Read VMDK files

Windows

In Windows simply open the .VMDK files with 7-zip or similar.

Linux

 apt-get install guestmount libguestfs-tools
 virt-filesystems -a backupFile.vhdx 
/dev/sda2
 mkdir /mnt/share/disk
 sudo guestmount -a backupFile.vhdx -m /dev/sda2 --rw /mnt/share/disk

 sudo cp /mnt/share/disk/Windows/NTDS/ntds.dit .
 sudo cp /mnt/share/disk/Windows/System32/config/SYSTEM .

Restore Windows Registry

If you find a script in the .VMDK file where credentials are fetched from the registry, like below.

#user that will connect to storage
$backupUser = "backupServer01\backupUser"
$backupPass = (Get-ItemProperty HKLM:\Software\Scripts).backupUser

You can retrieve the password by restoring the registry like so:

  1. Extract C:\Windows\System32\config\SOFTWARE from .VMDK file to local Windows Machine

  2. Open regedit, highlight HKEY_LOCAL_MACHINE, go to File in the top left corner and press Load Hive...

  3. Write a new name for the Hive and browse to the registry entry to find the plaintext password.

Last updated

Was this helpful?