-
Mar 19th, 2024, 04:45 PM
#1
[VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DATA
The simplest version APIs all lie unless you have a manifest. If you want to be sure you get the real version no matter what, there's various more complicated techniques. The one I had been using involved reading the version info from kernel32.dll. This way is easier, and involves a neat technique. The KUSER_SHARED_DATA type is always resident in memory. You can declare it, then copy it, with no APIs besides CopyMemory.
The version info can be extracted directly. To use this, you need no declares besides CopyMemory:
Code:
Dim dwMajor As Long, dwMinor As Long, dwBuild As Long
CopyMemory dwMajor, ByVal &H7FFE026C, 4
CopyMemory dwMinor, ByVal &H7FFE0270, 4
CopyMemory dwBuild, ByVal &H7FFE0260, 4
Debug.Print dwMajor & "." & dwMinor & "." & dwBuild
That's based on the offsets of the members of the full type.
If you're interested in the full type, the following is the expanded form: It also returns a ton of other info.
Code:
Public Type LARGE_INTEGER
#If (TWINBASIC = 1) Or (Win64 = 1) Then
QuadPart As LongLong
#Else
lowpart As Long
highpart As Long
#End If
End Type
Public Type KSYSTEM_TIME
LowPart As Long '0x0
High1Time As Long '0x4
High2Time As Long '0x8
End Type
Public Enum NT_PRODUCT_TYPE
NtProductWinNt = 1
NtProductLanManNt = 2
NtProductServer = 3
End Enum
Public Enum ALTERNATIVE_ARCHITECTURE_TYPE
StandardDesign = 0
NEC98x86 = 1
EndAlternatives = 2
End Enum
Public Enum VER_SUITE_VALUES
VER_SERVER_NT = &H80000000
VER_WORKSTATION_NT = &H40000000
VER_SUITE_SMALLBUSINESS = &H00000001
VER_SUITE_ENTERPRISE = &H00000002
VER_SUITE_BACKOFFICE = &H00000004
VER_SUITE_COMMUNICATIONS = &H00000008
VER_SUITE_TERMINAL = &H00000010
VER_SUITE_SMALLBUSINESS_RESTRICTED = &H00000020
VER_SUITE_EMBEDDEDNT = &H00000040
VER_SUITE_DATACENTER = &H00000080
VER_SUITE_SINGLEUSERTS = &H00000100
VER_SUITE_PERSONAL = &H00000200
VER_SUITE_BLADE = &H00000400
VER_SUITE_EMBEDDED_RESTRICTED = &H00000800
VER_SUITE_SECURITY_APPLIANCE = &H00001000
VER_SUITE_STORAGE_SERVER = &H00002000
VER_SUITE_COMPUTE_SERVER = &H00004000
VER_SUITE_WH_SERVER = &H00008000&
VER_SUITE_MULTIUSERTS = &H00020000
End Enum
Public Type KUSER_SHARED_DATA
TickCountLowDeprecated As Long '0x0
TickCountMultiplier As Long '0x4
InterruptTime As KSYSTEM_TIME '0x8
SystemTime As KSYSTEM_TIME '0x14
TimeZoneBias As KSYSTEM_TIME '0x20
ImageNumberLow As Integer '0x2c
ImageNumberHigh As Integer '0x2e
NtSystemRoot(0 To 259) As Integer '0x30
MaxStackTraceDepth As Long '0x238
CryptoExponent As Long '0x23c
TimeZoneId As Long '0x240
LargePageMinimum As Long '0x244
' Reserved2(0 To 6) As Long '0x248
AitSamplingValue As Long '0x24C
AppCompatFlag As Long '0x250
#If (TWINBASIC = 1) Or (Win64 = 1) Then
RNGSeedVersion As LongLong
#Else
RNGSeedVersion As Currency
#End If
GlobalValidationRunlevel As Long
TimeZoneBiasStamp As Long
NtBuildNumber As Long
NtProductType As NT_PRODUCT_TYPE '0x264
ProductTypeIsValid As Byte '0x268
Reserved0 As Byte
NativeProcessorArchitecture As Integer
NtMajorVersion As Long '0x26c
NtMinorVersion As Long '0x270
ProcessorFeatures(0 To 63) As Byte '0x274
Reserved1 As Long '0x2b4
Reserved3 As Long '0x2b8
TimeSlip As Long '0x2bc
AlternativeArchitecture As ALTERNATIVE_ARCHITECTURE_TYPE '0x2c0
BootId As Long 'Windows 10+ only
SystemExpirationDate As LARGE_INTEGER '0x2c8
SuiteMask As VER_SUITE_VALUES '0x2d0
KdDebuggerEnabled As Byte '0x2d4
MitigationPolicies As Byte '0x2d5
CyclesPerYield As Integer 'Only on Win10 1903 and higher
