How to identify the Windows version of a dead install from Linux by having access only to its filesystem?

11

4

My question doesn't have an answer there, because all of them are Windows-specific and I want a Linux solution.

I have a dead Windows install in one of my partitions. It doesn't have any boot data any more. Practically, it is only a filesystem dump. But I have access to read any files on its filesystem.

How could I identify which Windows version it is? In the ideal case, I think there should be some configuration setting or any file which is unique to the different Windows versions. For example, on Debian-based Linux distros I could simply read /etc/debian_version.

How could I do the same on a Win?

Extension #1: Unfortunately, I have access only to a Linux box to reach its hard disk. So, solutions requiring Windows (for example, digging in the version of ntoskrnl.exe, or checking some registry settings) aren't feasible in my case.

peterh - Reinstate Monica

Posted 2015-07-11T00:50:41.473

Reputation: 2 043

Question was closed 2015-07-15T00:20:25.530

Unfortunately, this question didn't contain the answer I require. The solution I've found was that the C:\Windows\System32\License.rtf contains the Windows version. – peterh - Reinstate Monica – 2015-07-11T03:11:22.790

It is still a duplicate question. – Moab – 2015-07-11T12:16:42.717

@Moab My question is Linux-specific, while the other has only Windows-specific answers. – peterh - Reinstate Monica – 2015-07-11T14:00:32.187

I wish this question was de-duplicated, indeed the other question requires a working Windows installation, while this one is about Linux. I found that this answers the question: strings ./Windows/System32/ntoskrnl.exe 2>/dev/null | grep amd64. For me it printed 9600.18258.amd64fre.winblue_ltsb.160303-0600, and googling for winblue indicates that this was the code name for Windows 8.1. – David Faure – 2016-06-26T15:39:49.223

@DavidFaure Well, offer your answer in the thread your question is a duplicate of. It will be useful. – XavierStuvw – 2017-12-21T21:35:17.830

It isn't clear why this is receiving reopen votes. The solution that the OP states in the first comment here is the second-highest rated answer on the duplicate, and the duplicate is not Windows-specific. – fixer1234 – 2018-06-10T21:14:29.720

@fixer1234 Yes, the duplicate is Windows-specific, just as nearly all of its answers, except the second most upvoted one, which is essentially the same as the accepted answer of this question. But that answer was created a year after the answer accepted here; for this reason, that question could be closed as the dupe of this, and not vice versa. – peterh - Reinstate Monica – 2018-06-10T21:26:25.490

Too bad this is marked as duplicate. To get the info from Linux, it can be done with hivexget. I added the details to that other question: https://superuser.com/a/1383325/53547 – mivk – 2018-12-13T15:15:07.870

@mivk Thanks! It is a very useful answer. The closure of this question was a BAD decision, it is clearly visible for anybody... :-( – peterh - Reinstate Monica – 2018-12-13T15:24:28.130

Answers

4

Simple. Look at the version of <drive>:\Windows\System32\ntoskrnl.exe

In the case of XP, look for <drive>:\boot.ini

If it is Vista+ you can look for the <drive>:\Boot folder.

For Windows 7+ you can look in device manager for the hidden System Reserved partition.

If there is a file named license.rtf in your C:\Windows\System32 folder, it also contains your current Windows version.

td512

Posted 2015-07-11T00:50:41.473

Reputation: 4 778

Thank you very much! It is Win7+. The problem is that I don't have "System Reserved" partition any more. I have only the normal C:. How could I see the version of ntoskrnl.exe? – peterh - Reinstate Monica – 2015-07-11T01:35:59.903

I finally solved by license.rtf, but your other solutions were also useful. Thank you very much! – peterh - Reinstate Monica – 2015-07-11T01:42:46.197

@peterh for future reference, right-click, details. You will see info like (in my case: NT OS & Kernel. Version: 6.1.7601) – td512 – 2015-07-11T03:00:24.223

For ref: Microsoft Windows XP [Version 5.1.2600] (when starting cmd.exe) – Hannu – 2015-07-11T10:07:59.160

Err... ^- that is XP Pro "2002" SP 3 - 32bit, Microsoft Windows [Version 6.3.9600] is Windows 8.1 Pro (64 bit) – Hannu – 2015-07-11T10:42:08.213

Is there any way to tell a bit more detail, such as the difference between Home Edition and Professional Edition, or whether it is Windows 8 or Windows 8.1? – IQAndreas – 2015-11-10T00:55:42.047

@IQAndreas by using winver. Otherwise, it's almost impossible to tell – td512 – 2015-11-10T02:49:51.133

I didn't have luck with the above answers; what I ended up doing was looking at bootmgr on the boot partition. strings -e l bootmgr -n20 | grep -i win shows 10.0.17134.885 (WinBuild.160101.0800), and a quick google for the first bit shows this is a Win10 build #. Note that Windows generally uses UTF-16, so strings won't show much unless you tell it to look for little-endian 16-bit chars (-e l). – Mark – 2019-08-04T21:08:00.860

1

You could also stream

strings cmd.exe | find "Version" might work too. Most files have the version of Windows in their property sheet, which is visible in the raw binary near the end of it. One of these is the Windows version. It's in Unicode though.

wendy.krieger

Posted 2015-07-11T00:50:41.473

Reputation: 660

1) find "Version" is a Windows thing, I have Linux and use grep. 2) It gave only cryptic XML data; the only version info was something like "5.1.0.0", which can be anything between WinXP and Win7. But your answer may be useful for the googlers of the future, so here is a +1. – peterh - Reinstate Monica – 2015-07-11T04:44:45.867

You could load it in some sort of text editor or viewer, and look there. grep -i "Version" will do the same thing as Windows 'find'. – wendy.krieger – 2015-07-11T07:05:06.253

find /i "search-data" == grep -i "search-data". – Hannu – 2015-07-11T10:01:58.390
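
Added example (not code from any poster in this thread): a Python sketch of what the strings -e l comment and the "property sheet ... in unicode" answer describe, reading the UTF-16LE ProductVersion and FileVersion strings straight out of a binary such as ntoskrnl.exe and mapping major.minor to a release name. The function names and the embedded sample bytes are constructed for illustration; the sample reuses the version string quoted in the bootmgr comment above.

```python
import re
import sys

# Keys of the StringFileInfo block in a PE version resource. Key and value
# are both stored as NUL-terminated UTF-16LE, which is why plain `strings`
# misses them.
KEYS = ("ProductVersion", "FileVersion")

# major.minor -> client release (server editions share these numbers).
RELEASES = {"5.1": "Windows XP", "6.0": "Windows Vista", "6.1": "Windows 7",
            "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

def version_strings(data):
    """Return {key: value} for each version key found in raw file bytes."""
    found = {}
    for key in KEYS:
        # key, its NUL terminator, optional 32-bit alignment padding, value
        pattern = (re.escape(key.encode("utf-16-le"))
                   + rb"\x00\x00(?:\x00\x00)?((?:[\x20-\x7e]\x00)+)")
        match = re.search(pattern, data)
        if match:
            found[key] = match.group(1).decode("utf-16-le")
    return found

def describe(value):
    """Map a 'major.minor.build...' string to a release name."""
    match = re.match(r"(\d+\.\d+)\.(\d+)", value)
    if not match:
        return "unknown"
    build = int(match.group(2))
    name = RELEASES.get(match.group(1), "unknown release")
    if match.group(1) == "10.0" and build >= 22000:
        name = "Windows 11"  # Windows 11 still reports 10.0
    return f"{name} (build {build})"

def sample_bytes():
    """Constructed stand-in for part of a version resource, not a real file."""
    def entry(key, value, pad):
        return (key.encode("utf-16-le") + b"\x00\x00" + b"\x00\x00" * pad
                + value.encode("utf-16-le") + b"\x00\x00")
    return (b"MZ\x90\x00"
            + entry("FileVersion", "10.0.17134.885 (WinBuild.160101.0800)", 1)
            + b"\x5c\x00\x01\x00\x01\x00"
            + entry("ProductVersion", "10.0.17134.885", 0))

if __name__ == "__main__":
    # Path is the caller's, e.g. ./Windows/System32/ntoskrnl.exe on the mount.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_bytes()
    for key, value in version_strings(data).items():
        print(f"{key}: {value} -> {describe(value)}")
```

Run with the path to a binary on the mounted partition as the only argument; without one it parses the constructed sample. The kernel's version strings do not carry the edition (Home, Professional), only the release and build.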