Commit abcc266

Merge pull request #87 from reece394/master
Add ProductOptions - ProductType and ProductSuite
2 parents 068efe0 + e563709 commit abcc266

2 files changed

+51
-1
lines changed

BatchExamples/DFIRBatch.md

+1
@@ -56,6 +56,7 @@ Example entry, please follow this format:
5656
| 2.07 | 2024-11-26 | Added new artifacts from the DEFAULT registry hive |
5757
| 2.08 | 2024-12-07 | Added WinSCP DEFAULT artifact back and added Advanced IP Scanner and Advanced Port Scanner Artifacts |
5858
| 2.09 | 2024-12-19 | Added Angry IP Scanner Artifacts |
59+
| 2.10 | 2025-01-18 | Added System ProductType and ProductSuite Artifacts |
5960

6061
# Documentation
6162

BatchExamples/DFIRBatch.reb

+50-1
@@ -1,6 +1,6 @@
11
Description: DFIR RECmd Batch File
22
Author: Andrew Rathbun
3-
Version: 2.09
3+
Version: 2.10
44
Id: 2e1589f5-e31a-4bef-822f-075d56afdddd
55
Keys:
66
#
@@ -517,6 +517,55 @@ Keys:
517517
ValueName: BuildLab
518518
Recursive: false
519519
Comment: "Current OS build information"
520+
-
521+
Description: System Info (Current)
522+
HiveType: SYSTEM
523+
Category: System Info
524+
KeyPath: CurrentControlSet\Control\ProductOptions
525+
ValueName: ProductType
526+
Recursive: false
527+
Comment: "Indicates Type of System - WinNT = Workstation, LanmanNT = Domain Controller (DC - Primary or Backup), ServerNT = Server"
528+
529+
# https://community.tenable.com/s/article/Finding-the-Correct-Audit-File-for-Windows-Member-Servers-and-Domain-Controllers?language=en_US
530+
# https://support.microsoft.com/?kbid=152078
531+
# https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/152078
532+
533+
-
534+
Description: System Info (Current)
535+
HiveType: SYSTEM
536+
Category: System Info
537+
KeyPath: ControlSet00*\Control\ProductOptions
538+
ValueName: ProductType
539+
Recursive: false
540+
Comment: "Indicates Type of System - WinNT = Workstation, LanmanNT = Domain Controller (DC - Primary or Backup), ServerNT = Server"
541+
542+
# https://community.tenable.com/s/article/Finding-the-Correct-Audit-File-for-Windows-Member-Servers-and-Domain-Controllers?language=en_US
543+
# https://support.microsoft.com/?kbid=152078
544+
# https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/152078
545+
546+
-
547+
Description: System Info (Current)
548+
HiveType: SYSTEM
549+
Category: System Info
550+
KeyPath: CurrentControlSet\Control\ProductOptions
551+
ValueName: ProductSuite
552+
Recursive: false
553+
Comment: "Indicates Product Licence on System"
554+
555+
# https://support.microsoft.com/?kbid=152078
556+
# https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/152078
557+
558+
-
559+
Description: System Info (Current)
560+
HiveType: SYSTEM
561+
Category: System Info
562+
KeyPath: ControlSet00*\Control\ProductOptions
563+
ValueName: ProductSuite
564+
Recursive: false
565+
Comment: "Indicates Product Licence on System"
566+
567+
# https://support.microsoft.com/?kbid=152078
568+
# https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/152078
520569

521570
# System Info -> System Info (Historical)
522571

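Review bot: The two entries with `KeyPath: ControlSet00*\Control\ProductOptions` carry `Description: System Info (Current)`, the same label as the `CurrentControlSet` entries, although the wildcard matches every numbered control set, so a value read from a control set that is not the active one would still be presented as current. Consider a distinct Description for the wildcard entries, or state in their Comment that the value can come from any control set. Separately, the ProductSuite Comment ("Indicates Product Licence on System") gives an analyst nothing to interpret the value against, unlike the ProductType Comment, which maps WinNT, LanmanNT and ServerNT; a short list of expected values would make the output readable without opening the KB links. The reference URLs also trail each entry after a blank line, which leaves it unclear whether they belong to the entry above or the one below; placing them directly under the entry they document would remove that ambiguity.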