How do I tell what version and edition of Windows is on the filesystem?

28

6

I am attempting to recover an old computer that won't boot and I'm not sure what version of Windows it is running. How do I tell simply by examining the file system?

I am fairly confident it is either Vista or Windows 7. There is a small chance it is Windows Server 2008.

Chloraphil

Posted 2011-11-30T14:45:26.340

Reputation: 600

Are you using another Windows computer to perform the recovery? http://www.skullsecurity.org/blog/2010/find-the-windows-version-offline

– William Jackson – 2011-11-30T15:11:30.717

Related: http://stackoverflow.com/questions/5709967

– iglvzx – 2011-11-30T17:22:22.837

Answers

14

Your best bet is going to be finding the properties of a Windows executable (such as explorer.exe). In my case its File and Product version is 6.1.7601.17567.

6.0.xxxx.xxxxx will denote Windows Vista (with 6000, 6001 and 6002 being RTM, SP1 and SP2 respectively).

6.1.xxxx.xxxxx will denote Windows 7 (with 7600 and 7601 being RTM and SP1).

The same version numbers will apply for Windows Server as well, so I'm not sure how you'd tell the difference with those using this method.

Matthew Steeples

Posted 2011-11-30T14:45:26.340

Reputation: 2 130

26

Look at the file

C:\Windows\System32\License.rtf

It can be found for all these Windows operating systems:

Vista, W7, W8, W8.1

These license RTF files will have the version of Windows and also the edition, Windows 7 Pro for example.

Windows 10 has the rtf file but does not show the edition, but if it has the arbitration clause note at the top you know it is W10, or use the explorer trick in Matthew Steeples' answer.

To find the Windows 10 product type (Home, Pro etc.), see Moif Murphy's answer further down this page.

Moab

Posted 2011-11-30T14:45:26.340

Reputation: 54 203

5 This is especially nice for Linux users. – code_onkel – 2016-07-20T13:03:29.443

In Linux, you'll probably have to mount your Windows partition. You can use the blkid command, and look for TYPE="ntfs". In my case, it's /dev/sda2. Then: sudo mount -t ntfs /dev/sda2 <your mount point>. You can look at the rtf file with libreoffice. – AAAfarmclub – 2018-10-04T00:30:06.323

On my dual boot system (Bunsen Helium and WINDOWS 7 HOME PREMIUM), it was lower case: license.rtf – AAAfarmclub – 2018-10-04T00:35:35.997

Same here on a Windows 7 Ultimate. Very important note because Linux is case-sensitive and often sorts that way as well. – Arlen Beiler – 2018-11-19T04:57:10.507

1 On Windows 10 you can check the folder: C:\Windows\System32\Licenses. It should contain something like c:\Windows\System32\Licenses\neutral\_Default\Professional\license.rtf for Pro edition. For Windows 10 Enterprise it seems to have both Enterprise and Professional folders. I'm guessing Home editions will have a Home folder. – Nux – 2019-07-27T23:05:52.117

@Nux, as of version 1909, the only folders in the neutral folder in Home edition are _Default, OEM, and Volume. Nothing in there is of any use. – Moab – 2019-12-24T17:32:38.077

9

Using the registry you can look up version and edition

I found this answer over at Stack Overflow to the question "Determine Windows Version, Edition and Service Pack OF AN OFFLINE DISK IMAGE":

Use the values under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. I presume you know where to find that hive?! The respective hive can be found under %SystemRoot%\System32\config with the name SOFTWARE.

Side-note: you can attempt to verify your results by looking at some well-known files (e.g. kernel32.dll, ntdll.dll) and into their version information resource (what you're looking for is the file version: with, e.g. GetFileVersionInfo()).

Edition values, if that's needed, can be found at HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions.

More specifically, how to load the hive of another registry:

http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/regedit_load_hive.mspx?mfr=true

Moif Murphy

Posted 2011-11-30T14:45:26.340

Reputation: 1 192

+1 very kewl. i knew how to find the windows version....but the edition location is awesome! you rock! – ThaKidd KG5ORD – 2017-07-21T20:19:51.320

Yes, loading hives is possible with regedit from any Windows. The system seems unaffected by this if you are careful (choose a temporary name when loading and then unload the hive). See more: http://www.zeda.nl/index.php/en/load-user-registry-hive-in-regedit

– Nux – 2019-07-27T23:08:57.130

1 -1 OP mentioned it won't boot making viewing the registry quite tricky... – HaydnWVN – 2011-11-30T16:54:31.633

6 You can load a different hive into regedit, I'm fairly sure. If not, I bet there's a tool that can do it. – Rob – 2011-11-30T16:56:26.187

+1, as that's what I use all the time. I load up Magic Jellybean Keyfinder, and point to the Windows folder to read the registry. Tells me what version and edition – Canadian Luke – 2011-11-30T17:15:23.620

6

If you have Linux on the same system, you could boot into Linux, ensure the Windows partition is mounted (for instance here it's in /mnt/C) and then do strings /mnt/C/Windows/System32/ntoskrnl.exe 2>/dev/null | grep amd64. For me it printed 9600.18258.amd64fre.winblue_ltsb.160303-0600, and googling for winblue indicates that this was the code name for Windows 8.1.

David Faure

Posted 2011-11-30T14:45:26.340

Reputation: 161

+1 This is the best way I've found to get the Windows 10 version. The string has the build number at the start - in my case 14393 (14393.351.amd64fre.rs1_release_inmarket.161014-1755). Looking at the Windows 10 release info, that corresponds to version 1607.

– wjandrea – 2018-03-03T03:31:21.313
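
Added example (not part of the answer above): a shell script that pulls the build-lab string out of an offline ntoskrnl.exe and splits it into fields, labelling the build with the releases named on this page. The function names and the field names `revision`, `type` and `stamp` are this example's own, and `grep -a` stands in for `strings`.

```shell
#!/bin/sh
# Added example, not from the original answers.

# Print the first build-lab string in a kernel image ($1). LC_ALL=C with
# grep -a scans the binary as raw bytes, much as strings(1) does.
kernel_buildlab() {
    LC_ALL=C grep -a -o -E \
        '[0-9]{4,5}\.[0-9]+\.[a-z0-9]+(fre|chk)\.[A-Za-z0-9_]+\.[0-9]{6}-[0-9]{4}' \
        "$1" | head -n 1
}

# Map a build number to the release named for it on this page. Server
# editions share these numbers, so only the client name is given.
build_label() {
    case $1 in
        6000) echo "Windows Vista RTM" ;;
        6001) echo "Windows Vista SP1" ;;
        6002) echo "Windows Vista SP2" ;;
        7600) echo "Windows 7 RTM" ;;
        7601) echo "Windows 7 SP1" ;;
        9600) echo "Windows 8.1" ;;
        14393) echo "Windows 10 version 1607" ;;
        15063) echo "Windows 10 version 1703" ;;
        *) echo "unknown (build not listed on this page)" ;;
    esac
}

# Split a build-lab string ($1) into key=value lines; fails on other input.
parse_buildlab() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split on dots into $1..$5
    IFS=$old_ifs
    [ $# -eq 5 ] || return 1
    case $1 in ''|*[!0-9]*) return 1 ;; esac
    arch=${3%fre}; arch=${arch%chk}   # amd64fre -> amd64
    kind=${3#"$arch"}                 # fre (free) or chk (checked)
    printf 'build=%s\nrevision=%s\narch=%s\ntype=%s\nbranch=%s\nstamp=%s\n' \
        "$1" "$2" "$arch" "$kind" "$4" "$5"   # stamp is yymmdd-hhmm
    printf 'release=%s\n' "$(build_label "$1")"
}

# With a path argument, decode that kernel image; without one, decode the
# string quoted in the answer above.
if [ $# -ge 1 ]; then
    parse_buildlab "$(kernel_buildlab "$1")"
else
    parse_buildlab "9600.18258.amd64fre.winblue_ltsb.160303-0600"
fi
```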

4

If you can still run executables from that filesystem, you can run C:\Windows\System32\winver.exe

Mijndert Stuij

Posted 2011-11-30T14:45:26.340

Reputation: 331

4 Wouldn't that just give you the version that you run winver.exe on? – Rob – 2011-11-30T16:56:11.803

I ran it and it gave me the correct version of Windows (home premium, starter, etc.), which build, which service pack, and whom the version of Windows was licensed to. – Yzmir Ramirez – 2012-07-01T15:00:14.537

3

If you don't have a running Windows and want to find the information from a Linux machine, you can use hivexget to read the registry file on the disk.

For Debian-based systems, install it with sudo apt install libhivex-bin.

Example (with grep to make the output shorter):

# hivexget /mnt/tmp/WINDOWS/system32/config/software 'Microsoft\Windows NT\CurrentVersion' \
| egrep 'ProductName|CSDVersion|"ProductId'
"ProductName"="Microsoft Windows XP"
"CSDVersion"="Service Pack 3"
"ProductId"="76487-OEM-0011903-00101"

Remove the | egrep ... part to see all values under that key.

mivk

Posted 2011-11-30T14:45:26.340

Reputation: 2 270
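
Added example (not part of any answer on this page) combining the hivexget lookup above with the path-case problem raised in the comments under the License.rtf answer: each path component is matched case-insensitively before the hive is read. `ci_path`, `os_fields` and `offline_os_info` are names made up here, and `EditionID`, `CurrentVersion` and `CurrentBuild` are registry values under the same key that the answer's output does not show.

```shell
#!/bin/sh
# Added example, not from the original answers.

# Resolve a Windows path ($2, with / separators) below a mount point ($1),
# matching each component without regard to case. Prints the real path,
# or fails if any component is missing.
ci_path() {
    cur=$1
    old_ifs=$IFS; IFS=/
    set -- $2                      # split the path into components
    IFS=$old_ifs
    for part in "$@"; do
        cur=$(find "$cur" -mindepth 1 -maxdepth 1 -iname "$part" 2>/dev/null |
              head -n 1)
        [ -n "$cur" ] || return 1
    done
    printf '%s\n' "$cur"
}

# Reduce hivexget output (lines of the form "Name"="value") read from
# stdin to the values that identify the installed OS.
os_fields() {
    sed -n -E \
        's/^"(ProductName|EditionID|CSDVersion|CurrentVersion|CurrentBuild)"="(.*)"$/\1: \2/p'
}

# Report what can be learned from a Windows volume mounted at $1.
offline_os_info() {
    hive=$(ci_path "$1" Windows/System32/config/SOFTWARE) || {
        echo "no SOFTWARE hive found under $1" >&2
        return 1
    }
    echo "hive: $hive"
    hivexget "$hive" 'Microsoft\Windows NT\CurrentVersion' | os_fields
    # The licence file named in an earlier answer, whatever its case.
    if lic=$(ci_path "$1" Windows/System32/license.rtf); then
        echo "license file: $lic"
    fi
}

# Usage: script.sh /mnt/tmp   (needs hivexget from libhivex-bin)
if [ $# -ge 1 ]; then
    offline_os_info "$1"
fi
```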

1

If you boot into Windows installation media (say USB stick), and press [SHIFT] + [F10] to get the command prompt, you could query which drive letter corresponds to the original OS drive in question, and then get the version info of a program like ntoskrnl.exe. For example to explore the installed disks and related drive letters,

$ wmic diskdrive get model,name,serialnumber
$ wmic logicaldisk get description,deviceid,volumename
$ wmic datafile where name="<DRIVE LETTER>:\\Windows\\System32\\ntoskrnl.exe" get Version /value

Version 10.0.15063.413

Or using the method from @beyondtime, which is less typing but omits the decimal part of the build number

$ type "<DRIVE LETTER>:\ProgramData\Microsoft\Diagnosis\osver.txt"

10.0.15063

So here the OS installed on the indicated drive letter is Windows 10, Build 15063.413. A google search shows this to be Windows 10 version 1703 | Redstone 2 | Creators Update.

As a bonus, if you want to see the last time that OS was booted, you can do

$ dir /ah /tw <DRIVE LETTER>:\pagefile.sys

01/31/2017  03:04 PM   ......  pagefile.sys

You can probably determine when the OS was originally installed by reviewing the creation time of the hidden files and folders at the root of the drive:

$ dir /ah /tc "<DRIVE LETTER>:\"

And to shut down when you're finished:

$ wpeutil shutdown

Ryan Feeley

Posted 2011-11-30T14:45:26.340

Reputation: 31

1

Open the file bootmgr in Notepad. It is located on the hard drive you are wanting to know the version of. It will be a hidden file, so select show hidden files in folder options. Sorted.

Dex

Posted 2011-11-30T14:45:26.340

Reputation: 11

This is a 300 KB+ binary file and I did not find anything about windows version in this. – Jerther – 2017-08-10T14:50:19.347

0

Get Magical Jelly Bean Keyfinder. The portable free version works fine. Safest to get it from their website magicaljellybean.com or Softpedia etc.

Start it up. Under the tools menu, select >> load hive. It then shows all your drives, select the windows folder of the drive in question. It instantly provides the version and keys.

fred64

Posted 2011-11-30T14:45:26.340

Reputation: 19

Magical Jelly Bean Keyfinder is known to report the incorrect license key. It also is nagware that only works correctly if you purchase it. It also isn't required to determine which installation of Windows is on a filesystem; there are much easier ways than using nagware like Magical Jelly Bean Keyfinder, which, did I mention, doesn't even work? – Ramhound – 2016-10-31T20:52:39.927

1 I've used it for years, never any nags or ads. You must have got a hijacked version. The issue here is not about keys, but getting the exact version of Windows, which keyfinder reports accurately. It requires 0 expertise, 0 hunting for ini files or hive entries and gives you a complete answer in seconds effortlessly without trying to figure out product code or match version data. If you had a better/easier solution why not describe it. – fred64 – 2016-10-31T21:25:09.400

Nope; got it straight from the publisher who signed the executable – Ramhound – 2016-10-31T22:07:41.233

0

For Windows 10 one can use Wordpad.exe or notepad.exe on a Windows OS to analyze
C:\ProgramData\Microsoft\Diagnosis\osver.txt.

On Unix systems a console command like
cat <Windows system root partition>/ProgramData/Microsoft/Diagnosis/osver.txt
shows the version number.

Example for OS build number: 10.0.18362 (without .116 - .267@2019-07-26)

beyondtime

Posted 2011-11-30T14:45:26.340

Reputation: 21