Solved

windows 8 files from disc image

Posted on 2014-12-30
5
225 Views
Last Modified: 2015-01-06
are there any specific files you could pull from an image of a HDD, that you could run through another utility, to get a reporta full list of software installed on a windows 8 machine?

Also, are there any files you could pull from a disc image, to run through another utility, to get a report of the local security policy settings on a windows 8 PC (specifically interested in the auditing settings configuration).
0
Comment
Question by:pma111
5 Comments
 
LVL 92

Assisted Solution

by:John Hurst
John Hurst earned 167 total points
ID: 40523585
If the image is a backup image to reinstall Windows, then the image will boot, setup the hard drive and install Windows including setting up the registry.

So I think it most unlikely you could pull configuration settings out of such an image. There is no native Windows 8 tool to do this.

Someone may know of a third party tool to do such a thing.
0
 
LVL 3

Author Comment

by:pma111
ID: 40523662
In this instance, image refers to an *.E01 format used by forensics software guidance software encase
0
 
LVL 53

Assisted Solution

by:McKnife
McKnife earned 167 total points
ID: 40523921
Sorry, but it should be obvious that not everyone here is familiar with your imaging software, so please tell us if you can even mount the file system without having to restore it. If you can, of course there are ways to analyse that.
For software, you can
-look at the program files path yourself (recommended)
-read out the (mounted) registry hive HKLM\software (manually our automated, but don't ask me what software can do this - there will be one)

As for the local security policy settings, you would have to look at the contents of C:\Windows\System32\GroupPolicy\ or copy that folder to another machine as explained here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f53de1d9-da21-4b36-b099-a30f996fb405/local-group-policy-files
0
 
LVL 62

Accepted Solution

by:
btan earned 166 total points
ID: 40524892
ideally you can load the cloned image boot boot up verification and use tools as below

(a) gather s/w listing e.g.
- use of PsInfo -s @ http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
- use of WMI PS in specific to get From "Win32_Product" @ http://msdn.microsoft.com/en-us/library/aa394378%28VS.85%29.aspx (e.g. Get-WmiObject -Class "Win32_Product" | Export-CSV (Join-Path $home "Win32_Product.csv" or "wmic /output:C:\InstallList.txt product get name,version")
- exporting specific registry path as shared by experts, and can include below ( also do see below mention on 64 bit emulation) it has HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
(more good summary on registry @ http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry)
- use of other s/w (though it may not state WIn8 and will req some testing) such as SIW (http://www.gtopala.com/#axzz3NR48KKPv), MyUninstaller (http://www.nirsoft.net/utils/myuninst.html) or CCleaner (https://www.piriform.com/docs/ccleaner/ccleaner-how-tos/listing-installed-programs)

Good to note that native 64-bit apps write to HKLM\Software, and 32-bit apps write to HKLM\Software\WOW6432Node
The Wow6432 registry entry indicates that you're running a 64-bit version of Windows. The OS uses this key to present a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on a 64-bit version of Windows. When a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE\<company>\<product> subkey, the application reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\<company>\<product> subkey.
@ http://windowsir.blogspot.sg/2013/03/wow6432node-registry-redirection.html
See also the "Redirected, Shared, and Reflected" Keys Under WOW64
@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa384253%28v=vs.85%29.aspx

(b) gather policy setting e.g.
- use of GPResult.exe command line tool to verify all policy settings in effect for a specific user or computer @ http://technet.microsoft.com/en-us/library/cc733160.aspx#BKMK_Examples

But need to be wary there are also portable appls that can be inside machine but not installed. So better to check the app running in memory too..process explorer etc
0
 
LVL 62

Expert Comment

by:btan
ID: 40529769
Also to drill into powershell below are some good script shared in
I query both of my SharePoint Web Front End (WFE) servers by using Invoke-Command to execute the same Get-ItemProperty on the remote system’s HKLM PS Registry Provider:

Invoke-Command -cn wfe0, wfe1 -ScriptBlock {Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName, Publisher, InstallDate }
http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/15/use-powershell-to-find-installed-software.aspx

Also specifically a sample stated for "Get-InstalledApp.ps1"
Get-InstalledApp.ps1 outputs objects that contain the ComputerName, AppID, AppName, Publisher, and Version properties, so you can use PowerShell cmdlets to select, sort, and format the output to suit your needs. For example, the command

Get-InstalledApp | Select-Object AppName,Version |<br>  Sort-Object AppName
outputs a list of applications and each application's version, sorted by application name. If you want to create a comma-separated value (CSV) report of all software installed on each computer named in the file Computers.txt, you'd use the command

Get-InstalledApp (Get-Content Computers.txt) |<br>  Export-CSV Report.csv -notypeinformation
(The Export-CSV cmdlet's -NoTypeInformation parameter suppresses the type information in the CSV output.)
http://windowsitpro.com/powershell/what-applications-are-installed-computers-your-network
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
These days, all we hear about hacktivists took down so and so websites and retrieved thousands of user’s data. One of the techniques to get unauthorized access to database is by performing SQL injection. This article is quite lengthy which gives bas…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
In this video, we discuss why the need for additional vertical screen space has become more important in recent years, namely, due to the transition in the marketplace of 4x3 computer screens to 16x9 and 16x10 screens (so-called widescreen format). …

896 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now