, you cannot tell whether this is DHCP Ethernet connection or a dial-up link until this key is examined.
The values "DeviceVxDs" and "DriverDesc" show what type of interface it is. "DeviceVxDs" will be "pppmac.vxd" for dial-up interfaces and or, for Ethernet, dependent on the network card name. "DriverDesc" is perhaps more reliable and will be "Dial-Up Adapter" for dial-up links. If even this does not satisfy you, the "Lower" value of the "Ndi\Interfaces" subkey will probably be "vcomm" for dial-up links. Note there are several assumptions here:
One of these assumptions should be true.
So, one can determine the type of interface as follows:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\VxD\MSTCP
The meaning of (some of) the values of this key are:
I have found & tested this information using a DHCP server for Linux. I do not know whether the vendor extensions I mention are available from all DHCP servers, but I would be surprised if they are not.
HKEY_LOCAL_MACHINE\System\CurrentControl\Services\VxD\DHCP
The data are stored in a multiple subkeys. The root subkey, the one that is always present, is called "DhcpInfo0/" on my system. The other keys, the ones that contain data for each card, are called "DhcpInfonn", where nn is the number of the network card starting from 0 with prefixed zeros (e.g. 00).
Some of the data of interest in this subkey are all stored as binary values. In the case of IP addresses, they are actually DWORDs, stored in network order. The data are:
One can also obtain the DNS IP addresses and the host and domain names. However, these are BOOTP vendor extensions and may not be implemented (see RFC 2132). Futhermore, the host name may not have the local domain name attached, i.e. it may be the node name. The vendor extension values appear to be stored in a key called "OptionInfo". The information is stored in the following format:
<Option number byte> <Data length byte> <Data bytes>
The option number for the DNS IP address(es) is 6. The length should then be a multiple of four, the size of an IP address. The number of IP addresses clearly is length/4. The option number for the router (aka gateway) IP addresses is 3. These are stored like the DNS IP addresses.
The option numbers for the host and domain names are 12 and 15 respectively. The host and domain names are nul terminated.
HKEY_LOCAL_MACHINE\System\CurrentControl\Services\VxD\DHCPOptions
Like the DHCP key above, DHCPOptions has one or more subkeys. The names of these appears less logical: on my system I had one subkey called "02", but multiple subkeys with names like "00050331652" have been reported. At the moment I do not know of a way of detecting which of these subkeys is active (see the comment for the "Valid" value below).
It appears that these keys are not relevant. I think that the DHCP options are parsed on receipt and stored off the HKEY_LOCAL_MACHINE\System\CurrentControl\Services\VxD\DHCP key, as described above.
Note: The rest of this section has been preserved for informational purposes.
These subkeys contains the following data of interest in DWORD form:
"Valid" - This is either 0 (DHCP information invalid) or 1 (DHCP information valid). This does not seem to indicate that DHCP is being used. On my system I have disabled DHCP, but it's still "valid".
"LastGateWay" - This is used as the gateway IP address for the network.
This is ignored if any gateway options have been set for the network card. IMHO this is a bug. I think the DHCP options for the gateway should override or at least add to those specified in the Control Panel.
This is constructed from a DHCP vendor extension. Only one gateway is set up here, I think. How this is selected if there are multiple DHCP-configured cards, I do not know.
Hopefully by now you can see that the IP data for network cards can be obtained from the registry. Dial-up links are not so simple unfortunately. Only some dial-up information is stored in the registry, namely static IP data for dial-up links. This is stored as part of the Remote Access Service (RAS) data stored in the registry. Algons Hoogervorst has documented this (and more) in his ipdata.txt document.
Windows '95 seems to provide fake MAC addresses for dial-up adapters. These are of the form of:
{ 0x44, 0x45, 0x53, 0x54, a, b }
where 'a' and 'b' are the two last bytes. The dial-up adapters are numbered sequentially, i.e.
