Computer Hope
Microsoft => Microsoft Windows => Windows XP => Topic started by: michaewlewis on June 05, 2007, 03:44:43 PM
-
How can you get system info from a hard drive taken from another system without booting into it?
For example, I have some hard drives that have 2k or xp installed on them. I put them into an external harddrive so I can back up data from them or just view the contents. Sometimes I lose track of which computer they came out of. How can I find the computer name, domain, ip address, etc. from them? Is this info stored in a file on the drive, or in the registry?
-
Don't have an answer to your question but a suggestion. Each time I pull a drive from a machine I label it..where it came from / OS, etc. Saves on the gray matter later ;D
Alan <>< :D
-
ya... that's a smart idea. Unfortunately I didn't think about that one until I had hdd's from 5 different pcs :P
-
How can you get system info from a hard drive taken from another system without booting into it?
For example, I have some hard drives that have 2k or xp installed on them. I put them into an external harddrive so I can back up data from them or just view the contents. Sometimes I lose track of which computer they came out of. How can I find the computer name, domain, ip address, etc. from them? Is this info stored in a file on the drive, or in the registry?
You could slave them, and then look at the files on them.
If you've got IDE drives, you can get two on each chain, so presuming you have 2 IDE controllers, you could check 3 drives at a time, seeing as you'll be leaving the primary master alone (C:).
-
You could slave them, and then look at the files on them.
If you've got IDE drives, you can get two on each chain, so presuming you have 2 IDE controllers, you could check 3 drives at a time, seeing as you'll be leaving the primary master alone (C:).
???
Didn't I already say I have them connected (via usb)? I can't boot with them, if that's what you mean. Some are windows 2k and I have different hardware. Booting with them wouldn't work at all.
-
Windows Registry contains all information about system.
Forensic examination tools such as EnCase allow examination of registry files.
Example
Key HKEY_LOCAL_MACHINE
HKLM contains per-computer (computer-specific) settings which apply to all users logging into that particular
computer.
Subkey HARDWARE
Stores information regarding hardware Windows XP detects during startup. The subkeys are
dynamically created during system startup. They include information on device driver and
associated resources.
-
So can you access the registry for a system on a different hdd that's not booted?
If so, how?
-
Look in \Windows\System32\Config on the slave drive for a file called software.sav
You need to read this. It tells you all you need to know.
http://www.asociacion-aecsi.es/doc/Network/Microsoft_Windows_XP_Registry_Guide.pdf
-
Thanks, I'll have a look at it...
By the way, what search terms did you use? Thanks,
-
Well, I typed "Examine registry slave disk" into Google minus the quotes, I already knew about software.sav so I added that as well
registry slave disk software.sav
gives some handy looking links
-
You could slave them, and then look at the files on them.
If you've got IDE drives, you can get two on each chain, so presuming you have 2 IDE controllers, you could check 3 drives at a time, seeing as you'll be leaving the primary master alone (C:).
???
Didn't I already say I have them connected (via usb)? I can't boot with them, if that's what you mean. Some are windows 2k and I have different hardware. Booting with them wouldn't work at all.
Not what I meant at all. And what you said before was about as clear as mud, but anyway.
A slave won't be what you boot from. But when you do have a system, any system, up and running, you should be able to view what is on the slaved drive. So if there were certain documents on the computer that gave a clue as to where it came from, then you wouldn't have to F around with the registry.