Enumerate partitions using CLI


  • Enumerate partitions using CLI

    Howdy,

    Given that I have an image file (e.g. disk1.img) that contains several partitions, is there a way using the command-line to list the partitions present on the image? I see that the GUI does this, but I've been unable to do so using the command-line.

    Thanks,
    Mike

  • #2
    I don't know of any single line command that does this.
    It is probably possible via scripting.
    e.g. mount the .img file as a physical drive, then use the diskpart list partition command.




    • #3
      +1 on this if the feedback goes into a feature request bucket. Being able to programmatically determine the number of partitions that are present on an offline disk would be useful for detecting only the partition(s) that need to be mounted. In my case, I'm trying to read a VMDK offline but the boot partition does not contain information that I need (I only need the NTFS partition, Forum in the screenshot).



      • #4
        Can you use the DOS / PowerShell command, diskpart, for this?



        • #5
          Thanks! diskpart.exe would definitely work - I was actually planning on creating an array of drive letters with PowerShell before/after running "OSFMount.com -a -t file -f my.vmdk -v all" so I could keep track of what I need to clean up after I'm done reading the disks. I was hoping to not have to mount all volumes in the VMDK and instead mount only the volume I need, but I don't know which one I need until they are mounted.


          • #6
            Below is the PowerShell solution I came up with; hopefully this helps anyone else that has a similar use case...


            Code:
            $VmdkPath = "D:\VMs\TEW145\TEW145_System.vmdk"
            # Notes:
            #   * OSFMount should already be installed on local Windows endpoint
            #   * only tested against OSFMount v3.1.1001 and VMDK virtual disks
            if (Test-Path $VmdkPath) {
                if (-not (Test-Path "$($VmdkPath).lck")) {
                    $mountToolUninstallString = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E2AF9D8E-F778-4C3F-904B-F4F88873ADDE}_is1"
                    if (Test-Path $mountToolUninstallString) {
                        $mountToolInstallDirectory = Get-ItemPropertyValue -Path $mountToolUninstallString -Name InstallLocation
                        if ($mountToolInstallDirectory) {
                            $mountToolPath = Join-Path -Path $mountToolInstallDirectory -ChildPath "OSFMount.com"
                            if (Test-Path $mountToolPath) {
                                $OSFMountResults = & $mountToolPath -a -t file -f $VmdkPath -v all
                                # $OSFMountResults conditions (English OS+tool installation)
                                #   A. successfully mounted one or more disks: $OSFMountResults -eq MultiLineString
                                #   B. attempted to mount invalid/corrupt vmdk: $OSFMountResults -eq "Done."
                                #   C. attempted to mount random (non-vmdk) file: $OSFMountResults -eq "Done."
                                #   D. osfmount failed to launch/run: $OSFMountResults -eq $null
                                if ($OSFMountResults) {
                                    # successfully mounting a disk should return at least four lines
                                    # success pattern (English)
                                    #   Creating device...
                                    #   Created device 0: G: -> D:\VMs\TEW145\TEW145_System.vmdk
                                    #   Notifying applications...
                                    #   Done.
                                    if ($OSFMountResults.Count -ge 4) {
                                        $OsfMountedDisks = $OSFMountResults | ForEach-Object { if ($_ -match "(?<=\d: )(.*)(?= ->)") {$matches[1]} }
                                        if ($OsfMountedDisks.Count -ge 1) {
                                            $AllLogicalDisks = Get-CimInstance -Class Win32_LogicalDisk
                                            if ($AllLogicalDisks) {
                                                $OsfMountedLogicalDisks = $AllLogicalDisks | Where-Object {$_.DeviceId -in $OsfMountedDisks}
                                                # only interested in logical disks that are >4GB and formatted with NTFS or FAT32
                                                foreach ($curDisk in $OsfMountedLogicalDisks) {
                                                    if ($curDisk.Size -gt 4GB -and ($curDisk.FileSystem -eq "NTFS" -or $curDisk.FileSystem -eq "FAT32")) {
                                                        Write-Host "Do AllTheThings to $($curDisk.DeviceID) drive since it matches the desired criteria, then dismount the disk."
                                                        $DismountOsfLogicalDisk = & $mountToolPath -d -m $curDisk.DeviceID
                                                    }
                                                    else {
                                                        Write-Host "Dismounting $($curDisk.DeviceID) drive since it does not match the desired criteria."
                                                        $DismountOsfLogicalDisk = & $mountToolPath -d -m $curDisk.DeviceID
                                                    }
                                                }
                                            }
                                            else {
                                                # Win32_LogicalDisk returned no results (check for WMI health, antimalware tools, permissions, etc.)
                                            }
                                        }
                                        else {
                                            #no disks were mounted
                                        }
                                    }
                                    else {
                                        #attempted to load file that was corrupt or invalid
                                    }
                                }
                                else {
                                    #OSFMount.com was present but failed to execute successfully (check for antimalware tools, permissions, etc.)
                                }
                            }
                        }
                    }
                }
                else {
                    # VMDK is locked (VM is running) so unable to get read access to virtual disk and no need to proceed with mount/read attempts
                    Write-Host "Not mounting '$VmdkPath' because VM is running (disk file is locked)."
                }
            }
            else {
                # Path to VMDK provided is not valid
                Write-Host "'$VmdkPath' is not accessible."
            }



            • #7
              Thanks for posting that. I am sure it will help one or two other people.

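An added example, not part of any post in this thread and not OSFMount code: for a raw image like the disk1.img in the first post, the MBR partition table can be read straight from sector 0, so the partitions can be counted and typed before anything is mounted. `Get-MbrPartition` and the temp-file name are hypothetical; the function assumes a raw image with 512-byte sectors and MBR partitioning, and it does not parse GPT, logical partitions inside an extended partition, or container formats that wrap the disk in their own header.

```powershell
# Added example (not from the thread). Get-MbrPartition is a hypothetical helper name.
# Assumes a raw image, 512-byte sectors and MBR partitioning on a little-endian host.
function Get-MbrPartition {
    param([Parameter(Mandatory)][string]$ImagePath)
    $path = Convert-Path -LiteralPath $ImagePath   # .NET ignores the PowerShell location
    # Open read-only and read sector 0 only; the image is never mounted or modified.
    $fs = [System.IO.File]::Open($path, 'Open', 'Read', 'ReadWrite')
    try {
        $mbr = New-Object byte[] 512
        if ($fs.Read($mbr, 0, 512) -ne 512) { throw "Image is smaller than one sector." }
    }
    finally { $fs.Dispose() }
    if ($mbr[510] -ne 0x55 -or $mbr[511] -ne 0xAA) { throw "No 0x55AA signature: not an MBR." }

    $names = @{ 0x05 = 'Extended'; 0x07 = 'NTFS/exFAT'; 0x0B = 'FAT32'; 0x0C = 'FAT32 (LBA)'
                0x0F = 'Extended (LBA)'; 0x83 = 'Linux'; 0xEE = 'GPT protective' }
    foreach ($slot in 0..3) {
        $o    = 446 + 16 * $slot            # four 16-byte entries start at offset 446
        $type = [int]$mbr[$o + 4]           # cast so the lookup matches the Int32 keys
        if ($type -eq 0) { continue }       # unused slot
        $sectors = [BitConverter]::ToUInt32($mbr, $o + 12)
        [pscustomobject]@{
            Slot      = $slot + 1
            Bootable  = $mbr[$o] -eq 0x80
            Type      = '0x{0:X2}' -f $type
            Name      = if ($names.ContainsKey($type)) { $names[$type] } else { 'Other' }
            StartLBA  = [BitConverter]::ToUInt32($mbr, $o + 8)
            SizeBytes = [long]$sectors * 512
        }
    }
}

# Constructed sample: an MBR with a 100 MB boot partition and a 20 GB NTFS volume.
$img = Join-Path ([System.IO.Path]::GetTempPath()) 'constructed-mbr.img'
$sector = New-Object byte[] 512
$sector[510] = 0x55; $sector[511] = 0xAA
$sector[446] = 0x80; $sector[450] = 0x07
[BitConverter]::GetBytes([uint32]2048).CopyTo($sector, 454)
[BitConverter]::GetBytes([uint32]204800).CopyTo($sector, 458)
$sector[466] = 0x07
[BitConverter]::GetBytes([uint32]206848).CopyTo($sector, 470)
[BitConverter]::GetBytes([uint32]41943040).CopyTo($sector, 474)
[System.IO.File]::WriteAllBytes($img, $sector)

Get-MbrPartition -ImagePath $img | Format-Table -AutoSize
# Same size criterion as the script in post #6, applied before mounting.
Get-MbrPartition -ImagePath $img | Where-Object { $_.Type -eq '0x07' -and $_.SizeBytes -gt 4GB }
Remove-Item -LiteralPath $img
```

A type byte of 0xEE in slot 1 means the disk is GPT-partitioned and the real table is not in the MBR; the type byte is also only a hint, so the file system should still be confirmed once the chosen volume is mounted.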