Correctly detect Windows 11 builds (#714)

fox-it · Jun 27, 2024 · 4a69ca0 · 4a69ca0
1 parent c23a1eb
commit 4a69ca0
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 3 deletions.
diff --git a/dissect/target/plugins/os/windows/_os.py b/dissect/target/plugins/os/windows/_os.py
@@ -247,13 +247,21 @@ def _part_str(parts: dict[str, Any], name: str) -> str:
         if any(map(lambda value: value is not None, version_parts.values())):
             version = []
 
+            nt_version = _part_str(version_parts, "CurrentVersion")
+            build_version = _part_str(version_parts, "CurrentBuildNumber")
             prodcut_name = _part_str(version_parts, "ProductName")
-            version.append(prodcut_name)
 
-            nt_version = _part_str(version_parts, "CurrentVersion")
+            # CurrentBuildNumber >= 22000 on NT 10.0 indicates Windows 11.
+            # https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information
+            try:
+                if nt_version == "10.0" and int(build_version) >= 22_000:
+                    prodcut_name = prodcut_name.replace("Windows 10", "Windows 11")
+            except ValueError:
+                pass
+
+            version.append(prodcut_name)
             version.append(f"(NT {nt_version})")
 
-            build_version = _part_str(version_parts, "CurrentBuildNumber")
             ubr = version_parts["UBR"]
             if ubr:
                 build_version = f"{build_version}.{ubr}"

diff --git a/tests/plugins/os/windows/test__os.py b/tests/plugins/os/windows/test__os.py
@@ -202,6 +202,26 @@ def test_windowsplugin__nt_version(
             ],
             "<Unknown ProductName> (NT <Unknown CurrentVersion>) <Unknown CurrentBuildNumber> 5678",
         ),
+        (
+            [
+                ("ProductName", "Windows 10 Pro"),
+                ("CurrentMajorVersionNumber", 10),
+                ("CurrentMinorVersionNumber", 0),
+                ("CurrentBuildNumber", 19_045),
+                ("UBR", 1234),
+            ],
+            "Windows 10 Pro (NT 10.0) 19045.1234",
+        ),
+        (
+            [
+                ("ProductName", "Windows 10 Enterprise"),
+                ("CurrentMajorVersionNumber", 10),
+                ("CurrentMinorVersionNumber", 0),
+                ("CurrentBuildNumber", 22_000),
+                ("UBR", 1234),
+            ],
+            "Windows 11 Enterprise (NT 10.0) 22000.1234",
+        ),
     ],
 )
 def test_windowsplugin_version(