Knowing the name of a computer that you are examining can be important for many reasons.  In a situation where you may need to examine a computer that was removed from a network, it will help you verify that it is indeed the computer in question.  The Computer Name is also used to correlate information found in Event Logs.

Also, for Law Enforcement you may have a situation where there is a high rate of laptop thefts in a particular area.  Let us say a suspect is apprehended for a crime while in possession of a laptop in that area.  He/she may claim that the laptop is theirs.  Well, if they offer consent or you are granted a search warrant to examine the laptop, this could help build your case against the suspect.  Is this the be all, end all to determine guilt?  No, but you can use this information to possibly help challenge their alibi and poke holes in their story if the Computer Name is completely off.

First things first though.  Using your favorite Registry Viewer, determine the CurrentControlSet for the Windows machine you are examining.  You can follow the instructions for doing that HERE.  Once you have done that, proceed to SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName.  You will see the following:

AccessData’s Registry Viewer:

MiTeC Registry Analyzer:


To find this information in a Non-Forensic fashion, go to Control Panel > System > Computer Name tab.

Thanks to some help from Harlan Carvey (see Comments below), I have added the other Registry Keys of note to obtain a Computer Name from a Windows system.

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters (Look for the value of Hostname):

SOFTWARE\Microsoft\SchedulingAgent (Look at the value of OldName):
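
The lookup described above, as an added example (not part of the original post or of any tool it mentions): it parses the text of a .reg export, uses the Current value under SYSTEM\Select to resolve which ControlSet00n is the CurrentControlSet, and collects the three name values from the keys listed in this post. The sample export, the function names and every data value are constructed for illustration; a real regedit export is UTF-16 and must be decoded to text first.

```python
import re

# Constructed sample: decoded text of a .reg export covering the keys named in
# the post. Every name and data value here is made up for the example.
SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\Select]
"Current"=dword:00000002
"LastKnownGood"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerName]
"ComputerName"="OLD-PC"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Control\ComputerName\ComputerName]
"ComputerName"="FRONTDESK-07"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip\Parameters]
"Hostname"="frontdesk-07"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent]
"OldName"="FRONTDESK-01"
'''

VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Return {KEY_PATH_UPPERCASED: {value_name: data}} for string and dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, dword, string = m.groups()
            current[name] = int(dword, 16) if dword else string
    return keys

def computer_names(text):
    """Resolve the active control set, then collect the three name values."""
    keys = parse_reg(text)
    hklm = "HKEY_LOCAL_MACHINE"
    n = keys[hklm + r"\SYSTEM\SELECT"]["Current"]   # Select\Current picks ControlSet00n
    cs = hklm + rf"\SYSTEM\CONTROLSET{n:03d}"
    found = {
        "ControlSet": f"ControlSet{n:03d}",
        "ComputerName": keys.get(cs + r"\CONTROL\COMPUTERNAME\COMPUTERNAME", {}).get("ComputerName"),
        "Hostname": keys.get(cs + r"\SERVICES\TCPIP\PARAMETERS", {}).get("Hostname"),
        "OldName": keys.get(hklm + r"\SOFTWARE\MICROSOFT\SCHEDULINGAGENT", {}).get("OldName"),
    }
    # Compare case-insensitively; more than one distinct name is worth a closer look.
    found["distinct"] = sorted({v.upper() for k, v in found.items() if k != "ControlSet" and v})
    return found

if __name__ == "__main__":
    print(computer_names(SAMPLE_REG))
```

In the constructed sample the name under ControlSet001 is ignored because Select\Current points at ControlSet002, and the differing OldName shows up as a second entry in `distinct`.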

Harlan Carvey

August 22, 2010


There’s also:

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters; value: Hostname

HKLM\SOFTWARE\Microsoft\SchedulingAgent; value: OldName

Joe G

August 22, 2010


Thanks Harlan! I have updated this post with your suggestions.


