söndag 29 mars 2015

Identifying an unknown Windows hard disk - reading Windows file versions in Linux

What do you do when you have an unkown Windows hard disk or partition, that you don't want to boot or that is unbootable? How do you identify the Windows version installed on the hard disk or partition?

In Linux, we are used to mount the hard disk and then look at /etc/issue, /etc/redhat-release or something similar. You can even see the kernel version in the file names of the installed kernel images in /boot.

But for a Windows OS? Well, you could look at the version of ntoskrnl.exe, for instance.

Here are the version numbers for different versions of Windows [1]:

4.x: NT 4.x
5.0: Windows 2000
5.1: Windows XP
5.2: Windows 2003 Server (and R2), Windows XP 64-bit
6.0: Windows Vista, Server 2008
6.1: Windows 7, Server 2008 R2
6.2: Windows 8, Server 2012
6.3: Windows 8.1, Server 2012 R2

10.0: Windows 10, Server 10

 So just mount the hard disk/partition and then look for C:\Windows\System32\ntoskrnl.exe.

But how do you read the version number of a Portable Executable (PE) file in Linux? You could extract it with hexdump -C and search for the version number (in hex!), but that is quite awkward. There are supposedly some PE tools for linux, but I couldn't find any in Fedora repositories.

A simple way is to use Wine and a Windows tool to check the header of the PE file, for instance Sysinternal's SigCheck tool [2].

wine sigcheck -q -n ntoskrnl.exe
6.2.9200.16424 (win8_gdr.120926-1855) 

In this case, the Windows version is Windows 8 (or possibly Server 2012 R2). 

Telling the difference between Server and Workstation is harder. I don't know how to do that without Windows running (when you could programmatically check for OSVERSIONINFOEX.wProductType != VER_NT_WORKSTATION for a server OS, at least for Server 2008 and later).


Update. I have since discovered another tool, ExifTool [3] that is able to read PE headers and display version number. On Redhat/Fedora this is available as perl-Image-ExifTool. 
exiftool ntoskrnl.exe |grep 'File Version  '
File Version             : 6.1.7601.23677 (win7sp1_ldr.170209-0600)

[1] https://msdn.microsoft.com/en-us/library/ms724832%28VS.85%29.aspx
[2] https://technet.microsoft.com/en-us/sysinternals/bb897441.aspx

[3] http://www.sno.phy.queensu.ca/~phil/exiftool/