windows 8 files from disc image

Are there any specific files you could pull from an image of an HDD, that you could run through another utility, to get a report (a full list) of the software installed on a Windows 8 machine?

Also, are there any files you could pull from a disc image, to run through another utility, to get a report of the local security policy settings on a Windows 8 PC (specifically interested in the auditing settings configuration)?
pma111 asked:

btan (Exec Consultant) commented:
Ideally you can load the cloned image, boot it up for verification, and use tools as below.

(a) gather s/w listing e.g.
- use of PsInfo -s @ http://technet.microsoft.com/en-us/sysinternals/bb897550.aspx
- use of WMI in PowerShell, specifically to query "Win32_Product" @ http://msdn.microsoft.com/en-us/library/aa394378%28VS.85%29.aspx (e.g. Get-WmiObject -Class "Win32_Product" | Export-CSV (Join-Path $home "Win32_Product.csv"), or wmic /output:C:\InstallList.txt product get name,version)
- exporting specific registry paths as shared by the experts; this can include the one below (also see the mention below on 64-bit emulation): HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
(more good summary on the registry @ http://www.forensicfocus.com/a-forensic-analysis-of-the-windows-registry)
- use of other s/w (though it may not state Win8 and will require some testing) such as SIW (http://www.gtopala.com/#axzz3NR48KKPv), MyUninstaller (http://www.nirsoft.net/utils/myuninst.html) or CCleaner (https://www.piriform.com/docs/ccleaner/ccleaner-how-tos/listing-installed-programs)

Good to note that native 64-bit apps write to HKLM\Software, and 32-bit apps write to HKLM\Software\WOW6432Node
The Wow6432 registry entry indicates that you're running a 64-bit version of Windows. The OS uses this key to present a separate view of HKEY_LOCAL_MACHINE\SOFTWARE for 32-bit applications that run on a 64-bit version of Windows. When a 32-bit application queries a value under the HKEY_LOCAL_MACHINE\SOFTWARE\<company>\<product> subkey, the application reads from the HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\<company>\<product> subkey.
@ http://windowsir.blogspot.sg/2013/03/wow6432node-registry-redirection.html
See also the "Redirected, Shared, and Reflected" Keys Under WOW64
@ http://msdn.microsoft.com/en-us/library/windows/desktop/aa384253%28v=vs.85%29.aspx

(b) gather policy setting e.g.
- use of GPResult.exe command line tool to verify all policy settings in effect for a specific user or computer @ http://technet.microsoft.com/en-us/library/cc733160.aspx#BKMK_Examples

But need to be wary that there are also portable apps that can be inside the machine but not installed. So better to check the apps running in memory too (Process Explorer, etc.).
0
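The answer above lists the Uninstall keys (including the WOW6432Node view) as the place to read the installed-software inventory from. Since the question is about a disk image rather than a running machine, the following added example (not code from the thread or from any of the linked tools) does that offline: it copies the SOFTWARE hive out of the mounted image, loads it under a temporary HKLM key with reg.exe, and walks both Uninstall views. Reading the registry this way also avoids Win32_Product, which on a live system triggers a Windows Installer consistency check of every MSI package. The mount point E:\ and the temporary key name IMG_SOFTWARE are assumptions; the session must be elevated for reg.exe load/unload to work.

```powershell
# Added example, not from the thread. Enumerates installed software from a
# SOFTWARE hive copied out of a mounted disk image, i.e. without booting it.
# Assumptions: the image is mounted read-only at E:\ and this runs in an
# elevated PowerShell session (reg.exe load/unload need administrator rights).

function Get-ImageInstalledSoftware {
    param(
        # Path to the SOFTWARE hive inside the mounted image (assumed path)
        [string]$HivePath  = 'E:\Windows\System32\config\SOFTWARE',
        # Temporary key name the hive is mounted under in HKLM (assumed name)
        [string]$MountName = 'IMG_SOFTWARE'
    )

    # reg.exe load needs the hive file writable, and a forensic mount is
    # usually read-only, so work on a copy and leave the image untouched.
    $work = Join-Path $env:TEMP 'hive-work'
    New-Item -ItemType Directory -Path $work -Force | Out-Null
    $hiveCopy = Join-Path $work 'SOFTWARE'
    Copy-Item -Path $HivePath -Destination $hiveCopy -Force

    & reg.exe load "HKLM\$MountName" $hiveCopy | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed for $hiveCopy (exit $LASTEXITCODE)" }

    try {
        # Both views matter on 64-bit Windows: native installs land in the
        # normal Uninstall key, 32-bit installs under WOW6432Node.
        $views = @{
            'x64 (native)' = "HKLM:\$MountName\Microsoft\Windows\CurrentVersion\Uninstall"
            'x86 (WOW64)'  = "HKLM:\$MountName\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall"
        }
        $apps = foreach ($view in $views.Keys) {
            $key = $views[$view]
            if (-not (Test-Path $key)) { continue }
            foreach ($sub in Get-ChildItem -Path $key) {
                $p = Get-ItemProperty -Path $sub.PSPath
                # Entries without a DisplayName are patches/components that
                # Programs and Features hides as well; skip them.
                if (-not $p.DisplayName) { continue }
                [pscustomobject]@{
                    DisplayName     = $p.DisplayName
                    DisplayVersion  = $p.DisplayVersion
                    Publisher       = $p.Publisher
                    InstallDate     = $p.InstallDate        # yyyyMMdd string when present
                    InstallLocation = $p.InstallLocation
                    RegistryView    = $view
                    KeyName         = $sub.PSChildName
                }
            }
        }
        $apps | Sort-Object DisplayName
    }
    finally {
        # Release provider handles first, otherwise reg.exe unload reports "Access is denied"
        [GC]::Collect()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Usage: write a CSV report into the analyst's profile folder
Get-ImageInstalledSoftware | Export-Csv -Path (Join-Path $HOME 'image-installed-software.csv') -NoTypeInformation
```

Two gaps remain that the thread itself points at: per-user installs live in each profile's NTUSER.DAT under HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall (load each NTUSER.DAT the same way), and portable or unpacked programs never register at all, so a listing of Program Files, Program Files (x86) and the users' AppData folders is still needed for completeness.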
 
John Hurst (Business Consultant, Owner) commented:
If the image is a backup image to reinstall Windows, then the image will boot, set up the hard drive and install Windows, including setting up the registry.

So I think it most unlikely you could pull configuration settings out of such an image. There is no native Windows 8 tool to do this.

Someone may know of a third party tool to do such a thing.
0
 
pma111 (author) commented:
In this instance, image refers to an *.E01 format used by forensics software (Guidance Software EnCase).
0
 
McKnife commented:
Sorry, but it should be obvious that not everyone here is familiar with your imaging software, so please tell us if you can even mount the file system without having to restore it. If you can, of course there are ways to analyse that.
For software, you can
-look at the program files path yourself (recommended)
-read out the (mounted) registry hive HKLM\software (manually or automated, but don't ask me what software can do this - there will be one)

As for the local security policy settings, you would have to look at the contents of C:\Windows\System32\GroupPolicy\ or copy that folder to another machine as explained here: https://social.technet.microsoft.com/Forums/windowsserver/en-US/f53de1d9-da21-4b36-b099-a30f996fb405/local-group-policy-files
0
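The answer above points at C:\Windows\System32\GroupPolicy\ for the local security policy. On a mounted image, the audit-relevant pieces under that folder are two plain-text files, and the following added example (not code from the thread or the linked forum post) reads both: Machine\Microsoft\Windows NT\Audit\audit.csv, which holds the advanced audit policy subcategories in the same column layout as auditpol /backup, and Machine\Microsoft\Windows NT\SecEdit\GptTmpl.inf, whose [Event Audit] section holds the legacy nine-category settings as values 0 to 3. The mount point E:\ is an assumption.

```powershell
# Added example, not from the thread. Reads the LOCAL audit policy that
# secpol.msc / gpedit.msc wrote into the image's GroupPolicy folder.
# Assumption: the image is mounted read-only at E:\.

function Get-ImageLocalAuditPolicy {
    param([string]$ImageRoot = 'E:\')   # assumed mount point of the image

    $ntDir    = Join-Path $ImageRoot 'Windows\System32\GroupPolicy\Machine\Microsoft\Windows NT'
    $auditCsv = Join-Path $ntDir 'Audit\audit.csv'       # advanced audit policy (subcategories)
    $gptTmpl  = Join-Path $ntDir 'SecEdit\GptTmpl.inf'   # legacy nine-category policy

    # Setting Value / AuditXxx values are a 2-bit mask: 1 = success, 2 = failure
    $names = @{ '0' = 'No Auditing'; '1' = 'Success'; '2' = 'Failure'; '3' = 'Success and Failure' }
    $results = New-Object System.Collections.Generic.List[object]

    if (Test-Path $auditCsv) {
        # Columns: Machine Name, Policy Target, Subcategory, Subcategory GUID,
        # Inclusion Setting, Exclusion Setting, Setting Value (same as auditpol /backup)
        foreach ($row in Import-Csv -Path $auditCsv) {
            $results.Add([pscustomobject]@{
                Source      = 'Advanced (audit.csv)'
                Subcategory = $row.Subcategory
                Setting     = $names[$row.'Setting Value']
            })
        }
    }

    if (Test-Path $gptTmpl) {
        # GptTmpl.inf is a UTF-16 INI file; audit settings sit in [Event Audit] as AuditXxx = 0..3
        $inSection = $false
        foreach ($line in Get-Content -Path $gptTmpl -Encoding Unicode) {
            if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'Event Audit'); continue }
            if ($inSection -and $line -match '^\s*(Audit\w+)\s*=\s*(\d)\s*$') {
                $results.Add([pscustomobject]@{
                    Source      = 'Legacy (GptTmpl.inf)'
                    Subcategory = $Matches[1]
                    Setting     = $names[$Matches[2]]
                })
            }
        }
    }

    if ($results.Count -eq 0) {
        Write-Warning "No locally configured audit policy under $ntDir; settings may come from domain GPO or be defaults"
    }
    $results
}

Get-ImageLocalAuditPolicy | Format-Table -AutoSize
```

What these files show is what was configured locally, not necessarily what was enforced: domain Group Policy can override both, and when "Audit: Force audit policy subcategory settings" (SCENoApplyLegacyAuditPolicy) is enabled the advanced subcategories take precedence over the legacy categories. The effective policy the LSA actually applied is stored as the binary PolAdtEv value in the SECURITY hive and needs a dedicated parser; the Security event log from the image (event 4719, audit policy changed) is the other place to confirm what was in force and when it changed.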
 
btan (Exec Consultant) commented:
Also, to drill into PowerShell, below are some good scripts shared at the links that follow.
I query both of my SharePoint Web Front End (WFE) servers by using Invoke-Command to execute the same Get-ItemProperty on the remote system’s HKLM PS Registry Provider:

Invoke-Command -cn wfe0, wfe1 -ScriptBlock {Get-ItemProperty HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\* | select DisplayName, Publisher, InstallDate }
http://blogs.technet.com/b/heyscriptingguy/archive/2013/11/15/use-powershell-to-find-installed-software.aspx

Also specifically a sample stated for "Get-InstalledApp.ps1"
Get-InstalledApp.ps1 outputs objects that contain the ComputerName, AppID, AppName, Publisher, and Version properties, so you can use PowerShell cmdlets to select, sort, and format the output to suit your needs. For example, the command

Get-InstalledApp | Select-Object AppName,Version |
  Sort-Object AppName
outputs a list of applications and each application's version, sorted by application name. If you want to create a comma-separated value (CSV) report of all software installed on each computer named in the file Computers.txt, you'd use the command

Get-InstalledApp (Get-Content Computers.txt) |
  Export-CSV Report.csv -notypeinformation
(The Export-CSV cmdlet's -NoTypeInformation parameter suppresses the type information in the CSV output.)
http://windowsitpro.com/powershell/what-applications-are-installed-computers-your-network
0