# Read VMDK files

## Windows

On Windows, simply open the `.VMDK` file with 7-Zip or a similar archive tool.

## Linux

```bash
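# Install the libguestfs tools (virt-filesystems, guestmount)
sudo apt-get install guestmount libguestfs-tools

# List the filesystems in the image; libguestfs reads .vmdk the same way as .vhdx
virt-filesystems -a backupFile.vhdx
# Output: /dev/sda2

# Mount it; --ro is enough (and leaves the image untouched) when only copying files out
sudo mkdir -p /mnt/share/disk
sudo guestmount -a backupFile.vhdx -m /dev/sda2 --rw /mnt/share/disk

# Copy the AD database and the SYSTEM hive out of the image
sudo cp /mnt/share/disk/Windows/NTDS/ntds.dit .
sudo cp /mnt/share/disk/Windows/System32/config/SYSTEM .

sudo guestunmount /mnt/share/disk   # unmount when finished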
```

### Restore Windows Registry

A script inside the `.VMDK` file may fetch credentials from the registry, as in the example below.

```powershell
#user that will connect to storage
$backupUser = "backupServer01\backupUser"
$backupPass = (Get-ItemProperty HKLM:\Software\Scripts).backupUser
```

You can retrieve the password by loading the extracted registry hive offline:

1. Extract `C:\Windows\System32\config\SOFTWARE` from the `.VMDK` file to a local Windows machine.
2. Open `regedit`, highlight `HKEY_LOCAL_MACHINE`, open the `File` menu in the top left corner and choose `Load Hive...`.
3. Enter a new name for the hive, then browse to the registry entry to find the plaintext password.
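
The same hive load can be done from an elevated PowerShell prompt. This is an added example, not part of the original page: it reports which values the key read by the script exposes in an extracted hive, which is a quick way to check whether a backup image stores such a secret as a plain string. The hive location (`.\SOFTWARE`) and the mount name `OfflineSoftware` are assumptions.

```powershell
# Added example. Assumptions: the hive was copied to .\SOFTWARE and the
# mount name "OfflineSoftware" is arbitrary. Requires an elevated prompt.
$hivePath  = Join-Path $PWD 'SOFTWARE'
$mountName = 'OfflineSoftware'
# HKLM:\Software\Scripts in the script maps to HKLM:\<mountName>\Scripts
# once the SOFTWARE hive is loaded under its own name.
$subKey    = 'Scripts'

& reg.exe load "HKLM\$mountName" $hivePath | Out-Null
if ($LASTEXITCODE -ne 0) { throw 'reg load failed (is the prompt elevated?)' }

$key = $null
try {
    $key = Get-Item -Path "HKLM:\$mountName\$subKey" -ErrorAction Stop
    foreach ($name in $key.GetValueNames()) {
        # Report name, type and length; a REG_SZ (String) value is stored unencrypted.
        [pscustomobject]@{
            Name   = $name
            Kind   = $key.GetValueKind($name)
            Length = "$($key.GetValue($name))".Length
        }
    }
}
finally {
    # Open handles keep the hive locked, so release them before unloading.
    if ($key) { $key.Close() }
    [gc]::Collect()
    & reg.exe unload "HKLM\$mountName" | Out-Null
}
```

Any value reported with `Kind` of `String` is readable by anyone who can open the backup image.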
