diff --git a/dissect/target/plugins/os/windows/_os.py b/dissect/target/plugins/os/windows/_os.py index 8c6cd90e7..5d5b55fdf 100644 --- a/dissect/target/plugins/os/windows/_os.py +++ b/dissect/target/plugins/os/windows/_os.py @@ -247,13 +247,21 @@ def _part_str(parts: dict[str, Any], name: str) -> str: if any(map(lambda value: value is not None, version_parts.values())): version = [] + nt_version = _part_str(version_parts, "CurrentVersion") + build_version = _part_str(version_parts, "CurrentBuildNumber") prodcut_name = _part_str(version_parts, "ProductName") - version.append(prodcut_name) - nt_version = _part_str(version_parts, "CurrentVersion") + # CurrentBuildNumber >= 22000 on NT 10.0 indicates Windows 11. + # https://learn.microsoft.com/en-us/windows/release-health/windows11-release-information + try: + if nt_version == "10.0" and int(build_version) >= 22_000: + prodcut_name = prodcut_name.replace("Windows 10", "Windows 11") + except ValueError: + pass + + version.append(prodcut_name) version.append(f"(NT {nt_version})") - build_version = _part_str(version_parts, "CurrentBuildNumber") ubr = version_parts["UBR"] if ubr: build_version = f"{build_version}.{ubr}" diff --git a/tests/plugins/os/windows/test__os.py b/tests/plugins/os/windows/test__os.py index 683b4c17b..8cc9b6422 100644 --- a/tests/plugins/os/windows/test__os.py +++ b/tests/plugins/os/windows/test__os.py @@ -202,6 +202,26 @@ def test_windowsplugin__nt_version( ], " (NT ) 5678", ), + ( + [ + ("ProductName", "Windows 10 Pro"), + ("CurrentMajorVersionNumber", 10), + ("CurrentMinorVersionNumber", 0), + ("CurrentBuildNumber", 19_045), + ("UBR", 1234), + ], + "Windows 10 Pro (NT 10.0) 19045.1234", + ), + ( + [ + ("ProductName", "Windows 10 Enterprise"), + ("CurrentMajorVersionNumber", 10), + ("CurrentMinorVersionNumber", 0), + ("CurrentBuildNumber", 22_000), + ("UBR", 1234), + ], + "Windows 11 Enterprise (NT 10.0) 22000.1234", + ), ], ) def test_windowsplugin_version(