I received an interesting comment to one of my recent blog posts...the poster was musing that he wished he could determine the version of XP (Home or Pro), presumably during a post-mortem examination. As this piqued my interest, I began to research this...and most of what I found applies to a live running system. For example, MS has a KB article that tells you how to determine the version of XP you've got. Also, the WMI class Win32_OperatingSystem has a value called "SuiteMask" which will let you determine the version of the operating system; to see if you're on the Home version of XP, perform a logical AND of the SuiteMask value with 0x0200 (the "Personal" bit) - if the result is nonzero, you're on XP Home. You can also use the Win32::GetOSVersion() function in Perl, or query the WMI Win32_OperatingSystem class from Perl.
This information seems to be maintained in memory, and appears to be retrieved using the GetVersionEx() API function. Running a couple of tests to extract the information while RegMon was capturing didn't reveal any Registry keys being accessed while the OS version was being determined.
During a post-mortem examination, you can go to the file "%WinDir%\system32\eula.txt" and locate the last line of the file that begins with "EULAID", and you'll see something similar to:
EULAID:XPSP2_RM.0_PRO_OEM_EN
If it says "HOM" instead of "PRO", you're dealing with the Home version of XP.
Also, you can try the file "%windir%\system32\prodspec.ini", and right below the line that says "[Product Specification]", you'll see an entry that will tell you which version of the OS you're working with (note: be sure to check the last modification date on these files, as well...).
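As an added example (not part of the original post), the following Python script implements the three checks described above: the SuiteMask AND against the Personal bit for a live system, the last EULAID line of eula.txt, and the [Product Specification] section of prodspec.ini for a post-mortem image. The file contents are constructed samples, and the tolerant prodspec.ini reader (which strips NUL bytes and blank padding before parsing) is an assumption about how that file may be padded rather than a documented format.

```python
# Added example: determine the XP edition (Home vs. Pro) from the three
# artifacts discussed in the post.  Sample inputs are constructed.

# VER_SUITE_PERSONAL, the "Personal" bit of Win32_OperatingSystem.SuiteMask
# (the same bit appears in OSVERSIONINFOEX.wSuiteMask from GetVersionEx()).
VER_SUITE_PERSONAL = 0x0200


def is_xp_home_from_suitemask(suite_mask: int) -> bool:
    """Live-system check: AND the SuiteMask with 0x0200; nonzero means XP Home."""
    return (suite_mask & VER_SUITE_PERSONAL) != 0


def edition_from_eula(eula_text: str):
    """Post-mortem check on %WinDir%\\system32\\eula.txt: take the LAST line that
    begins with 'EULAID' and read the third underscore-separated field
    (PRO or HOM).  Returns a dict, or None if no EULAID line is present."""
    last = None
    for line in eula_text.splitlines():
        if line.startswith("EULAID"):
            last = line.strip()
    if last is None:
        return None
    parts = last.split(":", 1)
    eula_id = parts[1].strip() if len(parts) == 2 else last
    fields = eula_id.split("_")          # e.g. XPSP2 / RM.0 / PRO / OEM / EN
    token = fields[2] if len(fields) > 2 else ""
    edition = {"PRO": "Professional", "HOM": "Home"}.get(token, "unknown")
    return {"eulaid": eula_id, "token": token, "edition": edition}


def product_from_prodspec(raw: bytes) -> dict:
    """Post-mortem check on %WinDir%\\system32\\prodspec.ini: decode the bytes,
    drop NUL bytes and blank padding (assumption: the file may look empty in
    a text editor), and return the key=value pairs under
    [Product Specification]."""
    text = raw.replace(b"\x00", b"").decode("latin-1")
    section = {}
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue                      # skip padding lines
        if line.startswith("["):
            in_section = (line.lower() == "[product specification]")
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            section[key.strip()] = value.strip()
    return section


# --- constructed sample artifacts (not copied from a real system) ---
SAMPLE_EULA_PRO = (
    "END-USER LICENSE AGREEMENT FOR MICROSOFT SOFTWARE\n"
    "EULAID:XPSP1_RM.0_PRO_OEM_EN\n"
    "...\n"
    "EULAID:XPSP2_RM.0_PRO_OEM_EN\n"
)
SAMPLE_EULA_HOME = "EULAID:XPSP2_RM.0_HOM_OEM_EN\n"

# Leading blank lines stand in for the padding that hides the content
# until you scroll down.
SAMPLE_PRODSPEC = (
    b"\r\n" * 20
    + b"[Product Specification]\r\n"
    + b"Product=Windows XP Home Edition\r\n"
    + b"Version=5.0\r\n"
    + b"Localization=English\r\n"
    + b"ServicePackNumber=0\r\n"
)


def examine_samples() -> dict:
    """Run all three checks over the constructed samples."""
    return {
        "suitemask_home": is_xp_home_from_suitemask(0x0300),   # Personal bit set
        "suitemask_pro": is_xp_home_from_suitemask(0x0100),    # Personal bit clear
        "eula_pro": edition_from_eula(SAMPLE_EULA_PRO),
        "eula_home": edition_from_eula(SAMPLE_EULA_HOME),
        "prodspec": product_from_prodspec(SAMPLE_PRODSPEC),
    }


if __name__ == "__main__":
    for name, result in examine_samples().items():
        print(f"{name}: {result}")
```

When run against a mounted image, read eula.txt and prodspec.ini from the image's system32 directory and pass their contents to the two post-mortem functions; the SuiteMask function applies only to values obtained from a live system (WMI or GetVersionEx()). As the post notes, check the modification times on both files before trusting them.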
Links
Determine the version of IE installed
Check the Version of Office XP
Determine the Windows version using C# (using VB)
32- or 64-bit version of Windows?
7 comments:
Harlan,
This is what I like to see. Real and relevant information that can be used.
I'm not a forensics guy but what I've read of your book (the free chapter, haven't bought it yet) and your blog has piqued my interest.
Thanks!!
Andy,
Thanks. I hope to put more real and relevant information up on this blog in the future, as well.
Hi Harlan
That's interesting. I opened my prodspec.ini file with notepad and it appeared empty, but the file properties indicated that it was 343 bytes. I opened it again and scrolled down. Sure enough, there was the information that you mentioned. I suspect that the padding is used to prevent "casual" users from editing the text. Open it and it looks like it's an empty file.
Another tip for my "little black book"!
Post-mortem wise, you also could look at %SystemDrive%\boot.ini. The file also will reveal whether you're dealing with a dual boot environment. The registry, of course, also provides the OS information, the location of which varies slightly depending on OS. The one eulaid.txt file I checked described the initial XP Home OS installed, but didn't provide for the fact that it was updated to SP 2.
The registry keys at HKLM\software\microsoft\windows NT\current version\ (for XP systems) contain a heap of info about the OS, this includes service pack info. I don't have a windows registry handy at the moment, so I can't check but I am pretty certain there is a key that gives a simple human readable description of the OS.
Anonymous,
...contain a heap of info about the OS...
This is true, but none of it gives you any info about whether the system is running XP Home or XP Pro.
...none of it gives you any info...
I beg to differ, Harlan. The product code tells you what is installed. For example, 55274-OEM-1234567-12345 is XP Pro, but 55277-OEM-1234567-12345 is XP Home. In other words, the first five digits tell you what product is installed. There are lists available on the web (some of them mostly rubbish and all of them incomplete). The two examples I have given assume that the product is English. The best list that I know of is DJLizard's.
- James_A