locked
ReAgent.XML Question -Windows 8 RRS feed

  • Question

  • I am currently researching forensic artifacts found in Windows 8. Looking at the Refresh data in the ReAgent.XML I am unsure what the value CustomImageLocation path, what does the offset=<numeric value> represent? Thought it was location on disk but unable to find the related offset as a Hex value. 
    Any idea what this value might be?
    Friday, May 4, 2012 6:46 PM

Answers

  • Hello Ken,

    Open an elevated cmd prompt and run reagentc /?

    Choose the info option to display the settings currently on the system

    if you choose the setreimage option you are choosing a customImagelocation ( not the default lcation)

    Not sure of the offset value is however.


    Thanks, Darrell Gorter [MSFT] This posting is provided "AS IS" with no warranties, and confers no rights. VAMT - Volume Activation Management Tool - Download link http://www.microsoft.com/downloads/details.aspx?FamilyID=ec7156d2-2864-49ee-bfcb-777b898ad582&displaylang=en

    Wednesday, May 9, 2012 9:18 PM