15

I have a dead Windows install in one of my partitions. It doesn't have any boot data anymore. Practically, it is only a filesystem dump. But I have access to read any files on its filesystem.

How could I identify which Windows version it is? In the ideal case, I think there should be some configuration setting or a file unique to the different Windows versions. For example, on Debian-based Linux distros, I could simply read `/etc/debian_version`.

Unfortunately, I have access only to a Linux box to reach its hard disk. So, solutions requiring Windows (for example, digging in the version of ntoskrnl.exe, or checking some registry settings) aren't feasible in my case.

peterh
  • 5
    Unfortunately, this question didn't contain the answer I require. The solution I've found was that `C:\Windows\System32\License.rtf` contains the Windows version. – peterh Jul 11 '15 at 03:11
  • It is still a duplicate question. – Moab Jul 11 '15 at 12:16
  • 1
    @Moab My question is Linux-specific, while the other has only windows-specific answers. – peterh Jul 11 '15 at 14:00
  • 3
    I wish this question was de-duplicated, indeed the other question requires a working Windows installation, while this one is about Linux. I found that this answers the question: `strings ./Windows/System32/ntoskrnl.exe 2>/dev/null | grep amd64`. For me it printed `9600.18258.amd64fre.winblue_ltsb.160303-0600`, and googling for winblue indicates that this was the code name for Windows 8.1. – David Faure Jun 26 '16 at 15:39
  • @DavidFaure Well, offer your answer in the thread your question is duplicate of. It will be useful. – XavierStuvw Dec 21 '17 at 21:35
  • 1
    It isn't clear why this is receiving reopen votes. The solution that the OP states in the first comment here is the second-highest rated answer on the duplicate, and the duplicate is not Windows-specific. – fixer1234 Jun 10 '18 at 21:14
  • 1
    @fixer1234 Yes, the duplicate is Windows-specific, just as nearly all the answers of it, except the second most upvoted one. Which is essentially the same as the accepted answer of this question. But that answer was created a year after the accepted answer here - for this reason, that question could be closed as the dupe of this, and not vice versa. – peterh Jun 10 '18 at 21:26
  • 3
    Too bad this is marked as duplicate. To get the info from Linux, it can be done with `hivexget`. I added the details to that other question : https://superuser.com/a/1383325/53547 – mivk Dec 13 '18 at 15:15
  • @mivk Thanks! It is a very useful answer. The closure of this question was a **BAD** decision, it is clearly visible for anybody... :-( – peterh Dec 13 '18 at 15:24
  • 2
    Yeah, it's a shame it was closed. Else I'd add this answer working for Ubuntu using chntpw: https://stackoverflow.com/a/71725634/1654116 – Rasmus Apr 03 '22 at 11:56

2 Answers

8

Simple. Look at the version of `<drive>:\Windows\System32\ntoskrnl.exe`

In the case of XP, look for `<drive>:\boot.ini`

If it is Vista+ you can look for the `<drive>:\Boot` folder.

For Windows 7+ you can look in device manager for the hidden System Reserved partition.

If there is a file named `license.rtf` in your `C:\Windows\System32` folder, it also contains your current Windows version.

peterh
td512
  • 1
    Thank you very much! It is Win7+. The problem is that I don't have "System Reserved" partition any more. I have only the normal C:. How could I see the version of ntoskrnl.exe? – peterh Jul 11 '15 at 01:35
  • I finally solved by license.rtf, but your other solutions were also useful. Thank you very much! – peterh Jul 11 '15 at 01:42
  • @peterh for future reference, right-click, details. You will see info like (in my case): `NT OS & Kernel. Version: 6.1.7601` – td512 Jul 11 '15 at 03:00
  • For ref: `Microsoft Windows XP [Version 5.1.2600]` (when starting cmd.exe) – Hannu Jul 11 '15 at 10:07
  • Err... ^- that is XP Pro "2002" SP 3 - 32bit, `Microsoft Windows [Version 6.3.9600]` is Windows 8.1 Pro (64 bit) – Hannu Jul 11 '15 at 10:42
  • Is there any way to tell a bit more detail, such as the difference between _Home Edition_ and _Professional Edition_, or whether it is _Windows 8_ or _Windows 8.1_? – IQAndreas Nov 10 '15 at 00:55
  • @IQAndreas by using winver. Otherwise, it's almost impossible to tell – td512 Nov 10 '15 at 02:49
  • I didn't have luck with the above answers; what I ended up doing was looking at `bootmgr` on the boot partition. `strings -e l bootmgr -n20 | grep -i win` shows `10.0.17134.885 (WinBuild.160101.0800)`, and a quick google for the first bit shows this is a Win10 build #. Note that windows generally uses utf-16, so `strings` won't show much unless you tell it to look for little-endian 16-bit chars (`-e l`). – Mark Aug 04 '19 at 21:08
0

You could also stream

`strings cmd.exe | find "Version"` might work too. Most files have the version of Windows in their property sheet, which is visible in the raw binary near the end of it. One of these is the Windows version. It's in Unicode though.

wendy.krieger
  • 3
    1) `find "Version"` is a Windows thing, I have Linux and use grep. 2) It gave only cryptic XML data, the only version info was something like "5.1.0.0" which can be anything between WinXP and Win7. But your answer may be useful for the googlers of the future, so here is a +1. – peterh Jul 11 '15 at 04:44
  • You could load it in some sort of text editor or viewer, and look there, `grep -i "Version"` will do the same thing as windows 'find'. – wendy.krieger Jul 11 '15 at 07:05
  • 1
    `find /i "search-data"` == `grep -i "search-data"`. – Hannu Jul 11 '15 at 10:01
  • Cmd has no built-in version numbers that I could find. `strings ntoskrnl.exe | grep 5.1` did the trick instead (of course every Windows version has its own [major.minor build](https://docs.microsoft.com/en-us/windows/win32/sysinfo/operating-system-version) to search for) – mirh Oct 15 '20 at 11:58
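
Added example, not part of any post above: a Python equivalent of the `strings -e l` approach from the comments, which reads the UTF-16LE `ProductVersion` (or `FileVersion`) value from a binary's version resource and maps major.minor to a release name. The function names and the sample bytes are constructed for illustration; run it from Linux against a file such as `ntoskrnl.exe` on the mounted partition.

```python
import re
import struct
import sys

# Client release names by major.minor; server editions share these numbers.
NAMES = {(5, 1): "Windows XP", (6, 0): "Windows Vista", (6, 1): "Windows 7",
         (6, 2): "Windows 8", (6, 3): "Windows 8.1"}

def version_strings(data, key="ProductVersion"):
    """Values stored under `key` in the file's UTF-16LE version resource."""
    needle = (key + "\0").encode("utf-16-le")
    found, pos = [], data.find(needle)
    while pos != -1:
        i = pos + len(needle)
        if data[i:i + 2] == b"\0\0":      # one pad word aligns the value to 32 bits
            i += 2
        end = i
        while end + 1 < len(data) and data[end:end + 2] != b"\0\0":
            end += 2
        found.append(data[i:end].decode("utf-16-le", errors="replace"))
        pos = data.find(needle, end)
    return found

def classify(version):
    """Map 'major.minor.build...' to a release name."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        return "unknown"
    major, minor, build = map(int, m.groups())
    if (major, minor) == (10, 0):         # Windows 11 kept 10.0; only the build differs
        return "Windows 11" if build >= 22000 else "Windows 10"
    return NAMES.get((major, minor), "unknown")

def identify(path):
    """Return (version string, release name) pairs found in one binary."""
    with open(path, "rb") as fh:
        return [(v, classify(v)) for v in version_strings(fh.read())]

def sample_blob(value, key="ProductVersion"):
    """Constructed stand-in for a PE file: filler plus one String entry."""
    k = (key + "\0").encode("utf-16-le")
    pad = b"\0\0" if (6 + len(k)) % 4 else b""
    body = k + pad + (value + "\0").encode("utf-16-le")
    header = struct.pack("<HHH", 6 + len(body), len(value) + 1, 1)
    return b"MZ" + b"\x90" * 62 + header + body

if __name__ == "__main__":
    # Constructed sample value; pass real paths (e.g. .../System32/ntoskrnl.exe) as arguments.
    print(version_strings(sample_blob("6.3.9600.18258")))
    for p in sys.argv[1:]:
        print(p, identify(p))
```

The major.minor number identifies the release but not the edition (Home vs. Professional), which matches the limitation noted in the comments.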