Just to clarify, do you mean the MBR rather than MFT?
Yeah, MBR…sorry.
Okay, I split the tools off into two separate tools.
The output of one looks like this
DeviceID \\.\PHYSICALDRIVE1
Model WDC WD12 00UE-00KVT0 USB Device
Interface USB
Media Fixed hard disk media
Capabilities
Random Access
Supports Writing
Signature 0x96244465
\\.\PHYSICALDRIVE1 Partition Info
Disk #1, Partition #0
Installable File System
Primary Partition
Again, the "Signature" value tells us the value written to the MBR, and can be used to tie a specific drive to a system via the MountedDevices key.
The output of the second tool looks like this (please forgive the formatting)
Drive Type File System Path Free Space
—– —– ———– —– ———-
C\ Fixed NTFS 21.33 GB
D\ Fixed NTFS 41.99 GB
E\ CD-ROM 0.00
G\ Fixed NTFS 46.91 GB
This is for logical drives, and presents some interesting info. This tool has some switches, and the '-c' switch lets you send the output to CSV format…if you do, it will include the volume name and volume serial number.
Both tools use WMI, and can be run against remote managed systems, for inventory purposes. I also see them being used in acquisition and chain-of-custody forms.
H
Another technique is to use msinfo32.exe. This approach has a couple of draw backs 1- you can not selective pull category data from the command line invocation, 2- inorder to get selective data you have use cut and paste. Maybe "H's" script is quicker. I just like pulling all the data at once - that way I have all the specifics in one file. I only wish the drives serial numbers were part of the data.
To use msinfo32 from command line Note the standard Path varible will not get you to the executable.
Create shell window "Start Menu -> Run "cmd.exe". The execute the msinfo32.exe from the shell windows.
"C\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /category ComponentsStorageDisks
When the System Information appears click in the description window and select everything Crtl-A, copy Crtl-C and then paste into document.
You can even select the Drives Categories and obtain all the drive designations and locations.
When I do audits I dump all the msinfo data to a file "C\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe" /report c\audit\directory\ComputerName_msinfo.txt
Are you looking to share these tools with other people.
I would be interested in trying them out and seeing if the information provided is better than what we produce now from just a physical examination.
> Are you looking to share these tools with other people.
Yes, for those who are interested.
> …seeing if the information provided…
The information provided is listed above, in a previous post.
Thanks,
Harlan
H,
Any way of reporting the serial number of the hard drive in your tool?
hdparm can do this but not if the drive is attached via usb.
Jon,
I posted on the previous page what's available via WMI…that's about it, aside from some of the size values, but MS also says in their WMI docs that some of those values aren't valid.
H
I posted on the previous page what's available via WMI.
I googled for a possible answer regarding hard drive serial number.
Jon,
Good job! I can probably find some way to map the Win32_PhysicalMedia objects into the mix…
Thanks!
Harlan
Jon,
After writing some code, most of the stuff is coming up blanks…