-
Notifications
You must be signed in to change notification settings - Fork 0
/
System Information Artifacts
23 lines (19 loc) · 1.33 KB
/
System Information Artifacts
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
COMPUTERNAME:
Live System: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName
Offline system: %SystemRoot%\System32\config\SYSTEM
Powershell: Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" -Name *
WINDOWS VERSION:
Live System: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
Offline system: %SystemRoot%\System32\config\SOFTWARE
Powershell: Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name *
TIMEZONE:
Live System: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Offline system: %SystemRoot%\System32\config\SYSTEM
Powershell: Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" -Name *
NETWORK INTERFACES:
Live System: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{INTERFACE_GUID}
Offline system: %SystemRoot%\System32\config\SYSTEM
Powershell: Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{"Network Interface ID"}" -Name *
USER PROFILES:
Live System: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVer-sion\ProfileList\{"SID"}
POWERSHELL: Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\*" | Select-Object -Property PSChildName, ProfileImagePath