ActiveConsoleId As Long '0x2d8
DismountCount As Long '0x2dc
ComPlusPackage As Long '0x2e0
LastSystemRITEventTickCount As Long '0x2e4
NumberOfPhysicalPages As Long '0x2e8
SafeBootMode As Byte '0x2ec
VirtualizationFlags As Byte
Reserved12(1) As Byte
SharedDataFlags As Long '0x2f0 NOTE: TraceLogging on 2k/XP
DataFlagsPad(0) As Long
#If (TWINBASIC = 1) Or (Win64 = 1) Then
TestRetInstruction As LongLong '0x2f8
#Else
TestRetInstruction As Currency
#End If
SystemCall As Long '0x300
SystemCallReturn As Long '0x304
#If (TWINBASIC = 1) Or (Win64 = 1) Then
SystemCallPad(0 To 2) As LongLong '0x308
TickCountQuad As LongLong '0x320
#Else
SystemCallPad(0 To 2) As Currency
TickCountQuad As Currency
#End If
'union
'{
' volatile struct _KSYSTEM_TIME TickCount; //0x320
'TickCount As KSYSTEM_TIME
ReservedTickCountOverlay(1) As Long 'Since not using _KSYSTEM_TIME
'};
Cookie As Long '0x330
'Wow64SharedInformation(0 To 15) As Long '0x334
End Type
There's a lot more on the end, but it's not particularly useful, varies from version to version. The one given will work on XP-11.
Then using it is as simple as:
Code:
#If VBA7 Then
Public Declare PtrSafe Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As LongPtr)
#Else
Public Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
#End If
Private Sub ReadRealVersion()
Dim kusd As KUSER_SHARED_DATA
CopyMemory kusd, ByVal &H7ffe0000, LenB(kusd)
Debug.Print kusd.NtMajorVersion & "." & kusd.NtMinorVersion & "." & kusd.NtBuildNumber
End Sub
The address is the same for both 32bit and 64bit, so need for an alternate version.
The type as provided here is compatible with XP through 11. Build number is only correct on 10/11, but it's much less significant earlier anyway. The type can be truncated after ProcessorFeatures for Windows 2000 and NT4 compatibility-- the top snippet without declares works on NT4-11.
Last edited by fafalone; Mar 21st, 2024 at 04:28 AM.
-
Mar 20th, 2024, 06:02 AM
#2
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Did you check LARGEADDRESSAWARE processes?
cheers,
</wqw>
-
Mar 20th, 2024, 09:25 AM
#3
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
I'm not seeing any issue... I compiled an exe in tB in LAA and it worked fine; were you seeing a problem with however you get VB6 to compile with that?
-
Mar 20th, 2024, 10:41 AM
#4
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Didn't test it but the fixed address is halfway through address space and looks weird for LAA process.
cheers,
</wqw>
-
Mar 20th, 2024, 05:50 PM
#5
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Seems even weirder to me that the address is the same on both 32 and 64bit, but it works. The address is documented; there's Microsoft-written articles talking about it and the struct has an MSDN entry. Having a fixed address is one of the main points of it, it seems. The only time it's different is when you're in kernel mode; it's got a separate fixed address for that.
-
Mar 21st, 2024, 04:29 AM
#6
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
I updated the post with an even easier method. I realized you don't even need the declares.
Code:
Dim dwMajor As Long, dwMinor As Long, dwBuild As Long
CopyMemory dwMajor, ByVal &H7FFE026C, 4
CopyMemory dwMinor, ByVal &H7FFE0270, 4
CopyMemory dwBuild, ByVal &H7FFE0260, 4
MsgBox dwMajor & "." & dwMinor & "." & dwBuild
That's it, nothing else besides CopyMemory needed, and works on Windows NT4 through 11, on 32bit and 64bit.
