🖥 System Information

Created: 12.10.2020


Installed programs and applications

Key 🔑: Microsoft\Windows\CurrentVersion\Uninstall. There can be entries for programs that no longer exist on the system. The sub-key's last write time is when the application was installed.

Key 🔑: Microsoft\Windows\CurrentVersion\Appx\AppxAllUserStore for installed Microsoft (Appx) applications. Distinguishes between those installed for a specific user and those installed system-wide.

Key 🔑: Wow6432Node (SYSTEM hive root node) - programs that run in 32-bit mode. Separate sub-keys exist for different versions of a program.

Key 🔑: Classes\Installer\Products - programs installed using the Microsoft Installer (those with an .msi extension).

OS Information

Key 🔑: Microsoft\Windows NT\CurrentVersion. The InstallDate value holds the install date as a numeric Unix timestamp (decode it with 🛠 Decode).

Login info

Key 🔑: Microsoft\Windows\CurrentVersion\Authentication\LogonUI - the last logged-in user.

Key 🔑: Microsoft\Windows NT\CurrentVersion\Winlogon. Manages the boot process, logon operations and profile loading.

Domain Accounts

Key 🔑: Software\Microsoft\Windows NT\CurrentVersion\ProfileList.

The key above holds a ProfileImagePath value for each profile.

SAM doesn't have any information about domain accounts; for that, refer to the key above. Even though there is no relevant information in the SAM hive for a domain user, you can still view the machine/domain ID in SAM and use it to determine whether files were created on the local machine, for example in the Recycle Bin.

Computer name

Key 🔑: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName and Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ActiveComputerName. The name can be either manufacturer- or user-defined.

Last shutdown time

Key 🔑: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Windows\LastShutdownTime

A 64-bit little-endian value in Windows FILETIME format. ⚠️ If the PC was shut down because of power loss (unplugged), this value is not updated.

Crash dump setting

Key 🔑: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl\DumpFile and Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\CrashControl\MinidumpDir.

These store the locations of the *.DMP crash dump files.


Key 🔑: ControlSet001\Control\FileSystem\NtfsDisableLastAccessUpdate.

Controls last-access timestamp updates: 1 = disabled (default), 0 = enabled. ⚠️ If updates are disabled (the more likely case), file access times are not reliable. This does not apply to updates of the MFT file records themselves.

NTFS last-access update values (Win10+):

80000000 (hex) = User Managed, Last Access Updates Enabled
80000001 (hex) = User Managed, Last Access Updates Disabled
80000002 (hex) = System Managed, Last Access Updates Enabled - default for Windows 11 (in my case).
80000003 (hex) = System Managed, Last Access Updates Disabled
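Decoding the raw values from the keys above (InstallDate as a Unix timestamp, LastShutdownTime as an 8-byte little-endian FILETIME, and the NtfsDisableLastAccessUpdate flag bits) as an added Python example; it is not part of these notes and the sample values are constructed.

```python
import datetime as dt
import struct

# Added example, not from the original notes. Decodes three raw registry values
# discussed above: InstallDate (REG_DWORD, Unix epoch seconds),
# LastShutdownTime (REG_BINARY, 8-byte little-endian Windows FILETIME) and
# NtfsDisableLastAccessUpdate (REG_DWORD bit flags on Win10+).

# FILETIME counts 100 ns ticks since 1601-01-01 UTC; this is the distance
# from that epoch to the Unix epoch (1970-01-01) in ticks.
EPOCH_DIFF_TICKS = 116444736000000000

def decode_install_date(unix_seconds):
    """Microsoft\\Windows NT\\CurrentVersion\\InstallDate -> aware UTC datetime."""
    return dt.datetime.fromtimestamp(int(unix_seconds), tz=dt.timezone.utc)

def decode_filetime(raw):
    """Control\\Windows\\LastShutdownTime: 8 raw bytes, little-endian -> UTC datetime."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)           # '<Q' = little-endian unsigned 64-bit
    unix_us = (ticks - EPOCH_DIFF_TICKS) // 10    # 100 ns ticks -> microseconds
    return dt.datetime(1970, 1, 1, tzinfo=dt.timezone.utc) + dt.timedelta(microseconds=unix_us)

def decode_ntfs_last_access(value):
    """Control\\FileSystem\\NtfsDisableLastAccessUpdate -> managed-by / enabled flags."""
    system_managed = bool(value & 0x80000000)     # bit 31 set: System Managed (Win10+)
    disabled = bool(value & 0x1)                  # bit 0 set: last access updates disabled
    return {"system_managed": system_managed,
            "last_access_updates_enabled": not disabled,
            # as the note above says: with updates disabled, access times are unreliable
            "access_times_reliable": not disabled}

if __name__ == "__main__":
    # Constructed sample values, not taken from a real system.
    print(decode_install_date(1602460800))                     # 2020-10-12 00:00:00+00:00
    print(decode_filetime(bytes.fromhex("00c0bfa02aa0d601")))  # 2020-10-12 00:00:00+00:00
    print(decode_ntfs_last_access(0x80000002))                 # system managed, enabled
```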

System time

Key 🔑: Computer\HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation\TimeZoneKeyName


TODO: same structure as for Windows

system_profiler, sw_vers, uname


If osquery was preinstalled on the machine in question, we are in a better position. It is a very powerful tool: it queries the system for various information and presents the results as tables.

# config on macOS (installed via brew) is /var/osquery/osquery.example.config

## mac addresses
grep -iro '[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}:[0-9a-f]\{2\}'


They are stored at /root/private/var/log/daily.out along with the interfaces. Example of the file contents:

Sun Apr 12 13:27:17 EDT 2020

Removing old temporary files:
Cleaning out old system announcements:
Removing stale files from /var/rwho:

Disk status:

Filesystem     Size   Used  Avail Capacity iused      ifree %iused  Mounted on

/dev/disk1s5  100Gi  9.9Gi   83Gi    11%  481695 1044735185    0%   /
/dev/disk1s1  100Gi  6.3Gi   83Gi     8%   34701 1045182179    0%   /System/Volumes/Data
/dev/disk1s4  100Gi  1.0Mi   83Gi     1%       1 1045216879    0%   /private/var/vm

Network interface status:
Name       Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
lo0   16384 <Link#1>                          1072     0     1072     0     0
lo0   16384 127           localhost           1072     -     1072     -     -
lo0   16384 localhost   ::1                   1072     -     1072     -     -
lo0   16384 fe80::1%lo0 fe80:1::1             1072     -     1072     -     -
gif0* 1280  <Link#2>                             0     0        0     0     0
stf0* 1280  <Link#3>                             0     0        0     0     0
en0   1500  <Link#4>    00:0c:29:c4:65:77   372733     0    73025     0     0
en0   1500  fe80::8c8:8 fe80:4::8c8:87c2:   372733     -    73025     -     -
en0   1500  184.171.151/2 stu-181-151-171   372733     -    73025     -     -
utun0 1380  <Link#5>                             0     0        2     0     0
utun0 1380  fe80::8375: fe80:5::8375:3ebe        0     -        2     -     -
utun1 2000  <Link#6>                             0     0        2     0     0
utun1 2000  fe80::feea: fe80:6::feea:9530        0     -        2     -     -

Local system status:
13:27  up 7 mins, 1 user, load averages: 7.76 3.82 1.64

-- End of daily output --
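An added Python example, not part of the original notes, that parses the "Network interface status" section of daily.out shown above into per-interface MAC and address records; the embedded sample is an excerpt of that output.

```python
import re

# Added example, not from the original notes: parses the "Network interface
# status" section of macOS /var/log/daily.out (netstat -i output). netstat
# truncates the address columns, so pairs are kept exactly as they appear.

MAC_RE = re.compile(r"^[0-9a-f]{2}(?::[0-9a-f]{2}){5}$", re.IGNORECASE)

# Sample input: an excerpt of the daily.out shown above, embedded so this runs offline.
SAMPLE = """Network interface status:
Name       Mtu   Network       Address            Ipkts Ierrs    Opkts Oerrs  Coll
lo0   16384 <Link#1>                          1072     0     1072     0     0
lo0   16384 127           localhost           1072     -     1072     -     -
gif0* 1280  <Link#2>                             0     0        0     0     0
en0   1500  <Link#4>    00:0c:29:c4:65:77   372733     0    73025     0     0
en0   1500  fe80::8c8:8 fe80:4::8c8:87c2:   372733     -    73025     -     -
en0   1500  184.171.151/2 stu-181-151-171   372733     -    73025     -     -

Local system status:
"""

def parse_daily_out_interfaces(text):
    """Return {ifname: {"up": bool, "mtu": int, "mac": str|None, "addresses": [(network, address)]}}."""
    interfaces, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("Network interface status:"):
            in_section = True
            continue
        if not in_section:
            continue
        if not line.strip():
            break                      # the section ends at the first blank line
        fields = line.split()
        if fields[0] == "Name":
            continue                   # column header row
        name = fields[0].rstrip("*")   # netstat marks interfaces that are down with '*'
        entry = interfaces.setdefault(name, {"up": not fields[0].endswith("*"),
                                             "mtu": int(fields[1]), "mac": None, "addresses": []})
        if fields[2].startswith("<Link#"):
            # link-level row: a MAC follows only on interfaces that have one (en0, not lo0)
            if len(fields) > 3 and MAC_RE.match(fields[3]):
                entry["mac"] = fields[3].lower()
        else:
            entry["addresses"].append((fields[2], fields[3]))
    return interfaces

def mac_addresses(text):
    """{ifname: mac} for every interface in the file that has a hardware address."""
    return {n: e["mac"] for n, e in parse_daily_out_interfaces(text).items() if e["mac"]}
```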


/var/lib/networkmanager, dhclient, and dhcp


On AWS there is a service (the EC2 Instance Metadata Service, IMDS) that can be queried for EC2 instance information. Official docs. This data must be queried from within the instance.

⚠️ Turn off IMDS if you don’t need it for work.


# list all buckets using sso
aws s3 ls --profile dev

# Querying the EC2 IMDS for different instance information
curl -s "



# Battery stats
cat /data/data/com.google.android.gms/shared_prefs/Batterystats.xml

# BatterystatsDumpsysTask
cat /data/data/com.google.android.gms/files/BatterystatsDumpsysTask.gz


If this package is installed, run ideviceinfo. It will also show data for connected devices, and you can target a specific device by its UUID. One use case: connect an iOS device and query it. Read the full docs here. How to use the ideviceinfo command: here.

Power Log



/private/var/containers/Shared/SystemGroup/[APPGUID]/Library/BatteryLife/Archives/powerlog_DATE_ID.PLSQL.gz

# KnowledgeC



kubectl describe node | grep -i image # get OS info
kubectl describe pod <podname> | grep -i node # get image info and master node info as well as lots of other information
kubectl describe pod <podname> # get the amount of containers within the pod

kubectl describe pod <podname> also includes an Events section, which can be thought of as a kind of log.