# CurrentVersion Registry Key

The `CurrentVersion` registry key will provide you with the current operating system's version, service pack, and date of installation.

## Analysis Value

{% content-ref url="/pages/A9WSUHDPatjWctCckWyA" %}
[System Enumeration](/windows-forensics/artifacts-by-activity/system-enumeration.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ✅       |
| Windows XP    | ✅       |               |         |

## Artifact Location(s)

{% tabs %}
{% tab title="🔌 Offline System" %}

* File: `%SystemRoot%\System32\config\SOFTWARE`
* Key: `SOFTWARE\Microsoft\Windows NT\CurrentVersion`
  {% endtab %}

{% tab title="🔋 Live System" %}

* `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion`
  {% endtab %}
  {% endtabs %}

## Artifact Parsers

* RegistryExplorer (Eric Zimmerman)

## Artifact Interpretation

The `ProductName` value will provide the OS, such as `Windows Server 2019`.

The `ReleaseId` value will provide the version of the specified OS.

The `InstallDate` is an Epoch timestamp of when the OS was either first installed or received a major update, or was reset.

## Example

```
PS> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name *

SystemRoot                : C:\Windows
BaseBuildRevisionNumber   : 1
BuildBranch               : vb_release
BuildGUID                 : ffffffff-ffff-ffff-ffff-ffffffffffff
BuildLab                  : 19041.vb_release.191206-1406
BuildLabEx                : 19041.1.amd64fre.vb_release.191206-1406
CompositionEditionID      : Enterprise
CurrentBuild              : 19044
CurrentBuildNumber        : 19044
CurrentMajorVersionNumber : 10
CurrentMinorVersionNumber : 0
CurrentType               : Multiprocessor Free
CurrentVersion            : 6.3
EditionID                 : Professional
EditionSubManufacturer    :
EditionSubstring          :
EditionSubVersion         :
InstallationType          : Client
InstallDate               : 1666804042
ProductName               : Windows 10 Pro
ReleaseId                 : 2009
SoftwareType              : System
UBR                       : 3086
PathName                  : C:\Windows
ProductId                 : 00330-80000-00000-AA949
DisplayVersion            : 21H2
RegisteredOwner           : user1
RegisteredOrganization    :
InstallTime               : 133112776429018501
```

> This example was produced on Windows 10, Version 10.0.19044 Build 19044


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.