How to get the operating system using registry file


Problem description

I wanted to extract the operating system information using an offline registry (Software) file.

I am able to read the file, but is there any structure to move to that location where exactly I can get that information?

Can anyone help me regarding this?

I am a forensic investigator and I got a system's hard disk.
I connected that disk to my system; using that disk's data I need to get the information of the operating system on that connected disk.

"C:\Windows\System32\config\software"
This is the file path.

Recommended answer

You'd better simply use the WinAPI for this purpose.

Try GetVersionEx. See here

Edit:
This is how you get the version from the registry:
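#include <windows.h>
#include <tchar.h>

TCHAR version[256] = _T("");	// own buffer, so the string stays valid after the query
HKEY hKey;
if (::RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion"), 0, KEY_QUERY_VALUE, &hKey) == ERROR_SUCCESS)
{
	DWORD dwKeyDataType;
	DWORD dwDataBufSize = sizeof(version) - sizeof(TCHAR);	// size in bytes; keep room for a terminator
	if (::RegQueryValueEx(hKey, _T("CurrentVersion"), NULL, &dwKeyDataType, (LPBYTE) version, &dwDataBufSize) == ERROR_SUCCESS
		&& dwKeyDataType == REG_SZ)
	{
		// The stored string is not guaranteed to be null-terminated
		version[dwDataBufSize / sizeof(TCHAR)] = _T('\0');
	}
	else
	{
		version[0] = _T('\0');	// value missing, too long, or not a string
	}
	::RegCloseKey(hKey);	// release the key handle
}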





Here's the mapping for the version numbers

Operating system        Version number
-----------------       --------------
Windows 8                   6.2
Windows Server 2012         6.2
Windows 7                   6.1
Windows Server 2008 R2      6.1
Windows Server 2008         6.0
Windows Vista               6.0
Windows Server 2003 R2      5.2
Windows Server 2003         5.2
Windows XP 64-Bit Edition   5.2
Windows XP                  5.1
Windows 2000                5.0





I hope this was helpful


The exact structure of the registry hives is Microsoft private. You should use the Registry functions to get the information you require. You can start with the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion key which contains the information about the Windows version.


I would forget about reading the registry manually. It is probably a very complex file format which is not documented.

If the disk is dead, then why do you need to get the OS from it? Back up data files and forget about the OS. Anyway, there might be a sticker on the computer box, or you may have restore disks or a restore partition, or someone might remember the OS.

It might be much easier to get information from a well-known EXE or DLL file on the system by reading file properties.
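
For the offline case the question describes, the SOFTWARE file can also be read directly on the examiner's machine. The following is an added example, not code from any of the answers above: it walks the regf hive layout, as described in public reverse-engineered format notes, down to the Microsoft\Windows NT\CurrentVersion key named above. It assumes a clean hive (no unreplayed .LOG1/.LOG2 transaction logs) and values small enough to sit in a single cell; the function names are hypothetical.

```python
import struct
# Offsets follow public reverse-engineered notes on the regf format (an assumption,
# not vendor documentation). Not handled: transaction logs, "db" big-data values.
HBIN = 0x1000  # hive bins start after the 4096-byte base block

def cell(hive, off):
    """Payload of the cell at a bin-relative offset (skips the 4-byte size field)."""
    size = abs(struct.unpack_from("<i", hive, HBIN + off)[0])
    return hive[HBIN + off + 4 : HBIN + off + size]

def subkeys(hive, list_off):
    """Yield child nk offsets from an lf/lh/li list, or from the lists an ri list nests."""
    lst = cell(hive, list_off)
    sig, count = lst[:2], struct.unpack_from("<H", lst, 2)[0]
    step = 8 if sig in (b"lf", b"lh") else 4  # lf/lh entries add a 4-byte name hint
    for i in range(count):
        off = struct.unpack_from("<I", lst, 4 + i * step)[0]
        yield from subkeys(hive, off) if sig == b"ri" else (off,)

def open_key(hive, path):
    """Walk from the root nk cell down a backslash-separated path (case-insensitive)."""
    if hive[:4] != b"regf":
        raise ValueError("not a registry hive")
    nk = cell(hive, struct.unpack_from("<I", hive, 0x24)[0])  # root cell offset
    for part in path.split("\\"):
        count, _, list_off = struct.unpack_from("<III", nk, 0x14)
        for off in subkeys(hive, list_off) if count else ():
            child = cell(hive, off)
            nlen = struct.unpack_from("<H", child, 0x48)[0]
            enc = "latin-1" if child[2] & 0x20 else "utf-16-le"  # flag 0x20: ASCII name
            if child[0x4C:0x4C + nlen].decode(enc).lower() == part.lower():
                nk = child
                break
        else:
            raise KeyError(part)
    return nk

def read_values(hive, nk):
    """Map value names to data; REG_SZ (type 1) is decoded, other types stay bytes."""
    count, list_off = struct.unpack_from("<II", nk, 0x24)
    vlist, out = (cell(hive, list_off) if count else b""), {}
    for i in range(count):
        vk = cell(hive, struct.unpack_from("<I", vlist, i * 4)[0])
        nlen, size, doff, dtype, flags = struct.unpack_from("<HIIIH", vk, 2)
        name = vk[0x14:0x14 + nlen].decode("latin-1" if flags & 1 else "utf-16-le")
        # High bit of size set: the data (<= 4 bytes) lives in the offset field itself.
        data = struct.pack("<I", doff)[:size & 0x7FFFFFFF] if size >> 31 else cell(hive, doff)[:size]
        out[name] = data.decode("utf-16-le", "replace").rstrip("\x00") if dtype == 1 else data
    return out
```

Read a working copy of the evidence file into bytes and call `read_values(hive, open_key(hive, "Microsoft\\Windows NT\\CurrentVersion"))`; the CurrentVersion string in the result is the number the mapping table above translates.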

