Display Current and Previous Windows Loaded Module Version Numbers - Windbg !for_each_module Command

jcgriff2


Display Windows Current and Previous Loaded Module Version Numbers

By using a simple FOR EACH Windbg kd> command, you can quickly check the current and previous version numbers (if applicable) of Windows loaded modules. 3rd party drivers will have different version numbers (if any) than Windows modules. I have used this in the past to find cracked Windows systems.

One example that I recall - a Windows 7 system contained Windows 7, Vista and even a few XP modules, all identified by the module version number. Every Windows module is updated with the release of a new version of Windows, whether or not the module has actually changed.



The Windbg kd> Command -
Code:
!for_each_module .echo @#ModuleName fver = @#FileVersion pver = @#ProductVersion

To figure out what Windows version the OP is running, scroll to the top of Windbg and about 10 lines down, you'll see an area similar to this -
Code:
Windows 8.1 Kernel Version 9600 MP (4 procs) Free x64
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 9600.19304.amd64fre.winblue_ltsb_escrow.190305-1818

As you can clearly see, the OP is running Windows 8.1; version 9600.

Using the !for_each_module Windbg kd> command, we can see each loaded module and its version number - (the 6.3 is the NT internal version number) -
Code:
3: kd> !for_each_module .echo @#ModuleName fver = @#FileVersion pver = @#ProductVersion

BOOTVID fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
cmimcext fver = 6.3.9600.18513 (winblue_ltsb.161009-0600) pver = 6.3.9600.18513
CI fver = 6.3.9600.19032 (winblue_ltsb_escrow.180510-1700) pver = 6.3.9600.19032
mcupdate fver = pver =
werkernel fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
CLFS fver = 6.3.9600.18997 pver =
tm fver = 6.3.9600.19225 (winblue_ltsb.181206-0600) pver = 6.3.9600.19225
PSHED fver = 6.3.9600.16404 (winblue_gdr.130913-2141) pver = 6.3.9600.16404
spaceport fver = 6.3.9600.18573 pver =
msrpc fver = 6.3.9600.19202 (winblue_ltsb.181110-0600) pver = 6.3.9600.19202
Wdf01000 fver = 1.13.9600.16384 (winblue_rtm.130821-1623) pver = 1.13.9600.16384
WDFLDR fver = 1.13.9600.16384 pver =
acpiex fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
WppRecorder fver = 6.3.9600.16384 pver =
cng fver = 6.3.9600.19032 (winblue_ltsb_escrow.180510-1700) pver = 6.3.9600.19032
msisadrv fver = 6.3.9600.18939 (winblue_ltsb.180210-0600) pver = 6.3.9600.18939
volmgr fver = 6.3.9600.18302 (winblue_ltsb.160409-0600) pver = 6.3.9600.18302
ACPI fver = 6.3.9600.18939 (winblue_ltsb.180210-0600) pver = 6.3.9600.18939
WMILIB fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
pci fver = 6.3.9600.18939 (winblue_ltsb.180210-0600) pver = 6.3.9600.18939
vdrvroot fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
pdc fver = 6.3.9600.18756 pver =
partmgr fver = 6.3.9600.17396 pver =
NETIO fver = 6.3.9600.18708 (winblue_ltsb.170527-0600) pver = 6.3.9600.18708
CLASSPNP fver = 6.3.9600.18334 pver =
volmgrx fver = 6.3.9600.18758 (winblue_ltsb.170707-0600) pver = 6.3.9600.18758
mountmgr fver = 6.3.9600.18692 (winblue_ltsb.170506-0600) pver = 6.3.9600.18692
storahci fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
storport fver = 6.3.9600.18833 pver =
WdFilter fver = 4.10.0209.0 pver = 4.10.0209.0
crashdmp fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
iaStorA fver = pver =
EhStorClass fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
fltmgr fver = 6.3.9600.18895 (winblue_ltsb.180101-1800) pver = 6.3.9600.18895
fileinfo fver = 6.3.9600.17031 (winblue_gdr.140221-1952) pver = 6.3.9600.17031
Wof fver = 6.3.9600.17050 (winblue_gdr.140312-1703) pver = 6.3.9600.17050
rdyboost fver = 6.3.9600.18895 pver =
disk fver = 6.3.9600.18756 pver =
Ntfs fver = 6.3.9600.19293 (winblue_ltsb.190209-0600) pver = 6.3.9600.19293
ksecdd fver = 6.3.9600.18454 (winblue_ltsb.160820-0600) pver = 6.3.9600.18454
pcw fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
Fs_Rec fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
ndis fver = 6.3.9600.19090 (winblue_ltsb.180630-0600) pver = 6.3.9600.19090
ksecpkg fver = 6.3.9600.19236 (winblue_ltsb_escrow.181227-1201) pver = 6.3.9600.19236
mup fver = 6.3.9600.18298 (winblue_ltsb.160406-0607) pver = 6.3.9600.18298
tcpip fver = 6.3.9600.19287 (winblue_ltsb.190131-0600) pver = 6.3.9600.19287
fwpkclnt fver = 6.3.9600.19051 (winblue_ltsb.180524-0600) pver = 6.3.9600.19051
wfplwfs fver = 6.3.9600.18895 pver =
fvevol fver = 6.3.9600.19033 pver =
volsnap fver = 6.3.9600.18265 (winblue_ltsb.160311-0600) pver = 6.3.9600.18265
intelpep fver = 6.3.9600.17396 (winblue_r4.141007-2030) pver = 6.3.9600.17396
BasicDisplay fver = 6.3.9600.16384 pver =
Npfs fver = 6.3.9600.19290 (winblue_ltsb.190206-0600) pver = 6.3.9600.19290
Msfs fver = 6.3.9600.19290 (winblue_ltsb.190206-0600) pver = 6.3.9600.19290
tdx fver = 6.3.9600.18783 (winblue_ltsb.170731-2050) pver = 6.3.9600.18783
TDI fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
netbt fver = 6.3.9600.18790 (winblue_ltsb.170810-1616) pver = 6.3.9600.18790
dump_iaStorA fver = pver =
luafv fver = 6.3.9600.18835 (winblue_ltsb.171010-0600) pver = 6.3.9600.18835
WudfPf fver = 6.3.9600.17415 pver =
cdrom fver = 6.3.9600.18878 pver =
Null fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
Beep fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
BasicRender fver = 6.3.9600.18859 pver =
dxgmms1 fver = 6.3.9600.19176 (winblue_ltsb.181006-0600) pver = 6.3.9600.19176
dxgkrnl fver = 6.3.9600.19176 (winblue_ltsb.181006-0600) pver = 6.3.9600.19176
watchdog fver = 6.3.9600.17031 pver =
ahcache fver = 6.3.9600.17734 (winblue_r9.150319-1700) pver = 6.3.9600.17734
CompositeBus fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
kdnic fver = 6.1.0.0 pver =
umbus fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
dump_dumpfve fver = 6.3.9600.18383 pver =
afd fver = 6.3.9600.18909 (winblue_ltsb.180110-0600) pver = 6.3.9600.18909
pacer fver = 6.3.9600.18895 (winblue_ltsb.180101-1800) pver = 6.3.9600.18895
netbios fver = 6.3.9600.18895 (winblue_ltsb.180101-1800) pver = 6.3.9600.18895
rdbss fver = 6.3.9600.18895 (winblue_ltsb.180101-1800) pver = 6.3.9600.18895
nsiproxy fver = 6.3.9600.18792 (winblue_ltsb.170813-0600) pver = 6.3.9600.18792
npsvctrig fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
mssmbios fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
dfsc fver = 6.3.9600.18895 (winblue_ltsb.180101-1800) pver = 6.3.9600.18895
monitor fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
ks fver = 6.3.9600.19130 pver =
nvvhci fver = pver =
NdisVirtualBus fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
iwdbus fver = pver =
LGBusEnum fver = pver =
LGJoyXlCore fver = pver =
ssdevfactory fver = pver =
rdpbus fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
nvlddmkm fver = pver =
HDAudBus fver = 6.3.9600.17238 (winblue_gdr.140723-2018) pver = 6.3.9600.17238
e1d63x64 fver = pver =
USBPORT fver = 6.3.9600.19024 (winblue_ltsb.180428-0600) pver = 6.3.9600.19024
portcls fver = 6.3.9600.17415 (winblue_r4.141028-1500) pver = 6.3.9600.17415
drmk fver = pver =
ucx01000 fver = 6.3.9600.19024 (winblue_ltsb.180428-0600) pver = 6.3.9600.19024
TeeDriverx64 fver = pver =
usbehci fver = 6.3.9600.18191 (winblue_ltsb.160108-0600) pver = 6.3.9600.18191
serial fver = 6.3.9600.18437 (winblue_ltsb.160811-0600) pver = 6.3.9600.18437
serenum fver = 6.3.9600.18437 (winblue_ltsb.160811-0600) pver = 6.3.9600.18437
sssmbus fver = pver =
wmiacpi fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
ksthunk fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
swenum fver = 6.3.9600.17415 pver =
igdkmd64 fver = pver =
USBXHCI fver = 6.3.9600.19024 (winblue_ltsb.180428-0600) pver = 6.3.9600.19024
intelppm fver = 6.3.9600.19067 (winblue_ltsb_escrow.180619-2033) pver = 6.3.9600.19067
nvvad64v fver = pver =
usbhub fver = 6.3.9600.18814 (winblue_ltsb.170901-0600) pver = 6.3.9600.18814
USBD fver = 6.3.9600.18088 pver =
nvhda64v fver = pver =
IntcDAud fver = pver =
UsbHub3 fver = 6.3.9600.18088 (winblue_ltsb.151010-0600) pver = 6.3.9600.18088
kbdhid fver = 6.3.9600.17480 (winblue_r5.141103-1547) pver = 6.3.9600.17480
kbdclass fver = 6.3.9600.17480 (winblue_r5.141103-1547) pver = 6.3.9600.17480
mouhid fver = 6.3.9600.17480 (winblue_r5.141103-1547) pver = 6.3.9600.17480
mouclass fver = 6.3.9600.17480 (winblue_r5.141103-1547) pver = 6.3.9600.17480
dump_storport fver = pver =
mshidkmdf fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
RTKVHD64 fver = pver =
usbccgp fver = 6.3.9600.18814 (winblue_ltsb.170901-0600) pver = 6.3.9600.18814
hidusb fver = 6.3.9600.18340 (winblue_ltsb.160513-1153) pver = 6.3.9600.18340
HIDCLASS fver = 6.3.9600.18340 (winblue_ltsb.160513-1153) pver = 6.3.9600.18340
HIDPARSE fver = 6.3.9600.19304 (winblue_ltsb_escrow.190305-1818) pver = 6.3.9600.19304
sshid fver = pver =
HTTP fver = 6.3.9600.18895 (winblue_ltsb.180101-1800) pver = 6.3.9600.18895
SbieDrv fver = pver =
lltdio fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
rspndr fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
bowser fver = 6.3.9600.19109 (winblue_ltsb.180718-0600) pver = 6.3.9600.19109
mpsdrv fver = 6.3.9600.19122 (winblue_ltsb.180809-0600) pver = 6.3.9600.19122
srvnet fver = 6.3.9600.19290 (winblue_ltsb.190206-0600) pver = 6.3.9600.19290
condrv fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
WdNisDrv fver = 4.10.0209.0 pver = 4.10.0209.0
LGVirHid fver = pver =
OpenHardwareMonitorLib fver = pver =
srv2 fver = 6.3.9600.19290 (winblue_ltsb.190206-0600) pver = 6.3.9600.19290
srv fver = 6.3.9600.19290 (winblue_ltsb.190206-0600) pver = 6.3.9600.19290
tunnel fver = 6.3.9600.18048 (winblue_ltsb.150904-0600) pver = 6.3.9600.18048
Ndu fver = 6.3.9600.17415 (winblue_r4.141028-1500) pver = 6.3.9600.17415
peauth fver = pver =
rzpmgrk fver = pver =
rzpnk fver = pver =
mrxsmb fver = 6.3.9600.19149 (winblue_ltsb.180901-0600) pver = 6.3.9600.19149
mrxsmb20 fver = 6.3.9600.18586 (winblue_ltsb.170201-0600) pver = 6.3.9600.18586
lgcoretemp fver = pver =
mrxsmb10 fver = 6.3.9600.19293 (winblue_ltsb.190209-0600) pver = 6.3.9600.19293
tcpipreg fver = 6.3.9600.17041 (winblue_gdr.140305-1710) pver = 6.3.9600.17041
kdcom fver = pver =
nt fver = 6.3.9600.19304 (winblue_ltsb_escrow.190305-1818) pver = 6.3.9600.19304
hal fver = 6.3.9600.18969 (winblue_ltsb.180309-0600) pver = 6.3.9600.18969
win32k fver = 6.3.9600.19304 (winblue_ltsb_escrow.190305-1818) pver = 6.3.9600.19304
TSDDD fver = 6.3.9600.16384 pver =
cdd fver = 6.3.9600.17415 pver =
ATMFD fver = pver =


The file version numbers and the associated Windows systems -
Windows NT 3.1 (1993)
Windows NT 3.5 (1994)
Windows NT 3.51 (1995)
Windows NT 4.0 (1996)
Windows NT 5.0 (1997-1999)
Windows NT 5.1 (Windows XP) (2001)
Windows NT 5.2 (Windows Server 2003, Windows XP x64) (2003)
Windows NT 6.0 (Windows Vista, Windows Server 2008) (2006)
Windows NT 6.1 (Windows 7, Windows Server 2008 R2) (2009)
Windows NT 6.2 (Windows 8, Windows Server 2012) (2012)
Windows NT 6.3 (Windows 8.1, Windows Server 2012 R2) (2013)
Windows NT 10.0 (Windows 10, Windows Server 2016) (2015)
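
The comparison described above can be scripted once the `!for_each_module` output is saved to a text file. This is an added example, not part of the original post: it parses the output and groups modules by how their file version compares with the `nt` module's. The function names, the report categories and the `examplemod` line are assumptions made for illustration.

```python
import re

# NT major.minor -> Windows release, from the table in the post (5.1 onward).
NT_RELEASES = {
    (5, 1): "Windows XP", (5, 2): "Server 2003 / XP x64", (6, 0): "Vista / Server 2008",
    (6, 1): "Windows 7 / Server 2008 R2", (6, 2): "Windows 8 / Server 2012",
    (6, 3): "Windows 8.1 / Server 2012 R2", (10, 0): "Windows 10 / Server 2016",
}
LINE_RE = re.compile(r"^(\S+)\s+fver\s*=\s*(.*?)\s*pver\s*=\s*(.*)$")
VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)\.(\d+)")

def parse_modules(text):
    """Map module name -> (major, minor, build, rev), or None if fver is empty."""
    modules = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # the kd> prompt line and other debugger output do not match
            v = VER_RE.search(m.group(2))
            modules[m.group(1)] = tuple(map(int, v.groups())) if v else None
    return modules

def triage(text, kernel_module="nt"):
    """Group modules by how their file version compares with the kernel's."""
    modules = parse_modules(text)
    kernel = modules.get(kernel_module)
    if kernel is None:
        raise ValueError("kernel module version not found in output")
    report = {"match": [], "other_nt": [], "other": [], "no_version": []}
    for name, ver in modules.items():
        if ver is None:
            report["no_version"].append(name)   # often third-party drivers
        elif ver[:3] == kernel[:3]:
            report["match"].append(name)        # same major.minor.build
        elif ver[:2] in NT_RELEASES:
            report["other_nt"].append((name, NT_RELEASES[ver[:2]]))  # review
        else:
            report["other"].append(name)        # own numbering, e.g. Wdf01000
    return report

# Lines copied from the post's output; "examplemod" is constructed for illustration.
SAMPLE = """\
3: kd> !for_each_module .echo @#ModuleName fver = @#FileVersion pver = @#ProductVersion
BOOTVID fver = 6.3.9600.16384 (winblue_rtm.130821-1623) pver = 6.3.9600.16384
mcupdate fver = pver =
Wdf01000 fver = 1.13.9600.16384 (winblue_rtm.130821-1623) pver = 1.13.9600.16384
kdnic fver = 6.1.0.0 pver =
nt fver = 6.3.9600.19304 (winblue_ltsb_escrow.190305-1818) pver = 6.3.9600.19304
examplemod fver = 6.0.6000.16386 pver = 6.0.6000.16386
"""
```

`triage(SAMPLE)` places `kdnic` under `other_nt` because it reports 6.1.0.0 in the post's own Windows 8.1 output, so an entry in that group is a prompt to inspect the file, not a verdict.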






 