Find the current ve...
 
Notifications
Clear all

Find the current version of Windows

8 Posts
5 Users
0 Likes
2,067 Views
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

I have a case where there is multiple Windows.old folders, in total there is
Windows
Windows.0
Windows.old
Windows.old.000
Windows.old.001

Encase (6 & 7) is showing the information from the Windows.0 folder for the OS information, and the Windows.0 registry shows a later install date that the Windows folder which would make sense if it is the current OS.

Where is the current OS folder stored? I'm assuming it can't be in the registry as each folder has its own!

Also, it appears that the previous OS was Windows Vista, with the current OS being Windows XP, however the structure is still that of Windows XP (Documents and settings etc). I think this may have something to do with the symbolic link for documents and settings etc which would fool the 'new' version of XP into believing it is installiing into the documents and settings folder when in fact it is installing into the Users folder. Has anyone seen this before?

 
Posted : 01/05/2014 11:47 am
(@athulin)
Posts: 1156
Noble Member
 

Where is the current OS folder stored?

That's decided by the boot/startup process. Does the system boot by BIOS, EFI, or … ?

On XP, using BIOS, the volume boot record references NTLDR, which will read the BOOT.INI file to find the system root directory.

On later systems, BOOTMGR is referenced instead, and it uses a separate boot configuration database, usually (?) found as \Boot\BCD on the active volume (which for UEFI systems is the UEFI boot volume)

 
Posted : 01/05/2014 1:52 pm
jhup
 jhup
(@jhup)
Posts: 1442
Noble Member
 

Are there registry files in each iteration of the Windows folders? That could be a source for the information.

 
Posted : 01/05/2014 5:24 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

Yes there are registry files for each version and the Windows.0 is showing as the last install date, making it the most likely candidate for current version. I was looking for something more definite, like the boot.ini.

Looked at the boot.ini and this has listed this as the folder to boot from as well, sop it appears the current version is in the windows.0 folder

 
Posted : 01/05/2014 5:59 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

On later systems, BOOTMGR is referenced instead, and it uses a separate boot configuration database, usually (?) found as \Boot\BCD on the active volume (which for UEFI systems is the UEFI boot volume)

Just for the record the "usually (?) found as \Boot\BCD on the active volume" is actually AFAIK "always found as \boot\BCD relative to the root of the volume where the invoked instance of BOOTMGR is located, i.e. the current active volume". (at least this is what happens in BIOS, but I doubt that EFI/UEFI behaves differently)

The path \boot\BCD is actually hardcoded in BOOTMGR.

jaclaz

 
Posted : 01/05/2014 11:11 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

Other thoughts

- You could virtually boot the image and see which folder it boots into. This means you can also see if the user accounts are also running from Users, as you suspect.
- You could check the file CAM times in the various Windows folders to see which ones have been touched recently (and maybe look inside setupapi.log in Windows.0?)
- The SID should be generated on each new install (should) - you could check the list of profiles in SOFTWARE/Microsoft/Windows NT/CurrentVersion/ProfileList and match them with the SIDs in Users.

Not as neat as finding an entry in boot.ini, but still..

 
Posted : 02/05/2014 1:36 pm
minime2k9
(@minime2k9)
Posts: 481
Honorable Member
Topic starter
 

I can't boot into the machine, we have liveview but it fails on this.

If we have both a boot.ini and a Boot folder, which takes priority?

 
Posted : 02/05/2014 5:32 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I can't boot into the machine, we have liveview but it fails on this.

If we have both a boot.ini and a Boot folder, which takes priority?

It depends on which OS loader is invoked.
XP's (and NT and 2k) OSloader is NTLDR.
NTLDR ONLY loads BOOT.INI.
In BOOT.INI you can specify two types of entries

  • an ArcPath (i.e. something like "multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Microsoft Windows XP Professional" /noexecute=optin /fastdetect")
  • a bootsector (or bootsector like file, like "C\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons"

Vista and later use BOOTMGR instead.
The main configuration file for BOOTMGR is the \boot\BCD BUT it also accesses the BOOT.INI, ignoring any entry with an ArcPath but adding the bootsector entries to the choices displayed on screen (coming form \boot\BCD settings).

jaclaz

 
Posted : 02/05/2014 7:42 pm
Share: