Solve : where is system info stored??

1.	Solve : where is system info stored??
Answer» How can you get system info from a hard drive taken from another system without booting into it? For example, I have some hard drives that have 2k or xp installed on them. I put them into an external harddrive so I can back up data from them or just view the contents. Sometimes I lose track of which computer they came out of. How can I find the computer name, domain, ip address, etc. from them? Is this info stored in a file on the drive, or in the registry?Don't have an answer to your question but a suggestion. Each time I pull a drive from a machine I label it..where it came from / OS, etc. Saves on the gray matter later Alan <>< ya... that's a smart idea. Unfortunately I didn't think about that one until I had hdd's from 5 DIFFERENT PCS Quote from: michaewlewis on June 05, 2007, 03:44:43 PM How can you get system info from a hard drive taken from another system without booting into it? For example, I have some hard drives that have 2k or xp installed on them. I put them into an external harddrive so I can back up data from them or just view the contents. Sometimes I lose track of which computer they came out of. How can I find the computer name, domain, ip address, etc. from them? Is this info stored in a file on the drive, or in the registry? You could slave them, and then look at the files on them. If you've got IDE drives, you can get two on each chain, so presuming you have 2 IDE controllers, you could check 3 drives at a time, seeing as you'll be leaving the primary master alone (C:).Quote from: Sid on June 06, 2007, 03:13:03 PM You could slave them, and then look at the files on them. If you've got IDE drives, you can get two on each chain, so presuming you have 2 IDE controllers, you could check 3 drives at a time, seeing as you'll be leaving the primary master alone (C:). Didn't I already say I have them connected (via usb)? I can't boot with them, if that's what you mean. Some are windows 2k and I have different hardware. Booting with them wouldn't work at all. Windows Registry contains all INFORMATION about system. Forensic examination tools such as EnCase allow examination of registry files. Example Key HKEY_LOCAL_MACHINE HKLM contains per-computer (computer-specific) settings which apply to all users logging into that particular computer. Subkey HARDWARE Stores information regarding hardware Windows XP detects during startup. The subkeys are dynamically created during system startup. They include information on device driver and associated resources.So can you access the registry for a system on a different hdd that's not booted? If so, how? Look in \Windows\System32\Config on the slave drive for a file called software.sav You need to read this. It TELLS you all you need to know. http://www.asociacion-aecsi.es/doc/Network/Microsoft_Windows_XP_Registry_Guide.pdf Thanks, I'll have a look at it... By the way, what search terms did you use? Thanks,Well, I typed "Examine registry slave disk" into Google minus the quotes, I already knew about software.sav so I added that as well registry slave disk software.sav gives some handy looking links Quote from: michaewlewis on June 06, 2007, 03:23:35 PM Quote from: Sid on June 06, 2007, 03:13:03 PM You could slave them, and then look at the files on them. If you've got IDE drives, you can get two on each chain, so presuming you have 2 IDE controllers, you could check 3 drives at a time, seeing as you'll be leaving the primary master alone (C:). Didn't I already say I have them connected (via usb)? I can't boot with them, if that's what you mean. Some are windows 2k and I have different hardware. Booting with them wouldn't work at all. Not what I meant at all. And what you said before was about as clear as mud, but anyway. A slave won't be what you boot from. But when you do have a system, any system, up and running, you should be able to view what is on the slaved drive. So if there were certain documents on the computer that gave a clue as to where it came from, then you wouldn't have to F around with the registry.

Answer»

How can you get system info from a hard drive taken from another system without booting into it?
For example, I have some hard drives that have 2k or xp installed on them. I put them into an external harddrive so I can back up data from them or just view the contents. Sometimes I lose track of which computer they came out of. How can I find the computer name, domain, ip address, etc. from them? Is this info stored in a file on the drive, or in the registry?Don't have an answer to your question but a suggestion. Each time I pull a drive from a machine I label it..where it came from / OS, etc. Saves on the gray matter later

Alan <>< ya... that's a smart idea. Unfortunately I didn't think about that one until I had hdd's from 5 DIFFERENT PCS Quote from: michaewlewis on June 05, 2007, 03:44:43 PM

How can you get system info from a hard drive taken from another system without booting into it?
For example, I have some hard drives that have 2k or xp installed on them. I put them into an external harddrive so I can back up data from them or just view the contents. Sometimes I lose track of which computer they came out of. How can I find the computer name, domain, ip address, etc. from them? Is this info stored in a file on the drive, or in the registry?

You could slave them, and then look at the files on them.

If you've got IDE drives, you can get two on each chain, so presuming you have 2 IDE controllers, you could check 3 drives at a time, seeing as you'll be leaving the primary master alone (C:).Quote from: Sid on June 06, 2007, 03:13:03 PM

You could slave them, and then look at the files on them.

If you've got IDE drives, you can get two on each chain, so presuming you have 2 IDE controllers, you could check 3 drives at a time, seeing as you'll be leaving the primary master alone (C:).

Didn't I already say I have them connected (via usb)? I can't boot with them, if that's what you mean. Some are windows 2k and I have different hardware. Booting with them wouldn't work at all.
Windows Registry contains all INFORMATION about system.

Forensic examination tools such as EnCase allow examination of registry files.

Example

Key HKEY_LOCAL_MACHINE

HKLM contains per-computer (computer-specific) settings which apply to all users logging into that particular
computer.

Subkey HARDWARE

Stores information regarding hardware Windows XP detects during startup. The subkeys are
dynamically created during system startup. They include information on device driver and
associated resources.So can you access the registry for a system on a different hdd that's not booted?
If so, how?
Look in \Windows\System32\Config on the slave drive for a file called software.sav

You need to read this. It TELLS you all you need to know.

http://www.asociacion-aecsi.es/doc/Network/Microsoft_Windows_XP_Registry_Guide.pdf

Thanks, I'll have a look at it...
By the way, what search terms did you use? Thanks,Well, I typed "Examine registry slave disk" into Google minus the quotes, I already knew about software.sav so I added that as well

registry slave disk software.sav

gives some handy looking links

Quote from: michaewlewis on June 06, 2007, 03:23:35 PM

Quote from: Sid on June 06, 2007, 03:13:03 PM
You could slave them, and then look at the files on them.

If you've got IDE drives, you can get two on each chain, so presuming you have 2 IDE controllers, you could check 3 drives at a time, seeing as you'll be leaving the primary master alone (C:).

Didn't I already say I have them connected (via usb)? I can't boot with them, if that's what you mean. Some are windows 2k and I have different hardware. Booting with them wouldn't work at all.

Not what I meant at all. And what you said before was about as clear as mud, but anyway.

A slave won't be what you boot from. But when you do have a system, any system, up and running, you should be able to view what is on the slaved drive. So if there were certain documents on the computer that gave a clue as to where it came from, then you wouldn't have to F around with the registry.

Solve : where is system info stored??

Discussion

No Comment Found

Related InterviewSolutions

Reply to Comment