3

I am trying to customize a Clonezilla Live iso to be able to conveniently take snapshots of different Windows installations (XP, Vista, Win7, Win8). Ideally I would like to boot the machine on a CD that automatically identifies the Windows version and creates a snapshot with a name containing the OS (something like Windows_XP_2013-06-17).

Is there a way to programmatically identify what version of Windows is installed on an NTFS partition mounted in a Linux live environment?

Vasily Galkin
Anders Lindahl

6 Answers

3

You can use the strings command to read registry files; I tested it on my machine and it worked:

strings /media/cuonglm/Windows/Windows/System32/config/SOFTWARE | grep -e '^6\.1\.' | head -n 1

Output:

6.1.7601.17608

It denotes that my version is Windows 7 SP1.

I think it is a faster way than using tools to manipulate properties of PE files or registry files.

cuonglm
1

You can access Windows registry using tools like chntpw. You need the following keys, located in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion:

ProductName
Version
VersionNumber
SubVersionNumber

You can create a script that will automate chntpw and parse registry keys to identify Windows version.

dusty
1

There are several non-Windows and non-command solutions which you can use for your problem. Here are a few ideas that I thought of:

Boot.ini

Try reading the boot.ini text file from the Windows boot partition (i.e. C:\boot.ini). This (usually) has the default boot information if it has not been manually changed. You can read the text file and use a regex to find out the version.

For example, my boot.ini has "Microsoft Windows XP Professional" part which can be easily parsed with any Regular Expression.

Check file system structure

You may get some clue about the general version of Windows by looking at the directory structure it uses: the Windows XP family uses a C:\Documents and Settings kind of directory structure (language dependent), while later versions use different directories.

This one is not a good solution, but it is one solution.

cmd.exe

For this one I'm not completely sure, but I think I remember that Windows' command prompt binary file (cmd.exe) has a version stored in it. Reading the binary file and its resources could help determine the correct version.

Still, of all these solutions, I would suggest you try reading boot.ini. It is user customizable but very rarely changed by regular users.

1

Looking at the ntoskrnl.exe version info gives both numeric and textual results:

me@host:/mnt$ iconv -cf utf16 Windows/System32/ntoskrnl.exe|strings|grep  6\\.
6.1.7601.18409 (win7sp1_gdr.140303-2144)
6.1.7601.18409
Vasily Galkin
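
The ntoskrnl.exe approach above can be made structural instead of grepping for `6\.`: the following is an added Python example (not part of any answer on this page) that locates the UTF-16LE `ProductVersion` key of the PE version resource, reads its value, and builds a snapshot name in the `Windows_XP_2013-06-17` style from the question. The function names, the version-to-name table and the `sample_resource` test bytes are constructed for illustration; the only assumption about the target is that the kernel image sits at `Windows/System32/ntoskrnl.exe` on the mounted volume.

```python
import datetime
import re
import sys

KEY = "ProductVersion".encode("utf-16-le")  # version-resource keys are UTF-16LE
# (major, minor) -> client name; server editions share these numbers.
NAMES = {(5, 1): "XP", (5, 2): "XP_x64", (6, 0): "Vista", (6, 1): "7",
         (6, 2): "8", (6, 3): "8.1", (10, 0): "10"}


def product_version(data):
    """Return ProductVersion as a 4-tuple of ints, or None if absent."""
    start = data.find(KEY)
    while start != -1:
        pos = start + len(KEY)
        # Skip the key's NUL terminator and any alignment padding.
        while data[pos:pos + 2] == b"\x00\x00":
            pos += 2
        end = pos
        while end + 2 <= len(data) and data[end:end + 2] != b"\x00\x00":
            end += 2
        text = data[pos:end].decode("utf-16-le", errors="replace")
        match = re.match(r"(\d+)\.(\d+)\.(\d+)\.(\d+)", text)
        if match:
            return tuple(int(g) for g in match.groups())
        start = data.find(KEY, start + 2)  # false hit, keep looking
    return None


def windows_name(version):
    major, minor, build, _ = version
    if (major, minor) == (10, 0) and build >= 22000:
        return "11"  # Windows 11 still reports 10.0
    return NAMES.get((major, minor), f"{major}.{minor}")


def snapshot_name(ntoskrnl_bytes, day=None):
    version = product_version(ntoskrnl_bytes)
    label = windows_name(version) if version else "unknown"
    return f"Windows_{label}_{(day or datetime.date.today()).isoformat()}"


def sample_resource(version_text):
    """Constructed stand-in for the version-resource bytes in ntoskrnl.exe."""
    return b"MZ" + KEY + b"\x00\x00\x00\x00" + version_text.encode("utf-16-le") + b"\x00\x00"


if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to <mount>/Windows/System32/ntoskrnl.exe
        with open(sys.argv[1], "rb") as fh:
            print(snapshot_name(fh.read()))
    else:
        print(snapshot_name(sample_resource("6.1.7601.18409"), datetime.date(2013, 6, 17)))
```

Run with the path to the mounted ntoskrnl.exe as the only argument; without an argument it prints the name for the constructed Windows 7 sample.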
0

Using Linux, here Ubuntu, you can use chntpw.

I did this:

sudo apt install chntpw
chntpw -e /path/to/windisk/Windows/System32/config/SOFTWARE
cat \Microsoft\Windows NT\CurrentVersion\ProductName

and was told that the version was Windows 10 Home. Note that the capitalization in the path may differ across versions, so look if it doesn't work. One place also mentioned a RegBack folder occurring in the path (sorry, I forgot where).

Additional details may be found through other keys. To list other keys in CurrentVersion, while in chntpw, do

ls \Microsoft\Windows NT\CurrentVersion
Rasmus
-1

Get Magical Jelly Bean Keyfinder. The portable free version works fine.

Start it up, and under the tools menu select >> load hive. It then shows all your drives, select the windows folder of the drive in question.

fred64
  • Magical Jelly Bean Keyfinder is a Windows program which would almost certainly not run under a Clonezilla/Linux Live environment as described by OP. – John K. N. Nov 01 '16 at 15:13
  • I agree keyfinder runs within windows, but he has access to the various windows NTFS partitions. You just need to see them from a windows box to run keyfinder, which will identify each partition. – fred64 Nov 01 '16 at 21:50