I want to see what patch level Adobe Reader 10 is on a forensic image. Where in the windows 7 registry is this recorded?
I might be right, I might be wrong, so take it with a grain of salt.
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\application name
Applications use this location to set up the ininstall info for the Control Panel. Pointers will be found both to the functioning application and its uninstall program.
Microsoft also stores update info to the OS. When background updates are complete, the updates are stored here in reference to its knowledge base number. The subkeys identifying each update are stored by their number.
I am not sure if patches fall under this, but it would not hurt to look and see if it gets you what you are looking for.
DT
While I am still thinking about it, you might look here as well.
SOFTWARE\Microsoft\Windows\
CurrentVersion\ App Paths\<appname>
I want to see what patch level Adobe Reader 10 is on a forensic image. Where in the windows 7 registry is this recorded?
In a more of a "teach a man to fish" approach, where have you looked?
Have you extracted the binary (acrord32.exe) and read the details tab in the property page ?
You already know the answer to that question
I want to see what patch level Adobe Reader 10 is on a forensic image. Where in the windows 7 registry is this recorded?
In a more of a "teach a man to fish" approach, where have you looked?
I like to load up the image as a VM and just check it that way.
I find that more reassuring than checking the registry for some things because the data is being parsed in it's native application so theres less room for error.