-
Mar 21st, 2024, 05:45 AM
#7
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Wicked! Here is a single API call impl
Code:
Dim aBuffer(0 To 4) As Long
Call CopyMemory(aBuffer(0), ByVal &H7FFE0260, 20)
Debug.Print aBuffer(3) & "." & aBuffer(4) & "." & aBuffer(0)
. . . or wrapped in a property
Code:
Option Explicit
Private Declare Sub CopyMemory Lib "kernel32" Alias "RtlMoveMemory" (Destination As Any, Source As Any, ByVal Length As Long)
Private Enum UcsOsVersionEnum
ucsOsvNt4 = 400
ucsOsvWin98 = 410
ucsOsvWin2000 = 500
ucsOsvXp = 501
ucsOsvVista = 600
ucsOsvWin7 = 601
ucsOsvWin8 = 602
[ucsOsvWin8.1] = 603
ucsOsvWin10 = 1000
End Enum
Private Sub Form_Load()
Dim lBuildNo As Long
Debug.Print RealOsVersion(lBuildNo), lBuildNo
End Sub
Private Property Get RealOsVersion(Optional BuildNo As Long) As UcsOsVersionEnum
Dim aBuffer(0 To 4) As Long
Call CopyMemory(aBuffer(0), ByVal &H7FFE0260, 20)
BuildNo = aBuffer(0)
RealOsVersion = aBuffer(3) * 100 + aBuffer(4)
End Property
cheers,
</wqw>
-
Mar 21st, 2024, 06:01 AM
#8
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
And if "dwBuild >= 22000" then it's Windows 11.
What does your "ucs" abbreviation stand for?
-
Mar 21st, 2024, 06:09 AM
#9
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Yup this is my new standard now... I keep version info around and call ReadWindowsVersion on startup.
Code:
Private bIsWinVistaOrGreater As Boolean
Private bIsWin7OrGreater As Boolean
Private bIsWin8OrGreater As Boolean
Private bIsWin10OrGreater As Boolean
Private bIsWinRS5OrGreater As Boolean
Private bIsWin11OrGreater As Boolean
Private Sub ReadWindowsVersion()
Dim dwMajor As Long, dwMinor As Long, dwBuild As Long
CopyMemory dwMajor, ByVal &H7FFE026C, 4
CopyMemory dwMinor, ByVal &H7FFE0270, 4
CopyMemory dwBuild, ByVal &H7FFE0260, 4
If dwMajor >= 6 Then
bIsWinVistaOrGreater = True
If dwMinor >= 1& Then bIsWin7OrGreater = True
If dwMinor >= 2& Then bIsWin8OrGreater = True
If (dwMinor = 4) Or (dwMajor >= 10) Then bIsWin10OrGreater = True
If (dwMajor >= 10) And (dwBuild >= 17763) Then
bIsWinRS5OrGreater = True
If dwBuild >= 22000 Then bIsWin11OrGreater = True
End If
End If
End Sub
-
Mar 21st, 2024, 06:09 AM
#10
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Originally Posted by VanGoghGaming
And if "dwBuild >= 22000" then it's Windows 11.
What does your "ucs" abbreviation stand for?
I'm interested in build 20348 for Windows Server 2022 too, which has the earliest Schannel version with functional TLS 1.3 support :-))
Well, the prefix remains from when I copy/paste my company production code here. . .
Originally Posted by fafalone
Yup this is my new standard now... I keep version info around and call ReadWindowsVersion on startup.
It's so cheap (a single API call) that "caching" results is not worth it anymore, IMO.
cheers,
</wqw>
-
Mar 22nd, 2024, 07:44 AM
#11
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Originally Posted by fafalone
Yup this is my new standard now... I keep version info around and call ReadWindowsVersion on startup.
