Unable to find certain Windows OS file using relevance

I’ve been helping some teams troubleshoot real/false positive vulnerabilities reported by another system. I’d like to get the version of this file: C:\Windows\System32\ntoskrnl.exe

I can see it in File Explorer and cannot seem to get it to return via relevance (tried eval by client and debugger). Any ideas?

I suspect that's Wow64 redirection redirecting “system32” to “syswow64” folder. Try this instead:

Q: (name of it, version of it) of files "ntoskrnl.exe" of native system folder
A: ntoskrnl.exe, 10.0.19041.6276
T: 5.719 ms
I: singular ( string, version )
3 Likes

Thanks, this does get what I’m after… it is strange I’m not able to get the list of all “nt” files in the native system folder. Specifying exactly that file does work.

Q: (name of it, version of it) of files of native system folders
A: 0ae3b998-9a38-4b72-a4c4-06849441518d_Servicing-Stack.dll, 10.0.20348.1
A: 69fe178f-26e7-43a9-aa7d-2b616b672dde_eventlogservice.dll, 10.0.20348.1
A: 6bea57fb-8dfb-4177-9ae8-42e8b3529933_RuntimeDeviceInstall.dll, 10.0.20348.2849
E: Singular expression refers to nonexistent object.

Q: (name of it, version of it) of files whose (name of it as lowercase starts with "nt") of native system folders
A: ntasn1.dll, 10.0.20348.1
A: ntdll.dll, 10.0.20348.3932
E: Singular expression refers to nonexistent object.

Q: (name of it, version of it) of files "ntoskrnl.exe" of native system folders
A: ntoskrnl.exe, 10.0.20348.3932
T: 1.863 ms
I: plural ( string, version )

Not all files will have a version, so as it encounters one that doesn’t, that will throw the singular expression error. You should be able to overcome that by pluralizing:

(names of it, versions of it)

3 Likes
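
An added example, not part of the thread and not BigFix code: a PowerShell cross-check of the two behaviours discussed above, System32 being redirected to SysWOW64 for a 32-bit process on 64-bit Windows, and files that carry no version resource. The function name `Get-NativeSystemFileVersion` and its `-Filter` parameter are hypothetical; `Sysnative` is the Windows alias that lets a 32-bit process reach the real System32.

```powershell
# Added example (hypothetical helper, not from the thread).
function Get-NativeSystemFileVersion {
    [CmdletBinding()]
    param(
        # Wildcard for file names in the native system folder, e.g. 'nt*'
        [string]$Filter = 'ntoskrnl.exe'
    )

    # A 32-bit process on 64-bit Windows has System32 redirected to SysWOW64.
    # The Sysnative alias exists only for such processes and bypasses the redirect.
    $redirected = [Environment]::Is64BitOperatingSystem -and
                  -not [Environment]::Is64BitProcess
    $leaf   = if ($redirected) { 'Sysnative' } else { 'System32' }
    $folder = Join-Path $env:windir $leaf

    Get-ChildItem -LiteralPath $folder -Filter $Filter -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $vi = $_.VersionInfo
            # A file without a version resource has an empty FileVersion.
            # Emit $null for it so one such file does not end the listing.
            $version = if ([string]::IsNullOrEmpty($vi.FileVersion)) {
                $null
            } else {
                New-Object System.Version -ArgumentList `
                    $vi.FileMajorPart, $vi.FileMinorPart,
                    $vi.FileBuildPart, $vi.FilePrivatePart
            }
            [pscustomobject]@{
                Name       = $_.Name
                Version    = $version
                Folder     = $folder
                Redirected = $redirected
            }
        }
}

# Single file, as in the original question
Get-NativeSystemFileVersion -Filter 'ntoskrnl.exe'

# All "nt*" files; entries with no version resource show an empty Version
Get-NativeSystemFileVersion -Filter 'nt*' |
    Sort-Object Name |
    Format-Table Name, Version, Folder
```

Running it from both a 32-bit and a 64-bit PowerShell host shows whether the `Folder` and `Redirected` columns change while the reported version of `ntoskrnl.exe` stays the same.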