The MAC Daddy

I received a question in my inbox today regarding locating a system's MAC address within an image of a system, and I thought I'd share the response I provided...
"The path to the key that tells you which NICs are/were in use on the system is:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards

Beneath this key, you will see a set of subkeys, each with different numbers;
on my system, I see "10", "12", and "2". Each of these keys contains values;
Description and ServiceName. The ServiceName value contains the GUID
for the interface.

Using the GUIDs, go to:
HKLM\SYSTEM\ControlSet00x\Services\Tcpip\Parameters
\Interfaces

*Be sure to use the ControlSet marked as "Current".

Beneath this key, you'll see subkeys with names that are GUIDs. You're
interested in the GUIDs you found beneath the previous key. Within each key,
you will find the values associated with that interface.

By default, Windows does not retain the MAC address in the Registry. I'm
aware that there are sites out there that say that it does, but they are incorrect...
at least, with regards to this key. If you *do* find an entry within the "Interfaces"
key above that contains a value such as "NetworkAddress", it is either specific
to the NIC/vendor, or it's being used to spoof the MAC address (this is a known
method).

Also check the following key for subkeys that contain a "NetworkAddress" value:
HKLM\SYSTEM\ControlSet001\Control\Class
\{4D36E972-E325-11CE-BFC1-08002bE10318}

Other places you can look for the MAC address:

*Sometimes* (not in all cases) if you find the following key, you may find a value
named "MAC", as well:
HKLM\SOFTWARE\Microsoft\Windows Genuine Advantage

Another place to look is Windows shortcut (*.lnk) files...Windows File Analyzer
is a GUI tool that parses directories worth of *.lnk files and one of the fields that
may be populated is the MAC address of the system."

I thought others might find this helpful as well...