{ a, b } = { 0, 0 }, { a, b } = { 0, 1 }
etc. Incidentally, the MAC address seems to be the one piece of information you can't get from the registry for static IP network cards! Several "hacks" (IMHO ;) ) exist - see the Winsock Programmer's FAQ.
It's easier than I make it sound ;) I will use HKLM as an abbreviation for HKEY_LOCAL_MACHINE in the following:
Find all available network device instances in HKLM\Enum\Root.
For each network device, get the name of its Net and MSTCP keys. If it does not have an MSTCP key, ignore the device.
From the MSTCP key, get the name of its NetTrans key.
Check the IP address in the NetTrans key. If it's the null IP (0.0.0.0), examine its Net key to find out, if it's a dial-up link. If it's not a dial-up link, then examine the DHCP keys. Otherwise, it's a static address. If it's a dial-up link, then it's tricky to get address data.
Get global IP data from the TCP VxD's key.
Pass go, collect 200 Pounds and take some Prozac to get over this gnarly journey through the registry ;)
This info was supplied by Tobias Lind - thanks. It is for Windows NT 4. Windows NT 3.x & may be substantially different. Windows 2000 is covered below.
Windows NT stores its configuration data in the registry. A list of network cards is stored under this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
Each network card has a subkey. The "ServiceName" value of each subkey identifies the name of the network card's service.
The TCP/IP information can be found under the network card's service key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ServiceName\Parameters\Tcpip
The IP addresses are stored as ASCII strings.
This is the "NdisWan Adapter", the equivalent of the PPP adapter in Windows '9x.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NdisWan4
The data may be stored under this key in the same way as for the Windows 2000 WAN Interfaces - please mail me if you have information on this.
This info was supplied by Noël Danjou - thanks.
Like Windows NT, Windows 2000 stores its configuration data in the registry. A list of network cards is stored under this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards
Each network card has a subkey with values. The "Description" value contains a human-friendly description. The "ServiceName" value contains a GUID (globally-unique identifier?) (cf. Windows NT, which has a name here).
The IP data for the network card is then found off this key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces
Each network has a key of the form "{GUID}", e.g. "{xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx}", where each "x" represents a hexidecimal digit. Each of the GUID keys has values for lease times, subnet masks and IP addresses. For IP addresses there are two possible values:
"IpAddress" of type REG_MULTI_SZ (multiple nul-terminated strings), which contains all the static IP addresses or "0.0.0.0" if there are none;
"DhcpIpAddress" (optional) of type REG_SZ (nul-terminated string), which contains the dynamic IP address.
This is the "NdisWan Adapter", the equivalent of the PPP adapter in Windows '9x.
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Adapters\NdisWanIp
Under this key is a value called "IpConfig" of type REG_MULTI_SZ, which is an array of key names relative to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services, e.g.:
Tcpip\Parameters\Interfaces\{GUID-1} Tcpip\Parameters\Interfaces\{GUID-2} Tcpip\Parameters\Interfaces\{GUID-3} Tcpip\Parameters\Interfaces\{GUID-4}
where {GUID-n} is of the form {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} mentioned above. It appears that the last entry is always the valid one when one is connected. From the relative key name, you can obtain the key where the IP address information is stored, e.g.:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{GUID-4}
The IP information is stored in the same way as for network cards, i.e. "IpAddress" or "DhcpIpAddress" is present.
winipcfg is a utility provided with Windows '95 & '98, which can be used to display Windows's IP configuration. It can be run like so:
winipcfg /all
A window should appear, showing you details of the IP configuration, including adapter types, DHCP leases, etc.
winipcfg can write its information to a file using the /batch option, e.g.
