I am attempting to recover an old computer that won't boot and I'm not sure what version of Windows it is running. How do I tell simply by examining the file system?
I am fairly confident it is either Vista or Windows 7. There is a small chance it is Windows Server 2008.
Look at the file
C:\Windows\System32\License.rtf
Can be found for all these Windows operating systems
Vista, W7, W8, W8.1
These License rtf will have the Version of Windows and the Edition also, Windows 7 Pro for example.
Windows 10 has the rtf file but does not show edition, but if it has the arbitration clause note at the top you know it is W10, or use the explorer trick in Matthew Steeples answer.
To find the Windows 10 product type (Home Pro etc) type see Moif Murphy's answer further down this page
For Windows 10 one can use Wordpad.exe, notepad.exe on Windows OS for analyzing
C:\ProgramData\Microsoft\Diagnosis\osver.txt .
On Unix systems a console command like
cat <Windows system root partition>/ProgramData/Microsoft/Diagnosis/osver.txt
shows version number.
Example for OS build number: 10.0.18362 (without .116 - .267@2019-07-26)
Your best bet is going to be finding the properties of a Windows Executable (such as explorer.exe). In my case it's File and Product version is 6.1.7601.17567
6.0.xxxx.xxxxx will denote Windows Vista (with 6000, 6001 and 6002 being RTM, SP1 and SP2 respectively).
6.1.xxxx.xxxxx will denote Windows 7 (with 7600 and 7601 being RTM and SP1).
The same version numbers will apply for Windows server as well so I'm not sure how you'd tell the difference with those using this method.
If you don't have a running Windows and want to find the information from a Linux machine, you can use hivexget to read the registry file on the disk.
For Debian-based systems, install it with sudo apt install libhivex-bin.
Example (with grep to make the output shorter):
# hivexget /mnt/tmp/Windows/System32/config/software 'Microsoft\Windows NT\CurrentVersion' \
| egrep 'BuildLab|ProductName|Version"|"ProductId'
"BuildLab"="19041.vb_release.191206-1406"
"BuildLabEx"="19041.1.amd64fre.vb_release.191206-1406"
"CurrentVersion"="6.3"
"EditionSubVersion"=""
"ProductName"="Windows 10 Pro"
"ProductId"="00330-80000-00000-AA669"
"DisplayVersion"="21H1"
You may have to adapt the case of the path and file name. For example the registry file could be "SOFTWARE" instead of "software", etc.
Remove the | egrep ... part to see all values under that key.
Using the registry you can look up version and edition
I found this answer over at Stackoverflow to the question Determine Windows Version, Edition and Service Pack OF AN OFFLINE DISK IMAGE
Use the values under
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion. I presume you know where to find that hive?! The respective hive can be found under%SystemRoot%\System32\configwith the nameSOFTWARE.Side-note: you can attempt to verify your results by looking at some well-known files (e.g.
kernel32.dll,ntdll.dll) and into their version information resource (what you're looking for is the file version: with, e.g.GetFileVersionInfo()).Edition values, if that's needed, can be found at
HKLM\SYSTEM\CurrentControlSet\Control\ProductOptions.
More specifically, how to load the hive of another registry:
If you have Linux on the same system, you could boot into Linux, ensure the Windows partition is mounted (for instance here it's in /mnt/C) and then do strings /mnt/C/Windows/System32/ntoskrnl.exe 2>/dev/null | grep amd64. For me in printed 9600.18258.amd64fre.winblue_ltsb.160303-0600, and googling for winblue indicates that this was the code name for Windows 8.1.
If you boot into Windows installation media (say USB stick), and press [SHIFT] + [F10] to get the command prompt, you could query which drive letter corresponds to the original OS drive in question, and then get the version info of a program like ntoskrnl.exe. For example to explore the installed disks and related drive letters,
$ wmic diskdrive get model,name,serialnumber
$ wmic logicaldisk get description,deviceid,volumename
$ wmic datafile where name="<DRIVE LETTER>:\\Windows\\System32\\ntoskrnl.exe" get Version /value
Version 10.0.15063.413
Or using the method from @beyondtime, which is less typing but omits the decimal part of the build number
$ type "<DRIVE LETTER>:\ProgramData\Microsoft\Diagnosis\osver.txt"
10.0.15063
So here the OS installed on the indicated drive letter is Windows 10, Build 15063.413. A google search shows this to be Windows 10 version 1703 | Redstone 2 | Creators Update.
As a bonus, if you want to see the last time that OS was booted, you can do
$ dir /ah /tw <DRIVE LETTER>:\pagefile.sys
01/31/2017 03:04 PM ...... pagefile.sys
You can probably determine when the OS was originally installed by reviewing the creation time of the hidden files and folders at the root of the drive:
$ dir /ah /tc "<DRIVE LETTER>:\"
And to shutdown when you're finished:
$ wpeutil shutdown
If you can still run executables from that filesystem, you can run C:\Windows\System32\winver.exe
And after reading hivexsh man page...
In order to find correct filename, I do:
rfile=($mnt/[wW][iI][nN][dD][oO][wW][sS]/[sS][yY][sS][tT][eE][mM]32)
rfile=(${rfile[@]/%//[cC][oO][nN][fF][iI][gG]})
rfile=(${rfile[@]/%//[sS][oO][fF][tT][wW][aA][rR][eE]})
hivexsh "$rfile" < <(
echo 'cd Microsoft\Windows NT\CurrentVersion'
for key in ProductName CurrentVersion ProductId BuildLab ;do
echo lsval $key
done
)
Will output in order I asked for:
Windows 10 Pro
6.3
00330-80000-00000-AA497
22000.co_release.210604-1628
or
Microsoft Windows XP
5.1
55711-OEM-0011903-00117
2600.xpsp_sp3_qfe.130704-0421
Comprehensive information about Windows version is in the registry key HKLM\Software\Microsoft\Windows NT\CurrentVersion. You will need to load a corresponding hive from that system's registry:
reg load HKLM\Temp x:\Windows\System32\config\SOFTWARE
where Temp is arbitrary name to use and x:\Windows is the path to Windows root.
Then, if you have PowerShell at hand, you can get info as:
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
You might be interested in particular properties:
Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
| select ProductName, EditionID, DisplayVersion, CurrentVersion, CurrentBuildNumber, UBR
Otherwise, just use reg:
reg query "HKLM\Temp\Microsoft\Windows NT\CurrentVersion" /v *
or for particular property:
reg query "HKLM\Temp\Microsoft\Windows NT\CurrentVersion" /v ProductName
Get Magical Jelly Bean Keyfinder. The portable free version works fine. Safest to get it from their website magicaljellybean.com or sofpedia etc.
Start it up. Under the tools menu, select >> load hive. It then shows all your drives, select the windows folder of the drive in question. It instantly provides the version and keys.
Open the file bootmgr in notepad it is located on the hard drive you are wanting to know the version of it will be a hidden file so select show hidden files in folder options sorted
