How to get the operating system using registry file

Question

3.00/5 (2 votes)

See more:

I wanted to extract the operating system information using offline registry(Software) file.

Am able to read the file,but is there any structure to move to that location where exactly i can get that information.

Can any one help me regarding this way????

Am a forensic investigator where i got a system's hard-disk.
I connected that disk to my system using that disk data i need to get the information of operating system on that connected disk.

"C:\Windows\System32\config\software"
This is the file path..

Posted 6-Aug-13 22:01pm

P Uday kishore

Updated 12-Aug-13 0:12am

v4

Add a Solution

Comments

H.Brydon 7-Aug-13 10:40am

Good question. +5 from me...

[no name] 7-Aug-13 11:19am

This may help http://code.google.com/p/reglookup/

mbue 7-Aug-13 12:56pm

why dont you examine the os version from system files version?
ps: remember not all registry informations are stored on disk!

Richard MacCutchan 7-Aug-13 13:04pm

Given the extra information you have added above, it is reasonable to assume that looking for registry hives has nothing to do with your problem. What you need is to mount the disk onto a system that has the ability to recognise different formats. Linux is generally quite good at this but you may still need to get hold of some specialist software to help you. I would suggest spending some time with our good friend Google to see what suggestions you can find.

Richard MacCutchan 12-Aug-13 7:17am

You have added some information to your question but it really does not mean anything. The issue you face is finding some software that can read the disk even if it is from a foreign source. I suggest you re-read my previous suggestion and get googling.

3 solutions

Add a Solution

Add your solution here

Treat my content as plain text, not as HTML

Preview 0

…

Existing Members

Sign in to your account

...or Join us

Download, Vote, Comment, Publish.

Your Email
Password
Forgot your password?

Your Email
This email is in use. Do you need your password?
Optional Password

I have read and agree to the Terms of Service and Privacy Policy
Please subscribe me to the CodeProject newsletters

When answering a question please:

Read the question carefully.
Understand that English isn't everyone's first language so be lenient of bad spelling and grammar.
If a question is poorly phrased then either ask for clarification, ignore it, or edit the question and fix the problem. Insults are not welcome.
Don't tell someone to read the manual. Chances are they have and don't get it. Provide an answer or move on to the next question.

Let's work to help developers, not make them feel stupid.

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

max_nowak · Answer 1 · 2013-08-06T22:12:00

You'd better use simply the WinApi for this purpose.

Try GetVersionEx. See here

EDIT:
This is how you get the version from the registry:

C++

LPCTSTR version;
HKEY hKey;
if (::RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"), 0, KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS)
{
	TCHAR szData[256];
	DWORD dwKeyDataType;
	DWORD dwDataBufSize = 256;
	if (::RegQueryValueEx(hKey, _T("CurrentVersion"), NULL, &dwKeyDataType, (BYTE*) &szData, &dwDataBufSize) == ERROR_SUCCESS)
	{
		if(dwKeyDataType == REG_SZ)
		{
			version = szData;
		}
	}
}

Here's the mapping for the version numbers

Operating system        Version number
-----------------       --------------
Windows 8                   6.2
Windows Server 2012         6.2
Windows 7                   6.1
Windows Server 2008 R2      6.1
Windows Server 2008         6.0
Windows Vista               6.0
Windows Server 2003 R2      5.2
Windows Server 2003         5.2
Windows XP 64-Bit Edition   5.2
Windows XP                  5.1
Windows 2000                5.0

I hope this was helpful

Richard MacCutchan · Answer 2 · 2013-08-06T22:11:00

Solution 1

The exact structure of the registry hives is Microsoft private. You should use the Registry functions[^] to get the information you require. You can start with the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion key which contains the information about the Windows version.

Posted 6-Aug-13 22:11pm

Richard MacCutchan

Comments

Hawkfuture 7-Aug-13 6:19am

That's the point

Richard MacCutchan 7-Aug-13 6:40am

What?

P Uday kishore 7-Aug-13 8:10am

ya i know this path.from registry hive i can see it.but i need to read the offline file there i need help to read to move there.

Richard MacCutchan 7-Aug-13 8:37am

Assuming by "offline file" you mean a stored hive, then I am not sure, although this link has some suggestions.

H.Brydon 7-Aug-13 10:39am

I think he means that the operating system in question is not booted/running. See my response to pwasser...

Philippe Mori · Answer 3 · 2013-08-14T03:03:00

I would forget about reading the registry manually. It is probably a very complex file format which is not documented.

If the disk is dead, then why you need to get the OS from it. Backup data files and forget about the OS. Anyway, there might be a sticker on the computer box or you may have restore disks, or a restore partition or someone might remember the OS.

It might be much easier to get information from a well known EXE or DLL file on the system by reading file properties.

How to get the operating system using registry file

3 solutions

Solution 2

Solution 1

Solution 3

Add your solution here

Preview 0