Read VMDK files

Windows

In Windows simply open the .VMDK files with 7-zip

Linux

➜ apt-get install guestmount libguestfs-tools
➜ virt-filesystems -a backupFile.vhdx 
/dev/sda2
➜ mkdir /mnt/share/disk
➜ sudo guestmount -a backupFile.vhdx -m /dev/sda2 --rw /mnt/share/disk

➜ sudo cp /mnt/share/disk/Windows/NTDS/ntds.dit .
➜ sudo cp /mnt/share/disk/Windows/System32/config/SYSTEM .

Restore Windows Registry

You find a script in the VMDK file where credentials are fetched from the registry, like below.

#user that will connect to storage
$backupUser = "backupServer01\backupUser"
$backupPass = (Get-ItemProperty HKLM:\Software\Scripts).backupUser

In order to retrieve the password we can restore the registry by...

Extract C:\Windows\System32\config\SOFTWARE from VMDK file to local Windows Machine
Open regedit, highlight HKEY_LOCAL_MACHINE, go to File in the top left corner and press Load Hive...
Write a new name for the Hive and browse to the registry entry to find the plaintext password.

Last updated 8 months ago