Windows 11 detected as Windows 10

[exploide]

Recently I ran PrivescCheck on the Windows 11 client of a customer but Invoke-SystemInfoCheck and Get-WindowsVersion detected the OS as Windows 10. I thought this might be because the system has been upgraded from 10 to 11 and maybe something wasn't clean afterwards.

But now I installed a fresh Windows 11 Pro myself (no upgrade) and the issue is reproducible:

> Invoke-SystemInfoCheck

Name           Version
----           -------
Windows 10 Pro 10.0.22621 Version 2009 (22621.1194)

> Get-WindowsVersion

Major         : 10
Minor         : 0
Build         : 22621
Revision      : 0
MajorRevision : 0
MinorRevision : 0

Which is no surprise, given that Microsoft apparently messed it up in the registry. See ProductName Value below. (Again, this is a fresh install from today!)

> Get-ItemProperty -Path "Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -ErrorAction SilentlyContinue

SystemRoot                : C:\Windows
BaseBuildRevisionNumber   : 1
BuildBranch               : ni_release
BuildGUID                 : ffffffff-ffff-ffff-ffff-ffffffffffff
BuildLab                  : 22621.ni_release.220506-1250
BuildLabEx                : 22621.1.amd64fre.ni_release.220506-1250
CompositionEditionID      : Enterprise
CurrentBuild              : 22621
CurrentBuildNumber        : 22621
CurrentMajorVersionNumber : 10
CurrentMinorVersionNumber : 0
CurrentType               : Multiprocessor Free
CurrentVersion            : 6.3
DisplayVersion            : 22H2
EditionID                 : Professional
EditionSubManufacturer    :
EditionSubstring          :
EditionSubVersion         :
InstallationType          : Client
InstallDate               : 1674909738
ProductName               : Windows 10 Pro
ReleaseId                 : 2009
SoftwareType              : System
UBR                       : 1194
PathName                  : C:\Windows
PendingInstall            : 0
ProductId                 : 00330-80183-90218-AA479
DigitalProductId          : {164, 0, 0, 0...}
DigitalProductId4         : {248, 4, 0, 0...}
RegisteredOwner           : user
RegisteredOrganization    :
InstallTime               : 133193833380897739
PSPath                    : Microsoft.PowerShell.Core\Registry::HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
PSParentPath              : Microsoft.PowerShell.Core\Registry::HKLM\SOFTWARE\Microsoft\Windows NT
PSChildName               : CurrentVersion
PSProvider                : Microsoft.PowerShell.Core\Registry

The only commands I found that show the correct OS are Get-WMIObject and systeminfo (the latter in German):

> (Get-WMIObject win32_operatingsystem).name.split('|')[0]
Microsoft Windows 11 Pro

> systeminfo

Hostname:                                      WIN11
Betriebssystemname:                            Microsoft Windows 11 Pro
Betriebssystemversion:                         10.0.22621 Nicht zutreffend Build 22621
[...]

[itm4n]

Yes, I'm well aware of this issue. Even the Win32 API does not return the correct information.

However, the official answer from Microsoft seems to be that Windows 10 and 11 can be told apart thanks to the build version. If the build version is greater than 22000, it is Windows 11.

I'll make the appropriate adjustments and keep you posted.

BTW, thank you for being such an active member. Your issue reports are well appreciated. 🙂

[itm4n]

Fixed with commit e1567e62d4dbc0ad388edcf49daf9532d7158e6c.

I added a test case for the build number.

On Windows 10:

PS C:\Temp> Invoke-SystemInfoCheck

Name           Version
----           -------
Windows 10 Pro 10.0.19045 Version 2009 (19045.2486)

On Windows 11:

PS C:\Temp> Invoke-SystemInfoCheck

Name           Version
----           -------
Windows 11 Pro 10.0.22621 Version 2009 (22621.1105)

[exploide]

Nice. Tested it, works. Thank you!