Solved

windows 8 files from disc image

Posted on 2014-12-30
5
213 Views
Last Modified: 2015-01-06
are there any specific files you could pull from an image of a HDD, that you could run through another utility, to get a reporta full list of software installed on a windows 8 machine?

Also, are there any files you could pull from a disc image, to run through another utility, to get a report of the local security policy settings on a windows 8 PC (specifically interested in the auditing settings configuration).
0
Comment
Question by:pma111
5 Comments
 
LVL 90

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 40523585
If the image is a backup image to reinstall Windows, then the image will boot, setup the hard drive and install Windows including setting up the registry.

So I think it most unlikely you could pull configuration settings out of such an image. There is no native Windows 8 tool to do this.

Someone may know of a third party tool to do such a thing.
0
 
LVL 3

Author Comment

by:pma111
ID: 40523662
In this instance, image refers to an *.E01 format used by forensics software guidance software encase
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40523921
Sorry, but it should be obvious that not everyone here is familiar with your imaging software, so please tell us if you can even mount the file system without having to restore it. If you can, of course there are ways to analyse that.
For software, you can
-look at the program files path yourself (recommended)
-read out the (mounted) registry hive HKLM\software (manually our automated, but don't ask me what software can do this - there will be one)

As for the local security policy settings, you would have to look at the contents of C:\Windows\System32\GroupPolicy\ or copy that folder to another machine as explained here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f53de1d9-da21-4b36-b099-a30f996fb405/local-group-policy-files
0
 
LVL 61

Accepted Solution

by:
btan earned 166 total points
ID: 40524892
ideally you can load the cloned image boot boot up verification and use tools as below

(a) gather s/w listing e.g.
- use of PsInfo -s @ http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
- use of WMI PS in specific to get From "Win32_Product" @ http://msdn.microsoft.com/en-us/library/aa394378%28VS.85%29.aspx (e.g. Get-WmiObject -Class "Win32_Product" | Export-CSV (Join-Path $home "Win32_Product.csv" or "wmic /output:C:\InstallList.txt product get name,version")
- exporting specific registry path as shared by experts, and can include below ( also do see below mention on 64 bit emulation) it has HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
(more good summary on registry @ http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry)
- use of other s/w (though it may not state WIn8 and will req some testing) such as SIW (http://www.gtopala.com/#axzz3NR48KKPv), MyUninstaller (http://www.nirsoft.net/utils/myuninst.html) or CCleaner (https://www.piriform.com/docs/ccleaner/ccleaner-how-tos/listing-installed-programs)

Good to note that native 64-bit apps write to HKLM\Software, and 32-bit apps write to HKLM\Software\WOW6432Node
The Wow6432 registry entry indicates that you're running a 64-bit version of Windows. The OS uses this key to present a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on a 64-bit version of Windows. When a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE\<company>\<product> subkey, the application reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\<company>\<product> subkey.
@ http://windowsir.blogspot.sg/2013/03/wow6432node-registry-redirection.html
See also the "Redirected, Shared, and Reflected" Keys Under WOW64
@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa384253%28v=vs.85%29.aspx

(b) gather policy setting e.g.
- use of GPResult.exe command line tool to verify all policy settings in effect for a specific user or computer @ http://technet.microsoft.com/en-us/library/cc733160.aspx#BKMK_Examples

But need to be wary there are also portable appls that can be inside machine but not installed. So better to check the app running in memory too..process explorer etc
0
 
LVL 61

Expert Comment

by:btan
ID: 40529769
Also to drill into powershell below are some good script shared in
I query both of my SharePoint Web Front End (WFE) servers by using Invoke-Command to execute the same Get-ItemProperty on the remote system’s HKLM PS Registry Provider:

Invoke-Command -cn wfe0, wfe1 -ScriptBlock {Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName, Publisher, InstallDate }
http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/15/use-powershell-to-find-installed-software.aspx

Also specifically a sample stated for "Get-InstalledApp.ps1"
Get-InstalledApp.ps1 outputs objects that contain the ComputerName, AppID, AppName, Publisher, and Version properties, so you can use PowerShell cmdlets to select, sort, and format the output to suit your needs. For example, the command

Get-InstalledApp | Select-Object AppName,Version |<br>  Sort-Object AppName
outputs a list of applications and each application's version, sorted by application name. If you want to create a comma-separated value (CSV) report of all software installed on each computer named in the file Computers.txt, you'd use the command

Get-InstalledApp (Get-Content Computers.txt) |<br>  Export-CSV Report.csv -notypeinformation
(The Export-CSV cmdlet's -NoTypeInformation parameter suppresses the type information in the CSV output.)
http://windowsitpro.com/powershell/what-applications-are-installed-computers-your-network
0

Featured Post

Promote certifications in your email signature

Has your company recently won an award or achieved a certification? They'll no doubt want to show it off. Email signature images used to promote certifications & awards can instantly establish credibility with a recipient and provide you with numerous benefits.

Join & Write a Comment

Nothing in an HTTP request can be trusted, including HTTP headers and form data.  A form token is a tool that can be used to guard against request forgeries (CSRF).  This article shows an improved approach to form tokens, making it more difficult to…
Find out what Office 365 Transport Rules are, how they work and their limitations managing Office 365 signatures.
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

757 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

19 Experts available now in Live!

Get 1:1 Help Now