winipcfg /all /batch winipcfg.out
The output from winipcfg should be easy to parse. Here is what I get on my system:
Windows 98 IP Configuration Host Name . . . . . . . . . : athena.int.phekda.freeserve.co.uk DNS Servers . . . . . . . . : 192.168.4.1 Node Type . . . . . . . . . : Hybrid NetBIOS Scope ID. . . . . . : IP Routing Enabled. . . . . : No WINS Proxy Enabled. . . . . : No NetBIOS Resolution Uses DNS : Yes 0 Ethernet adapter : Description . . . . . . . . : PPP Adapter. Physical Address. . . . . . : 44-45-53-54-00-00 DHCP Enabled. . . . . . . . : Yes IP Address. . . . . . . . . : 0.0.0.0 Subnet Mask . . . . . . . . : 0.0.0.0 Default Gateway . . . . . . : DHCP Server . . . . . . . . : 255.255.255.255 Primary WINS Server . . . . : Secondary WINS Server . . . : Lease Obtained. . . . . . . : Lease Expires . . . . . . . : 1 Ethernet adapter : Description . . . . . . . . : NETGEAR FA310TX Fast Ethernet PCI Adapter Physical Address. . . . . . : 00-A0-CC-D2-84-D1 DHCP Enabled. . . . . . . . : No IP Address. . . . . . . . . : 192.168.4.2 Subnet Mask . . . . . . . . : 255.255.255.0 Default Gateway . . . . . . : 192.168.4.1 Primary WINS Server . . . . : Secondary WINS Server . . . : Lease Obtained. . . . . . . : Lease Expires . . . . . . . :
Windows NT & 2000 have an equivalent utility called ipconfig. You may also want to look at TDIQ, which is a cross-platform (well, cross-Windows version) of winipcfg & ipconfig.
Alfons Hoogervorst has compiled some complementary information on obtaining IP data for dial-up links into ipdata.txt. He takes a much lower-level and more detailed approach than this document.
Winsock Programmer's FAQ - This is always a good place to look for help with Winsock network programming.
TDIQ is utility similar to winipcfg on Windows '9x and ipconfig on Windows NT, 2000. It is a cross-platform replacement for winipcfg/ipconfig, because it works on Windows '95, '98, Windows NT and Windows 2000.
Microsoft's IP helper API documentation - the IP helper API is now the official way of obtaining IP information.
0.4.10 (2005-10-09) - Update link to Knowledge Base article - thanks to Aleksandar Radulovic.
0.4.9 (2004-07-03) - Update my e-mail address. Update the link for the IP helper API and add some links on how to get the IP address and subnet mask reliably - thanks to Aleksandar Radulovic.
0.4.8 (2004-01-15) - The IP helper API address is broken.
0.4.7 (2001-10-17) - Updated the IP helper API address - thanks to Mark Williams for telling me the new one.
0.4.6 (2000-12-10) - Updates because I now have Windows '98; added description of winipcfg, ipconfig.
0.4.5 (2000-09-09) - Updated Windows '95 DHCP sections after further coding by me and testing by Tim Van Holder. DHCPOptions key information is now marked as "informational"
0.4.4 (2000-08-20) - Updated Windows '95 network card & DHCP sections based on information from Tim Van Holder.
0.4.3 (2000-05-27) - IPHLPAPI documentation moved; updated URL.
0.4.2 (2000-04-17) - Discovered that PCI network cards have their information stored under a different subkey of Enum than ISA network cards (Win95 OSR 2.1 under VMware).
0.4.1 (2000-03-22) - WAN interface information added.
0.4.0 (2000-03-03) - Windows 2000 information was added. Added link for TDIQ.
0.3.0 (1999-12-24) - Windows NT information was added. I discovered that the Windows '95 information was stored differently! The new structure seems more self-consistent, because it definitely links all the network cards to their IP data. Previously their association felt like a "coincidence". Added Winsock Programmer's FAQ link.
0.2.1 (1999-07-17) - I added a link to Microsoft's IP helper API documentation. Thanks to my anonymous source for reminding me of its existence ;)
0.2.0- I made of lots of changes after discovering how all the Windows '95 TCP/IP registry keys relate to each other.
0.1.1 & earlier - Er, I can't remember.