2

I have some disk/disk-images of previous Windows installations from different machines (some of them from machines I don't own any longer).

I'm trying to find out which machine these used to be in. Mounting them, I can find out usernames from the /Users/.. directories, which could give some hint, but not always enough.

Question:
How can I find out system and hardware info from the Windows system drive data?
e.g: hostname, CPU etc.

I suppose these are stored on the disk somewhere, but the tools I know only work on a booted system.
Preferably I'd like to do this from Linux, but Windows tools could be also useful.

spinpwr
  • 131

2 Answers

2

You will find this information from the registry hives, located in various folders under %SystemRoot%, which is C:\Windows.

The HKEY_LOCAL_MACHINE hive is located under %SystemRoot%\System32\Config\Software and contains information about hardware. Every branch under this key is stored in a separate hive file.

The HKEY_USERS hive is located in %SystemRoot%\Users and contains information about the user accounts.

More detailed information can be found by just examining the contents of the above registry hives.

For documentation, you could start from:

(This answer is only intended as a very initial pointer, and is by no means intended to serve as a forensics tutorial.)

harrymc
  • 498,455
1

There is a Linux tool called chntpw which is supposed to change the Windows password: https://github.com/rescatux/chntpw

I have found that a command-line tool called reged is mentioned in the manual, which has the ability to dump the hive's content:
https://github.com/rescatux/chntpw/blob/master/MANUAL.txt#L114

The command below is the one I could use to dump the hive mentioned by harrymc in his answer.

reged -x /media/noen/w10/Windows/System32/config/SYSTEM HKEY_LOCAL_MACHINE\\SYSTEM \\ /tmp/system.reg

Then it's possible to just search through it with the usual tools/editors: grep, less, vim, whatever you like.
A few examples with grep:

~$ grep -i "ComputerName" /tmp/system.reg
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
"ComputerName"="DESKTOP-SIMNBR6"
"LastComputerName"="DESKTOP-SIMNBR6"

~$ grep "SystemVersion" /tmp/system.reg
"SystemVersion"="ThinkPad T450"

~$ grep "FriendlyName.*CPU" /tmp/system.reg
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"

This was enough for me to find out which PC the disk belonged to and whether I need to keep the data.


The method can be used to dump parts other than HKEY_LOCAL_MACHINE\SYSTEM: the whole registry or just specific keys. See the usage of reged:

~$ reged --help
reged version 0.1 140201, (c) Petter N Hagen
reged: invalid option -- '-'

Modes:
-x <registryhivefile> <prefixstring> <key> <output.reg>
   Xport. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE
   <key> is key to dump (recursively), \ or \\ means all keys in hive
   Only one .reg and one hive file supported at the same time
-I <registryhivefile> <prefixstring> <input.reg>
   Import from .reg file. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE
   Only one .reg and one hive file supported at the same time
-e <registryhive> ...
   Interactive edit one or more of registry files

Options:
-L : Log changed filenames to /tmp/changed, also auto-saves
-C : Auto-save (commit) changed hives without asking
-N : No allocate mode, only allow edit of existing values with same size
-E : No expand mode, do not expand hive file (safe mode)
-t : Debug trace of allocated blocks
-v : Some more verbose messages

spinpwr
  • 131
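The grep approach above works, but a SYSTEM hive usually carries more than one ControlSet (the one last booted plus a LastKnownGood copy), and grep happily returns stale values from the other copy. The script below is an added example, not code from either answer or from the chntpw project: it parses the .reg text that `reged -x` writes and reads `Select\Current` to pick the right ControlSet before pulling the hostname, model and processor names. The embedded sample is constructed from the values shown in the answer; the exact key paths (`Control\SystemInformation` for the model strings, `Enum\ACPI\<vendor>...` for processors) are assumptions about where the SYSTEM hive keeps them, and `ConstructedBlob` exists only to exercise the multi-line hex parsing.

```python
import re
import sys
from collections import Counter

# Constructed sample in the .reg format that `reged -x` writes. Values come
# from the answer above; key paths are assumptions (see lead-in).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
"Default"=dword:00000001
"LastKnownGood"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
"ComputerName"="DESKTOP-SIMNBR6"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ComputerName\ComputerName]
"ComputerName"="OLD-NAME-FROM-LKG"

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation]
"SystemManufacturer"="LENOVO"
"SystemVersion"="ThinkPad T450"
"ConstructedBlob"=hex:de,ad,\
  be,ef

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\ACPI\GenuineIntel_-_Intel64_Family_6_Model_61\_0]
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\ACPI\GenuineIntel_-_Intel64_Family_6_Model_61\_1]
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\ACPI\GenuineIntel_-_Intel64_Family_6_Model_61\_2]
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\ACPI\GenuineIntel_-_Intel64_Family_6_Model_61\_3]
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def decode_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex"):                     # hex:.. or hex(N):.. -> bytes
        data = raw.split(":", 1)[1]
        return bytes(int(b, 16) for b in data.split(",") if b.strip())
    return raw                                    # unknown type: keep verbatim


def parse_reg(text):
    """Return {key_path: {value_name: value}} for a .reg export."""
    keys, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.endswith("\\") and not line.startswith("["):
            pending = line[:-1]                   # hex data continues on the next line
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else "(Default)"
            keys[current][name] = decode_value(m.group(2))
    return keys


def summarize(keys, prefix="HKEY_LOCAL_MACHINE\\SYSTEM"):
    """Pick hostname, model and CPUs from the ControlSet Windows last booted."""
    current = keys.get(prefix + "\\Select", {}).get("Current", 1)
    cs = "%s\\ControlSet%03d" % (prefix, current)
    sysinfo = keys.get(cs + "\\Control\\SystemInformation", {})
    acpi = cs + "\\Enum\\ACPI\\"
    cpus = Counter()                              # FriendlyName -> logical CPU count
    for path, values in keys.items():
        tail = path[len(acpi):] if path.startswith(acpi) else ""
        # assumption: processors enumerate as ACPI\<vendor string>_-_...\<instance>
        if tail.startswith(("GenuineIntel", "AuthenticAMD")) and "FriendlyName" in values:
            cpus[values["FriendlyName"]] += 1
    return {
        "control_set": cs,
        "hostname": keys.get(cs + "\\Control\\ComputerName\\ComputerName", {}).get("ComputerName"),
        "manufacturer": sysinfo.get("SystemManufacturer"),
        "model": sysinfo.get("SystemVersion") or sysinfo.get("SystemProductName"),
        "cpus": dict(cpus),
    }


def load_reg(path):
    """Read a .reg file: regedit exports are UTF-16 with a BOM, while the grep in
    the answer only works because reged writes 8-bit text."""
    data = open(path, "rb").read()
    if data.startswith((b"\xff\xfe", b"\xfe\xff")):
        return data.decode("utf-16")
    return data.decode("utf-8", errors="replace")


if __name__ == "__main__":
    reg = load_reg(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REG
    for k, v in summarize(parse_reg(reg)).items():
        print("%-12s %s" % (k, v))
```

Run it as `python3 hiveinfo.py /tmp/system.reg` on the file produced by the reged command above, or with no argument to see it work on the embedded sample; the `Select\Current` lookup is what keeps an old hostname in ControlSet002 from being reported as the machine's name.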