Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

windows 8 files from disc image

Posted on 2014-12-30
5
Medium Priority
?
297 Views
Last Modified: 2015-01-06
are there any specific files you could pull from an image of a HDD, that you could run through another utility, to get a reporta full list of software installed on a windows 8 machine?

Also, are there any files you could pull from a disc image, to run through another utility, to get a report of the local security policy settings on a windows 8 PC (specifically interested in the auditing settings configuration).
0
Comment
Question by:pma111
5 Comments
 
LVL 99

Assisted Solution

by:John Hurst
John Hurst earned 668 total points
ID: 40523585
If the image is a backup image to reinstall Windows, then the image will boot, setup the hard drive and install Windows including setting up the registry.

So I think it most unlikely you could pull configuration settings out of such an image. There is no native Windows 8 tool to do this.

Someone may know of a third party tool to do such a thing.
0
 
LVL 3

Author Comment

by:pma111
ID: 40523662
In this instance, image refers to an *.E01 format used by forensics software guidance software encase
0
 
LVL 57

Assisted Solution

by:McKnife
McKnife earned 668 total points
ID: 40523921
Sorry, but it should be obvious that not everyone here is familiar with your imaging software, so please tell us if you can even mount the file system without having to restore it. If you can, of course there are ways to analyse that.
For software, you can
-look at the program files path yourself (recommended)
-read out the (mounted) registry hive HKLM\software (manually our automated, but don't ask me what software can do this - there will be one)

As for the local security policy settings, you would have to look at the contents of C:\Windows\System32\GroupPolicy\ or copy that folder to another machine as explained here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f53de1d9-da21-4b36-b099-a30f996fb405/local-group-policy-files
0
 
LVL 65

Accepted Solution

by:
btan earned 664 total points
ID: 40524892
ideally you can load the cloned image boot boot up verification and use tools as below

(a) gather s/w listing e.g.
- use of PsInfo -s @ http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
- use of WMI PS in specific to get From "Win32_Product" @ http://msdn.microsoft.com/en-us/library/aa394378%28VS.85%29.aspx (e.g. Get-WmiObject -Class "Win32_Product" | Export-CSV (Join-Path $home "Win32_Product.csv" or "wmic /output:C:\InstallList.txt product get name,version")
- exporting specific registry path as shared by experts, and can include below ( also do see below mention on 64 bit emulation) it has HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
(more good summary on registry @ http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry)
- use of other s/w (though it may not state WIn8 and will req some testing) such as SIW (http://www.gtopala.com/#axzz3NR48KKPv), MyUninstaller (http://www.nirsoft.net/utils/myuninst.html) or CCleaner (https://www.piriform.com/docs/ccleaner/ccleaner-how-tos/listing-installed-programs)

Good to note that native 64-bit apps write to HKLM\Software, and 32-bit apps write to HKLM\Software\WOW6432Node
The Wow6432 registry entry indicates that you're running a 64-bit version of Windows. The OS uses this key to present a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on a 64-bit version of Windows. When a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE\<company>\<product> subkey, the application reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\<company>\<product> subkey.
@ http://windowsir.blogspot.sg/2013/03/wow6432node-registry-redirection.html
See also the "Redirected, Shared, and Reflected" Keys Under WOW64
@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa384253%28v=vs.85%29.aspx

(b) gather policy setting e.g.
- use of GPResult.exe command line tool to verify all policy settings in effect for a specific user or computer @ http://technet.microsoft.com/en-us/library/cc733160.aspx#BKMK_Examples

But need to be wary there are also portable appls that can be inside machine but not installed. So better to check the app running in memory too..process explorer etc
0
 
LVL 65

Expert Comment

by:btan
ID: 40529769
Also to drill into powershell below are some good script shared in
I query both of my SharePoint Web Front End (WFE) servers by using Invoke-Command to execute the same Get-ItemProperty on the remote system’s HKLM PS Registry Provider:

Invoke-Command -cn wfe0, wfe1 -ScriptBlock {Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName, Publisher, InstallDate }
http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/15/use-powershell-to-find-installed-software.aspx

Also specifically a sample stated for "Get-InstalledApp.ps1"
Get-InstalledApp.ps1 outputs objects that contain the ComputerName, AppID, AppName, Publisher, and Version properties, so you can use PowerShell cmdlets to select, sort, and format the output to suit your needs. For example, the command

Get-InstalledApp | Select-Object AppName,Version |<br>  Sort-Object AppName
outputs a list of applications and each application's version, sorted by application name. If you want to create a comma-separated value (CSV) report of all software installed on each computer named in the file Computers.txt, you'd use the command

Get-InstalledApp (Get-Content Computers.txt) |<br>  Export-CSV Report.csv -notypeinformation
(The Export-CSV cmdlet's -NoTypeInformation parameter suppresses the type information in the CSV output.)
http://windowsitpro.com/powershell/what-applications-are-installed-computers-your-network
0

Featured Post

 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Sometimes Administrators rights are not enough. These cases call for the SYSTEM account. The process in this article outlines the steps required to execute commands using the SYSTEM account.
Phishing emails are a popular malware delivery vehicle for attack.  While there are many ways for an attacker to increase the chances of success for their phishing emails, one of the most effective methods involves spoofing the message to appear to …
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
If you’ve ever visited a web page and noticed a cool font that you really liked the look of, but couldn’t figure out which font it was so that you could use it for your own work, then this video is for you! In this Micro Tutorial, you'll learn yo…

824 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question