Solved

Windows 8 files from disc image

Posted on 2014-12-30
Last Modified: 2015-01-06
Are there any specific files you could pull from an image of a HDD, that you could run through another utility, to get a report or a full list of software installed on a Windows 8 machine?

Also, are there any files you could pull from a disc image, to run through another utility, to get a report of the local security policy settings on a Windows 8 PC (specifically interested in the auditing settings configuration)?
Question by:pma111
5 Comments
 

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 40523585
If the image is a backup image to reinstall Windows, then the image will boot, set up the hard drive and install Windows, including setting up the registry.

So I think it most unlikely you could pull configuration settings out of such an image. There is no native Windows 8 tool to do this.

Someone may know of a third party tool to do such a thing.

Author Comment

by:pma111
ID: 40523662
In this instance, image refers to the *.E01 format used by the forensics software Guidance Software EnCase.

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40523921
Sorry, but it should be obvious that not everyone here is familiar with your imaging software, so please tell us if you can even mount the file system without having to restore it. If you can, of course there are ways to analyse that.
For software, you can
- look at the program files path yourself (recommended)
- read out the (mounted) registry hive HKLM\software (manually or automated, but don't ask me what software can do this - there will be one)

As for the local security policy settings, you would have to look at the contents of C:\Windows\System32\GroupPolicy\ or copy that folder to another machine as explained here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f53de1d9-da21-4b36-b099-a30f996fb405/local-group-policy-files

Accepted Solution

by:
btan earned 166 total points
ID: 40524892
Ideally you can load the cloned image, boot up for verification and use tools as below

(a) gather s/w listing e.g.
- use of PsInfo -s @ http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
- use of WMI via PS, specifically to query "Win32_Product" @ http://msdn.microsoft.com/en-us/library/aa394378%28VS.85%29.aspx (e.g. Get-WmiObject -Class "Win32_Product" | Export-CSV (Join-Path $home "Win32_Product.csv") or "wmic /output:C:\InstallList.txt product get name,version")
- exporting specific registry paths as shared by the experts, which can include the one below (also see the note below on 64-bit emulation): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
(more good summary on registry @ http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry)
- use of other s/w (though it may not state Win8 and will req some testing) such as SIW (http://www.gtopala.com/#axzz3NR48KKPv), MyUninstaller (http://www.nirsoft.net/utils/myuninst.html) or CCleaner (https://www.piriform.com/docs/ccleaner/ccleaner-how-tos/listing-installed-programs)

Good to note that native 64-bit apps write to HKLM\Software, and 32-bit apps write to HKLM\Software\WOW6432Node
The Wow6432 registry entry indicates that you're running a 64-bit version of Windows. The OS uses this key to present a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on a 64-bit version of Windows. When a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE\<company>\<product> subkey, the application reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\<company>\<product> subkey.
@ http://windowsir.blogspot.sg/2013/03/wow6432node-registry-redirection.html
See also the "Redirected, Shared, and Reflected" Keys Under WOW64
@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa384253%28v=vs.85%29.aspx

(b) gather policy setting e.g.
- use of GPResult.exe command line tool to verify all policy settings in effect for a specific user or computer @ http://technet.microsoft.com/en-us/library/cc733160.aspx#BKMK_Examples

But need to be wary that there are also portable apps that can be inside the machine but not installed. So better to check the apps running in memory too, e.g. Process Explorer etc.

Expert Comment

by:btan
ID: 40529769
Also, to drill into PowerShell, below are some good scripts shared in
I query both of my SharePoint Web Front End (WFE) servers by using Invoke-Command to execute the same Get-ItemProperty on the remote system’s HKLM PS Registry Provider:

Invoke-Command -cn wfe0, wfe1 -ScriptBlock {Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName, Publisher, InstallDate }
http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/15/use-powershell-to-find-installed-software.aspx

Also specifically a sample stated for "Get-InstalledApp.ps1"
Get-InstalledApp.ps1 outputs objects that contain the ComputerName, AppID, AppName, Publisher, and Version properties, so you can use PowerShell cmdlets to select, sort, and format the output to suit your needs. For example, the command

Get-InstalledApp | Select-Object AppName,Version |
  Sort-Object AppName
outputs a list of applications and each application's version, sorted by application name. If you want to create a comma-separated value (CSV) report of all software installed on each computer named in the file Computers.txt, you'd use the command

Get-InstalledApp (Get-Content Computers.txt) |
  Export-CSV Report.csv -notypeinformation
(The Export-CSV cmdlet's -NoTypeInformation parameter suppresses the type information in the CSV output.)
http://windowsitpro.com/powershell/what-applications-are-installed-computers-your-network
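
The registry approach from the answers above, applied to a hive taken from a mounted image instead of a booted clone; this is an added example, not part of any poster's reply. It assumes a working copy of Windows\System32\config\SOFTWARE has been exported from the image (loading a hive can modify the file, so never load the evidence copy), and the paths and the temporary key name are hypothetical.

```powershell
# Added example (not from the thread): installed-software report from an OFFLINE hive.
# Assumes the SOFTWARE hive was copied out of the mounted image into a working folder
# and that this runs from an elevated prompt on the analysis workstation.
param(
    [string]$HivePath  = 'D:\case01\export\SOFTWARE',        # hypothetical copy of the hive
    [string]$MountName = 'OfflineSW',                        # hypothetical temporary key name
    [string]$OutCsv    = 'D:\case01\InstalledSoftware.csv'   # hypothetical output file
)

& reg.exe load "HKLM\$MountName" $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath (elevated prompt?)" }

try {
    # The loaded key is the root of HKLM\SOFTWARE from the imaged machine, so the
    # 32-bit view discussed above sits directly under it as Wow6432Node.
    $views = [ordered]@{
        'Native'      = "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\Uninstall"
        'Wow6432Node' = "HKLM:\$MountName\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
    }
    $report = foreach ($view in $views.GetEnumerator()) {
        # A 32-bit Windows image has no Wow6432Node branch, so skip missing paths.
        if (-not (Test-Path -LiteralPath $view.Value)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $view.Value) {
            $p = Get-ItemProperty -LiteralPath $key.PSPath
            # Entries without a DisplayName carry no product name to report.
            if (-not $p.DisplayName) { continue }
            [pscustomobject]@{
                View        = $view.Key
                DisplayName = $p.DisplayName
                Version     = $p.DisplayVersion
                Publisher   = $p.Publisher
                InstallDate = $p.InstallDate
                KeyName     = $key.PSChildName
            }
        }
    }
    $report | Sort-Object DisplayName, View |
        Export-Csv -Path $OutCsv -NoTypeInformation
    "{0} entries written to {1}" -f @($report).Count, $OutCsv
}
finally {
    # Open registry handles block the unload, so drop references and collect first.
    Remove-Variable key, p, report -ErrorAction SilentlyContinue
    [gc]::Collect(); [gc]::WaitForPendingFinalizers()
    & reg.exe unload "HKLM\$MountName" | Out-Null
}
```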