-1

When I say available by default, I mean to include Sysinternals, which is somewhat universally approved by system admins and doesn't serve as a barrier for my use-case.

I'm now aware of:

as options for making a copy of C:\WINDOWS\system32\config\; however, these methods do not, as far as I can see in the documentation, have a straightforward option for copying a specific directory. For my use-case, I have strict requirements that I need to request only specific data necessary to my security investigation. I'm also strongly encouraged to propose a specific way for that data to be retrieved.

What I tried:

  • copy doesn't work (file in use)
  • robocopy doesn't work.
J.Todd
  • Take a snapshot using vssadmin. You should be able to copy all files from the snapshot, since the snapshot won't be in use. Be sure to drop the snapshot when you are done. – Zoredache Mar 29 '22 at 21:53

1 Answer

3

Try this:

wbadmin start backup -include:C:\Windows\System32\config -backupTarget:E: -quiet

This will create a VHD that you can then mount/attach to access the backed up files.

joeqwerty
  • `PS C:\WINDOWS\system32> wbadmin start backup -include:C:\Windows\System32\config -backupTarget:E: -quiet wbadmin 1.0 - Backup command-line tool (C) Copyright Microsoft Corporation. All rights reserved. Retrieving volume information... A partial backup of volumes is not supported on this version of Windows.` It was a good idea. Just seems not to be universally applicable. Tested on Windows 11 Pro. – J.Todd Mar 26 '22 at 21:16
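The snapshot approach from the comment on the question, written out as an added example (not code from any poster on this page). It creates the snapshot through the WMI class Win32_ShadowCopy rather than vssadmin, copies only the config directory, records SHA-256 hashes of what was collected, and drops the snapshot afterwards. `$Dest`, `$Link` and the manifest name are assumed values; run it from an elevated PowerShell session.

```powershell
# Added example. Assumed paths: adjust to the collection target you were approved for.
$Dest     = 'E:\evidence\config'          # where the copied directory goes (assumed)
$Link     = 'C:\vss_config_tmp'           # temporary link to the snapshot (assumed)
$Manifest = 'E:\evidence\config.sha256.csv'

# Create a point-in-time snapshot of C:. Files inside it are not held open,
# so the "file in use" error from copy/robocopy on the live path does not apply.
$r = Invoke-CimMethod -ClassName Win32_ShadowCopy -MethodName Create `
        -Arguments @{ Volume = 'C:\'; Context = 'ClientAccessible' }
if ($r.ReturnValue -ne 0) { throw "Snapshot creation failed, code $($r.ReturnValue)" }
$shadow = Get-CimInstance Win32_ShadowCopy | Where-Object ID -eq $r.ShadowID

try {
    # Expose the snapshot as a directory. The trailing backslash is required.
    cmd /c mklink /d $Link "$($shadow.DeviceObject)\" | Out-Null

    # Copy only the one directory the investigation needs, nothing else on the volume.
    robocopy "$Link\Windows\System32\config" $Dest /E /R:0 /W:0 /NP | Out-Null
    if ($LASTEXITCODE -ge 8) { throw "robocopy reported failure, code $LASTEXITCODE" }

    # Hash every collected file so the copy can be verified later.
    Get-ChildItem $Dest -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Hash, Path |
        Export-Csv $Manifest -NoTypeInformation
}
finally {
    # Drop the link and the snapshot whether or not the copy succeeded.
    if (Test-Path $Link) { cmd /c rmdir $Link }
    Remove-CimInstance -InputObject $shadow
}
```

The copied directory contains the SAM and SECURITY hives, so store and transfer `$Dest` with the same access restrictions as the source host.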