6

I need to find out what Windows and Service Pack system is currently running. All I have is ftp access, it means I cannot run any the software.

Is there a way to determine what version of Windows, Service Pack, and what Language is installed on a system?

schroeder
  • 123,438
  • 55
  • 284
  • 319
Dranik
  • 233
  • 1
  • 3
  • 8
  • pull the entire registry SAM? – Richie Frame Jan 15 '16 at 04:19
  • It's protected. Windows doesn't let to copy it. – Dranik Jan 15 '16 at 04:25
  • There are programs that will use the packets from the network of the machine to fingerprint the OS. It will not be as details as you want, but it's something. – schroeder Jan 15 '16 at 04:43
  • What kind of access do you have to the filesystem? Can you search the whole c:\system directory? – schroeder Jan 15 '16 at 04:43
  • "nmap -O" will give you some details. – N. Greene Jan 15 '16 at 14:46
  • I have ftp access to the system, read only. Nmap can guess, but I want to find a way to determine all this information without doing a scan, just by looking at the file system.
    – Dranik Jan 15 '16 at 16:41
  • I found WindowsUpdate.log in c:\Windows and it has WUA version (such as 7.6.7601.18804 for win 7), but not sure if that can be used with 100% certainty and how to map it to SP installed and OS Language. – Dranik Jan 15 '16 at 16:48
  • Only FTP access is available but you're able to view the contents of WindowsUpdate.log. Sounds to me like there are plenty of misconfigurations for you to get the information you need. FWIW, WindowsUpdate.log should be considered reliable. – user2320464 Jan 20 '16 at 17:23
  • Are you able to import an individual hive? If so this is the method I used recently: Import the software hive from the registry of the drive in question using regedit. It's located in %SYSTEMROOT%\system32\config. It doesn't matter where you import it to (let's suppose HKEY_LOCAL_MACHINE) or the name you pick. Regedit is normally in C:\Windows (can be launched from the command prompt). Then check the version in the key (HKEY_LOCAL_MACHINE//Microsoft/Windows NT/CurrentVersion) under the hive you imported. https://blog.skullsecurity.org/2010/find-the-windows-version-offline – Dale Newton Aug 15 '19 at 22:38

2 Answers2

13

Based on https://superuser.com/questions/363018/how-do-i-tell-what-version-and-edition-of-windows-is-on-the-filesystem you can find the Windows Version and Service pack in C:\Windows\System32\license.rtf for Windows 7. For Windows XP the information is in C:\Windows\System32\eula.txt. For Windows 10 licenses.rtf does not contain the version. Instead it contains the EULA code, which you can use to find the version online.

I tested this on XP SP3, 7, 7 SP1, and 10 and found that this works for each OS.

The current language pack is a little more tricky. You can find what appears to be the currently available languages in C:\Windows\System32. The folders are in the format of xx-XX (xx = language, XX = country). For example en-US is English-United States, es-MX is Spanish-Mexico.

The packs that have been used are copied to C:\Windows.

To test this I switched my Windows 7 SP1 and Windows 10 Pro machines over to es-MX and, once I rebooted the computer, found that the es-MX folder was created in C:\Windows. Unfortunately the en-US was still there making the current language ambiguous. However you should be able to use the combination of active packs and the names of Documents, Photos, Music ect. to get the current language.

I was unable to test this in XP as I could not risk bricking my last running example of XP.

Community
  • 1
AstroDan
  • 2,226
  • 13
  • 24
-1

If you have complete and total ftp access to the system, and can browse to even something like C:\Windows\System32, you could see if you can find a file called:

C:\Windows\System32\version.dll

If you can, and can GET that file, you can grab it and cat it out. (Or use cmd command type on Windows, or open it with a text editor). There should be some human readable strings in there, such as:

System@ProductVersion5.2.3790.1830D

That version string should help you out, you can ask Google to find an exact match, the general rule for OS family versions can be found here:

http://www.geoffchappell.com/studies/windows/km/ntoskrnl/history/index.htm

In this case, that string refers to version: Microsoft Windows Server 2003, 5.2.3790.1830 (srv03_sp1_rtm.050324-1447)

Google found that information at this site: https://thecollectionbook.info/windows/server-2003/629

Shane Wegner
  • 1