Hey guys
I recently read a very good post on here that said how to get the last assigned DHCP IP address of a machine from the registry files of its image.
I was wondering if there was a way to get a MAC address of a machine from an image also, anyone know of a registry key which holds this as a value? or another way to get it?
Cheers
Hey guys
I recently read a very good post on here that said how to get the last assigned DHCP IP address of a machine from the registry files of its image.
I was wondering if there was a way to get a MAC address of a machine from an image also, anyone know of a registry key which holds this as a value? or another way to get it?
Cheers
On my XP Pro machine, I found my MAC address by typing ipconfig /all at the command prompt.
Then run regedit, go to Edit/Search and look for your MAC address which will show you where it is stored in the registry.
On my machine it is stored at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows Genuine Advantage
I'm guessing that is the hardware address which was used to verify my copy of Windows; of course there may be other MAC addresses present, one for the Bluetooth adapter, one for the wireless connection, etc.
Registry setting for MAC address
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\
Under this key you will find a bunch of sub keys labeled as 0000, 00001, 0002 and so forth. Then search through them for the value “DriverDesc” until you find the one that matches the NIC you wish to find. Under these search for a string value called “NetworkAddress”.
The actual MAC address is a twelve digit hex number.
I just checked XP SP multiple machines…one has the "Windows Genuine Advantage" key, the others don't.
None of the systems showed the information that BitHead pointed out…on one system there were 17 subkeys, on others 24 or more…and not one had the "NetworkAddress" value, in either the CurrentControlSet, or within the ControlSet00x (marked "Current" in the Registry).
As the OP asked about getting the info from an image, the CurrentControlSet won't work anyway.
You may be able to get the MAC address from .lnk files within the image.
HTH,
H
Registry setting for MAC address
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\Under this key you will find a bunch of sub keys labeled as 0000, 00001, 0002 and so forth. Then search through them for the value “DriverDesc” until you find the one that matches the NIC you wish to find. Under these search for a string value called “NetworkAddress”.
The actual MAC address is a twelve digit hex number.
I find this not to be true. NetworkAddress entry is generally used to spoof a MAC address. It can be set by drivers, utilities or by hand. NIC's hardware MAC address is not stored there.
Did a little research on this, and while it is true that this entry can be used to spoof the MAC address, I have a couple of machines here with nForce NICs that have this entry. Not sure if this is a "feature" of the NIC or some associated software.
I also did some registry searching and found the MAC address in HKLM\SOFTWARE\Microsoft\Windows Genuine Advantage.
As the last resort, and if you are using EnCase, you can create a grep pattern with the format of a MAC address and take a look at the results you get.