I have some disk/disk-images of previous Windows installations from different machines (some of them from machines I don't own any longer).
I'm trying to find out which machine these used to be in.
Mounting them, I can find out usernames from the /Users/.. directories, which could give some hint, but not always enough.
Question:
How can I find out system and hardware info from the Windows system drive data?
e.g. hostname, CPU etc.
I suppose these are stored on the disk somewhere, but the tools I know only work on a booted system.
Preferably I'd like to do this from Linux, but Windows tools could also be useful.
2 Answers
You will find this information in the registry hives, located in various folders under %SystemRoot%, which is C:\Windows.
The HKEY_LOCAL_MACHINE hive is located under %SystemRoot%\System32\Config\Software and contains information about hardware. Every branch under this key is stored in a separate hive file.
The HKEY_USERS hive is located in %SystemRoot%\Users and contains information about the user accounts.
More detailed information can be found by just examining the contents of the above registry hives.
For documentation, you could start from:
- hivexsh(1) : Windows Registry hive shell on Linux
- Wikipedia Windows Registry
- Microsoft Windows registry information for advanced users
(This answer is only intended as a very initial pointer, and is by no means intended to serve as a forensics tutorial.)
There is a Linux tool called chntpw which is supposed to change the Windows password:
https://github.com/rescatux/chntpw
I have found that a command line tool called reged is mentioned in the manual, which has the ability to dump the hive's content:
https://github.com/rescatux/chntpw/blob/master/MANUAL.txt#L114
I could use the command below to dump the hive mentioned by harrymc in his answer.
reged -x /media/noen/w10/Windows/System32/config/SYSTEM HKEY_LOCAL_MACHINE\\SYSTEM \\ /tmp/system.reg
Then it's possible to just search through it with the usual tools/editors: grep, less, vim, whatever you like.
A few examples with grep:
~$ grep -i "ComputerName" /tmp/system.reg
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName]
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
"ComputerName"="DESKTOP-SIMNBR6"
"LastComputerName"="DESKTOP-SIMNBR6"
~$ grep "SystemVersion" /tmp/system.reg
"SystemVersion"="ThinkPad T450"
~$ grep "FriendlyName.*CPU" /tmp/system.reg
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
This was enough for me to find out which PC the disk belonged to and whether I need to keep the data.
The method can be used to dump other parts than HKEY_LOCAL_MACHINE\SYSTEM, the whole registry or just specific keys. See the usage of reged:
~$ reged --help
reged version 0.1 140201, (c) Petter N Hagen
reged: invalid option -- '-'
Modes:
-x <registryhivefile> <prefixstring> <key> <output.reg>
Xport. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE
<key> is key to dump (recursively), \ or \\ means all keys in hive
Only one .reg and one hive file supported at the same time
-I <registryhivefile> <prefixstring> <input.reg>
Import from .reg file. Where <prefixstring> for example is HKEY_LOCAL_MACHINE\SOFTWARE
Only one .reg and one hive file supported at the same time
-e <registryhive> ...
Interactive edit one or more of registry files
Options:
-L : Log changed filenames to /tmp/changed, also auto-saves
-C : Auto-save (commit) changed hives without asking
-N : No allocate mode, only allow edit of existing values with same size
-E : No expand mode, do not expand hive file (safe mode)
-t : Debug trace of allocated blocks
-v : Some more verbose messages
The chntpw package is part of Ubuntu universe ppa and can be installed with sudo apt install chntpw. Also available for most major distros: pkgs.org/download/chntpw – spinpwr, commented Sep 17, 2024 at 9:07
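The grep step above can be replaced by a small parser of the reged -x export; this is an added example, not code from the answer or from chntpw. It reads the .reg text written to /tmp/system.reg into a dict, resolves the control set Windows actually booted from via HKLM\SYSTEM\Select\Current instead of assuming ControlSet001, and de-duplicates the per-core FriendlyName hits; the sample export is constructed, and the key paths it places SystemVersion and FriendlyName under are assumed.

```python
import re
from collections import defaultdict

VALUE_RE = re.compile(r'^(?:@|"((?:[^"\\]|\\.)*)")=(.*)$')  # "name"=value or @=value (default)
def _decode(val):  # string, dword or hex(...) right-hand side of a .reg line
    if val.startswith('"'):
        return val[1:-1].replace('\\"', '"').replace('\\\\', '\\')
    if val.startswith("dword:"):
        return int(val[6:], 16)
    return bytes.fromhex(val.split(":", 1)[1].replace(",", "")) if val.startswith("hex") else val

def parse_reg_export(text):  # .reg text from reged -x -> {key_path: {value_name: value}}
    hive, key, pending = defaultdict(dict), None, ""
    for raw in text.splitlines():
        pending += raw.strip().rstrip("\\")
        if raw.rstrip().endswith("\\"):  # long hex values wrap with a trailing backslash
            continue
        line, pending = pending, ""
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif (m := VALUE_RE.match(line)) and key is not None:  # headers/blanks never match
            hive[key]["(default)" if m.group(1) is None else m.group(1)] = _decode(m.group(2))
    return hive

def identify_machine(hive):
    # Windows boots from the control set named in Select\Current; it is not always ControlSet001.
    cs = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet%03d" % hive.get(r"HKEY_LOCAL_MACHINE\SYSTEM\Select", {}).get("Current", 1)
    cpus, models = set(), set()
    for path, values in hive.items():
        if path.startswith(cs + "\\"):
            if "CPU" in str(values.get("FriendlyName", "")):  # same test as grep "FriendlyName.*CPU"
                cpus.add(values["FriendlyName"])  # one entry per core/thread in the export, so dedupe
            models.update(v for k, v in values.items() if k == "SystemVersion")
    name = hive.get(cs + r"\Control\ComputerName\ComputerName", {}).get("ComputerName")
    return {"hostname": name, "models": sorted(models), "cpus": sorted(cpus)}

# Constructed sample shaped like the grep hits above; the Enum and SystemInformation paths are assumed.
SAMPLE = r"""[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
"ComputerName"="DESKTOP-SIMNBR6"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SystemInformation]
"SystemVersion"="ThinkPad T450"
"BIOSVersion"=hex(7):4a,00,42,00,45,00,54,00,35,00,38,00,57,00,57,00,00,00,\
  00,00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\ACPI\CPU\_0]
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\ACPI\CPU\_1]
"FriendlyName"="Intel(R) Core(TM) i5-5300U CPU @ 2.30GHz"
"""
```

Hex-typed values (hex(2), hex(7), binary blobs) are returned as raw bytes, so multi-string values such as BIOSVersion still need UTF-16LE decoding by the caller.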