Merge pull request #87 from reece394/master

Add ProductOptions - ProductType and ProductSuite
EricZimmerman · Jan 18, 2025 · abcc266 · abcc266
2 parents 068efe0 + e563709
commit abcc266
Show file tree

Hide file tree

Showing 2 changed files with 51 additions and 1 deletion.
diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md
@@ -56,6 +56,7 @@ Example entry, please follow this format:
 | 2.07 | 2024-11-26 | Added new artifacts from the DEFAULT registry hive  |
 | 2.08 | 2024-12-07 | Added WinSCP DEFAULT artifact back and added Advanced IP Scanner and Advanced Port Scanner Artifacts |
 | 2.09 | 2024-12-19 | Added Angry IP Scanner Artifacts |
+| 2.10 | 2025-01-18 | Added System ProductType and ProductSuite Artifacts |
 
 # Documentation
 

diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
@@ -1,6 +1,6 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
-Version: 2.09
+Version: 2.10
 Id: 2e1589f5-e31a-4bef-822f-075d56afdddd
 Keys:
 #
@@ -517,6 +517,55 @@ Keys:
         ValueName: BuildLab
         Recursive: false
         Comment: "Current OS build information"
+    -
+        Description: System Info (Current)
+        HiveType: SYSTEM
+        Category: System Info
+        KeyPath: CurrentControlSet\Control\ProductOptions
+        ValueName: ProductType
+        Recursive: false
+        Comment: "Indicates Type of System - WinNT = Workstation, LanmanNT = Domain Controller (DC - Primary or Backup), ServerNT = Server"
+
+# https://community.tenable.com/s/article/Finding-the-Correct-Audit-File-for-Windows-Member-Servers-and-Domain-Controllers?language=en_US
+# https://support.microsoft.com/?kbid=152078
+# https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/152078
+
+    -
+        Description: System Info (Current)
+        HiveType: SYSTEM
+        Category: System Info
+        KeyPath: ControlSet00*\Control\ProductOptions
+        ValueName: ProductType
+        Recursive: false
+        Comment: "Indicates Type of System - WinNT = Workstation, LanmanNT = Domain Controller (DC - Primary or Backup), ServerNT = Server"
+
+# https://community.tenable.com/s/article/Finding-the-Correct-Audit-File-for-Windows-Member-Servers-and-Domain-Controllers?language=en_US
+# https://support.microsoft.com/?kbid=152078
+# https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/152078
+
+    -
+        Description: System Info (Current)
+        HiveType: SYSTEM
+        Category: System Info
+        KeyPath: CurrentControlSet\Control\ProductOptions
+        ValueName: ProductSuite
+        Recursive: false
+        Comment: "Indicates Product Licence on System"
+
+# https://support.microsoft.com/?kbid=152078
+# https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/152078
+
+    -
+        Description: System Info (Current)
+        HiveType: SYSTEM
+        Category: System Info
+        KeyPath: ControlSet00*\Control\ProductOptions
+        ValueName: ProductSuite
+        Recursive: false
+        Comment: "Indicates Product Licence on System"
+
+# https://support.microsoft.com/?kbid=152078
+# https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/152078
 
 # System Info -> System Info (Historical)