Does anyone have any ideas on how to quickly acquire the install date of Vista on a machine?
As I understand, the key is held in the registry under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
But have yet to find a way of viewing this information without having to load the system in VMware or a registry compiler.
Is there an easier way which doesn't involve digging around the Windows registry?
Looking into this, the directory I have listed does not appear to work for Vista, only XP?
Does anybody know where the install date is held within the new layout of the Vista registry?
Is there an easier way which doesn't involve digging around the Windows registry?
RegRipper
Anything like this isn't really any good. I'm working on an EnCase image and cannot log into the computer in VMware to use regedit.
I have access to the registry and it's not a case I can't read it, I need to know where the key is held.
But have yet to find a way of viewing this information without having to load the system in VMware or a registry compiler.
If I understand you correctly, you are looking for a way to navigate the registry hives from within EnCase?
If that is the case then simply right click the appropriate file (system, software, ntuser.dat etc) and select 'View File Structure'. The file will then appear as a folder in which you can navigate to the key that you want to examine.
Or, you could export the registry files to your examination machine and use Harlan's excellent 'RegRipper' which will give you a lot more information.
Stu
Anything like this isn't really any good. I'm working on an EnCase image and cannot log into the computer in VMware to use regedit.
I didn't say RegEdit, I said "RegRipper". And you don't need VMWare…simply copy/unerase the appropriate Registry hive file.
anyway, sorry to bother you.
Is there an easier way which doesn't involve digging around the Windows registry?
No? It is either look in the Registry (at the value you stated) or run a systeminfo command on the image in a VM. There are also some other tools to use in a live environment, but that is neither here nor there.
I have access to the registry and it's not a case I can't read it, I need to know where the key is held.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate? If you can look at the Registry and know the location what is the issue here? If you cannot look at the Registry, Harlan suggested an excellent tool that I am sure the creator worked very hard to create (and update) to parse the keys.
Sorry if I'm being a bit unclear. The "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate" is where the XP install date is found, I cannot get the Vista one.
No, you're not being unclear at all.
I haven't been able to locate a reference, but I have hive files from two Vista systems, both of which show the InstallDate values at the location you specify.
And as I stated, RegRipper has a plugin that collects this information.
If you don't want to use the registry or to load the OS as a virtual machine you're making your life unnecessarily difficult.
Easiest way within a virtual machine would be to type 'systeminfo' at the command prompt, which gets you last install date together with a lot of other useful info.
Otherwise the location of (an) install date in the Vista registry can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\
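Added example, not part of the thread and not code from RegRipper or EnCase: a minimal offline reader that walks an exported SOFTWARE hive to Microsoft\Windows NT\CurrentVersion and decodes InstallDate, a REG_DWORD holding seconds since 1970-01-01 UTC. The function names are hypothetical, and it assumes a clean hive that needs no transaction-log replay.

```python
import struct
from datetime import datetime, timezone

HBIN_BASE = 0x1000  # cell offsets are relative to the first hbin, after the 4 KiB header

def _cell(hive, off):  # cell contents; the 4-byte size prefix is negative when allocated
    pos = HBIN_BASE + off
    size = abs(struct.unpack_from("<i", hive, pos)[0])
    return hive[pos + 4:pos + size]

def _text(raw, is_ascii):
    return raw.decode("latin-1" if is_ascii else "utf-16-le")

def _subkeys(hive, list_off):  # yield nk offsets from lf/lh/li lists, descending ri lists
    lst = _cell(hive, list_off)
    sig, count = lst[:2], struct.unpack_from("<H", lst, 2)[0]
    step = 8 if sig in (b"lf", b"lh") else 4  # lf/lh entries carry a 4-byte hash
    for i in range(count):
        off = struct.unpack_from("<I", lst, 4 + i * step)[0]
        yield from (_subkeys(hive, off) if sig == b"ri" else (off,))

def _open(hive, path):
    nk = _cell(hive, struct.unpack_from("<I", hive, 0x24)[0])  # root key cell
    for part in path.split("\\"):
        count, list_off = struct.unpack_from("<I", nk, 0x14)[0], struct.unpack_from("<I", nk, 0x1C)[0]
        for off in (_subkeys(hive, list_off) if count else ()):
            child = _cell(hive, off)
            flags, nlen = struct.unpack_from("<H", child, 2)[0], struct.unpack_from("<H", child, 0x48)[0]
            if _text(child[0x4C:0x4C + nlen], flags & 0x20).lower() == part.lower():
                nk = child
                break
        else:
            raise KeyError(part)
    return nk

def install_date(hive):
    """Return InstallDate from a SOFTWARE hive (bytes) as an aware UTC datetime."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive")
    nk = _open(hive, "Microsoft\\Windows NT\\CurrentVersion")
    nvals, vlist = struct.unpack_from("<II", nk, 0x24)
    for off in (struct.unpack_from("<%dI" % nvals, _cell(hive, vlist)) if nvals else ()):
        vk = _cell(hive, off)
        nlen, dsize, data, _dtype, vflags = struct.unpack_from("<HIIIH", vk, 2)
        if _text(vk[0x14:0x14 + nlen], vflags & 1).lower() == "installdate":
            if not dsize & 0x80000000:  # data stored in its own cell, not inline
                data = struct.unpack_from("<I", _cell(hive, data))[0]
            return datetime.fromtimestamp(data, tz=timezone.utc)
    raise KeyError("InstallDate")
```

Pass it the bytes of the exported file, for example `install_date(open("SOFTWARE", "rb").read())`, and cross-check the result against the key's last-written time or a tool such as RegRipper.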