Code:
Private bIsWinVistaOrGreater As Boolean
Private bIsWin7OrGreater As Boolean
Private bIsWin8OrGreater As Boolean
Private bIsWin10OrGreater As Boolean
Private bIsWinRS5OrGreater As Boolean
Private bIsWin11OrGreater As Boolean
Private Sub ReadWindowsVersion()
Dim dwMajor As Long, dwMinor As Long, dwBuild As Long
CopyMemory dwMajor, ByVal &H7FFE026C, 4
CopyMemory dwMinor, ByVal &H7FFE0270, 4
CopyMemory dwBuild, ByVal &H7FFE0260, 4
If dwMajor >= 6 Then
bIsWinVistaOrGreater = True
If dwMinor >= 1& Then bIsWin7OrGreater = True
If dwMinor >= 2& Then bIsWin8OrGreater = True
If (dwMinor = 4) Or (dwMajor >= 10) Then bIsWin10OrGreater = True
If (dwMajor >= 10) And (dwBuild >= 17763) Then
bIsWinRS5OrGreater = True
If dwBuild >= 22000 Then bIsWin11OrGreater = True
End If
End If
End Sub
That code is dangerous
Code:
If (dwMajor >= 10) And (dwBuild >= 17763) Then
Because what happens if dwMajor is 12 and dwBuild is below 17763 ?
-
Mar 22nd, 2024, 08:39 AM
#12
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Been there, done that, should've used If dwMajor > 10 Or (dwMajor = 10 And dwBuild >= 17763) Then
cheers,
</wqw>
-
Mar 22nd, 2024, 10:40 AM
#13
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
-
Hyperactive Member
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Interesting but what is the reason MS makes the API lie?
-
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
With the release of Windows 8.1, the behavior of the GetVersionEx API has changed in the value it will return for the operating system version. The value returned by the GetVersionEx function now depends on how the application is manifested.
Source: https://learn.microsoft.com/en-us/wi...-getversionexw
So far I've been relying on the WMI object to return the OS version but this KUSER_SHARED_DATA seems more slick!
-
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Who knows what the actual why is. You have to be doing something pretty unusual for version lie to be desirable; but then, why should *everyone* have to worry about it instead of just the people who would want a system API to lie to them?
WMI seems like overkill... it's often disabled for security these days and the COM objects are a very heavyweight solution. I had been reading the kernel32.dll version before this:
Code:
Private Sub ReadWindowsVersion()
'GetVersion[Ex] does not work with Win8 and above, so we'll go by kernel32 version
'GetFileVersionInfo does not work with some versions of Win10 and above.
Dim hMod As LongPtr
Dim hRes As LongPtr
hMod = LoadLibraryW(StrPtr("kernel32.dll"))
If hMod Then
hRes = FindResourceW(hMod, StrPtr("#1"), RT_VERSION)
If hRes Then
Dim hGbl As LongPtr
hGbl = LoadResource(hMod, hRes)
If (hGbl) Then
Dim lpRes As LongPtr
lpRes = LockResource(hGbl)
If lpRes Then
Dim tVerInfo As VS_VERSIONINFO_FIXED_PORTION
CopyMemory tVerInfo, ByVal lpRes, Len(tVerInfo)
If tVerInfo.Value.dwFileVersionMSh >= 6& Then
bIsWinVistaOrGreater = True
If tVerInfo.Value.dwFileVersionMSl >= 1& Then bIsWin7OrGreater = True
If tVerInfo.Value.dwFileVersionMSl >= 2& Then bIsWin8OrGreater = True: bIsWin7OrGreater = True
If (tVerInfo.Value.dwFileVersionMSl = 4&) Or (tVerInfo.Value.dwFileVersionMSh >= 10&) Then
bIsWin7OrGreater = True
bIsWin8OrGreater = True
bIsWin10OrGreater = True
End If
End If
End If
End If
End If
FreeLibrary hMod
End If
End Sub
Another solution was the PEB...
Public Declare PtrSafe Function RtlGetCurrentPeb Lib "ntdll" () As LongPtr
Then major (Long), minor (Long) and build (Integer) start at 0x0A4 (32bit)/0x118 (64bit)
Which comes from
Code:
[Description("This is the base compatibility PEB, usuable from Windows XP through 11+. For additional members, see additional PEBs, e.g. PEB_VISTA.")]
Public Type PEB
InheritedAddressSpace As Byte
ReadImageFileExecOptions As Byte
BeingDebugged As Byte
/* [ TypeHint(PEB_BITFIELD_OLD) ] */ BitField As Byte
Mutant As LongPtr
ImageBaseAddress As LongPtr
Ldr As LongPtr
ProcessParameters As LongPtr 'RTL_USER_PROCESS_PARAMETERS
SubSystemData As LongPtr
ProcessHeap As LongPtr
FastPebLock As LongPtr
AtlThunkSListPtr As LongPtr
SparePtr2 As LongPtr
EnvironmentUpdateCount As Long
KernelCallbackTable As LongPtr
SystemReserved(0) As Long
SpareUlong As Long
FreeList As LongPtr
TlsExpansionCounter As Long
TlsBitmap As LongPtr
TlsBitmapBits(1) As Long
ReadOnlySharedMemoryBase As LongPtr
ReadOnlySharedMemoryHeap As LongPtr
ReadOnlyStaticServerData As LongPtr
AnsiCodePageData As LongPtr
OemCodePageData As LongPtr
UnicodeCaseTableData As LongPtr
NumberOfProcessors As Long
NtGlobalFlag As NTGLB_Flags
#If (TWINBASIC = 0) And (Win64 = 0) Then
pad(3) As Byte
#End If
CriticalSectionTimeout As LARGE_INTEGER
HeapSegmentReserve As LongPtr
HeapSegmentCommit As LongPtr
HeapDeCommitTotalFreeThreshold As LongPtr
HeapDeCommitFreeBlockThreshold As LongPtr
NumberOfHeaps As Long
MaximumNumberOfHeaps As Long
ProcessHeaps As LongPtr
GdiSharedHandleTable As LongPtr
ProcessStarterHelper As LongPtr
GdiDCAttributeList As Long
LoaderLock As LongPtr
OSMajorVersion As Long
OSMinorVersion As Long
OSBuildNumber As Integer
OSCSDVersion As Integer
OSPlatformId As Long
ImageSubsystem As ImageSubsystemType
ImageSubsystemMajorVersion As Long
ImageSubsystemMinorVersion As Long
ImageProcessAffinityMask As LongPtr
#If Win64 Then
GdiHandleBuffer(59) As Long
#Else
GdiHandleBuffer(33) As Long
#End If
PostProcessInitRoutine As LongPtr
TlsExpansionBitmap As LongPtr
TlsExpansionBitmapBits(31) As Long
SessionId As Long
AppCompatFlagsHi As Long
AppCompatFlags As APP_COMPAT_FLAGS 'ULARGE_INTEGER
AppCompatFlagUser As LARGE_INTEGER
pShimData As LongPtr
AppCompatInfo As LongPtr
CSDVersion As UNICODE_STRING
ActivationContextData As LongPtr
ProcessAssemblyStorageMap As LongPtr
SystemDefaultActivationContextData As LongPtr
SystemAssemblyStorageMap As LongPtr
MinimumStackCommit As LongPtr
#If (TWINBASIC = 0) And (Win64 = 0) Then
pad2(3) As Byte
#End If
End Type
But KUSER_SHARED_DATA definitely wins now, because you only need the CopyMemory API; the above you'd need the API to get the PEB address *and* CopyMemory, at a minimum, plus different offsets for x86/x64..
-
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
I've never heard of WMI being disabled. It's an integral part of Windows and many important services depend on it, such as the Windows Firewall. While this may be true in some heavily restricted corporate environments, it's almost never true for regular users.
Also it's pretty hard to beat this one-liner that always returns the correct version:
Code:
Debug.Print GetObject("winmgmts:").InstancesOf("Win32_OperatingSystem").ItemIndex(0).Version
Still, "KUSER_SHARED_DATA" wins hands down.
-
Re: [VB6/VBA/twinBASIC] The quickest way to the real Windows version: KUSER_SHARED_DA
Btw, on net stop winmgmt in admin prompt I get a "The Windows Management Instrumentation service could not be stopped" message so it's not that simple to disable WMI but it makes sense for systems in kiosk mode: POS terminals, ATM machines, etc.
cheers,
</wqw>
Posting Permissions
- You may not post new threads
- You may not post replies
- You may not post attachments
- You may not edit your posts
-
Forum Rules
|
Click Here to Expand Forum to Full Width
|