One of the questions I have received a few times after publishing the previous blogs is “how do I see if a given binary is on the GDR or LDR branch on my system?”
Pre-Vista this is actually simple to determine through Explorer: view the properties of a file, switch to the Version tab and select the Item name “File Version” – in the right-hand pane Value you will see the version string in brackets after the number.
Here is the File Version information for ntoskrnl.exe on Windows Server 2003 SP2:
The format of the string is this:
Windows Branch _ Service Pack Branch _ GDR/LDR Branch . Build Date-Build Time
(The file version number itself does not uniquely identify whether a binary is on the GDR or LDR branch, so I’ll ignore that here.)
So for the above example:
Windows Branch = srv03 = Windows Server 2003 (NT 5.2)
Service Pack Branch = sp2 = Service Pack 2
GDR/LDR Branch = rtm = GDR (RTM is the base of the branch so considered GDR)
Build Date-Build Time = 070216-1710 = 16th February 2007, 17:10
Now to prove a bit of the theory I have mentioned previously – let’s apply one of the more recent GDR hotfixes that updated ntoskrnl.exe and check the properties afterwards…
I decided to apply KB977165 (downloaded manually from here) which should according to the KB article should update the file to version 5.2.3790.4637 dated 15th December 2009…
So far, so good – we remain in the GDR branch and the version is updated as expected.
Now let’s install an older LDR package – let’s take KB935926 which contains version 5.2.3790.4449 dated January 2009:
See how we switch to the QFE branch but do not regress the version?
This binary was taken from the $hf_mig$ folder to avoid a potential problem – and hence why you shouldn’t go deleting this folder to free up space.
If we had applied the LDR package first then the version would have been as per the KB article after the first hotfix installation:
If GDR package KB977165 was applied after this, then we would end up at the LDR same version as in the previous scenario (5.2.3790.4637, srv03_sp2_qfe.091215-1207) so it does not matter in which order the fixes are applied – a single LDR package will move the binary onto the LDR branch and keep it there until the next Service Pack.
Now, for Vista and later things get a little trickier to determine, as there is no Version tab in the properties of a file, and the File version reported on the Details tab is just the numerical one – for example here is the information for ntoskrnl.exe:
The file version is constructed like this:
major . minor . build . revision
For Windows Vista:
- major version is 6
- minor version is 0
- build is 6000 for RTM, 6001 for SP1 and 6002 for SP2
- revision of a file indicates which branch the file is on by the first couple of digits
To explain the revision number, let me borrow from KB971486 which has a good summary:
|6.0.6001.18xxx||Windows Vista SP1 and Windows Server 2008 SP1||SP1||GDR|
|6.0.6001.22xxx||Windows Vista SP1 and Windows Server 2008 SP1||SP1||LDR|
|6.0.6002.18xxx||Windows Vista SP2 and Windows Server 2008 SP2||SP2||GDR|
|6.0.6002.22xxx||Windows Vista SP2 and Windows Server 2008 SP2||SP2||LDR|
For Windows Server 2008 the information is identical, except there was no RTM build as it was released at the point SP1 was released for Vista, so the first build is 6001.
Hotfix packages that apply to Vista for binaries that exist in Windows Server 2008 are identical (think of them as “NT 6.0 hotfixes” if it makes life easier).
Based on the above table you can see the properties were displayed for Windows Vista or Server 2008 (major.minor version 6.0) SP2 (build 6002) and the file is on the GDR branch (revision 18xxx).
So how does it look for Windows 7 / Server 2008 R2?
Here’s ntoskrnl.exe properties from my machine this morning:
For this version of Windows:
- major version is 6
- minor version is 1
- build is 7600 for RTM
- revision is 16xxx for GDR, 20xxx for LDR
Note the major.minor revision is 6.1 and not what a lot of people expected (7.0) – this was done deliberately for application compatibility reasons, as many vendors do a major version check and expect to see 6.x as the reported NT version.
Application compatibility and backwards compatibility are important to Microsoft, so we took the less-risky path.
There isn’t a final Service Pack 1 for Windows 7 yet, but the beta has just been released and the build number is 7601 so you can see how it follows the previous pattern of incrementing by 1 for each Service Pack.
Borrowing again from another KB article (KB974431) to summarize the versioning system:
|6.1.7600.16xxx||Windows 7 and Windows Server 2008 R2||RTM||GDR|
|6.1.7600.20xxx||Windows 7 and Windows Server 2008 R2||RTM||LDR|
Again, using the information we now have you can see my screenshot was taken from a Windows 7 / Server 2008 R2 machine on the GDR branch.
How the revision numbers will be after SP1 we will have to wait and see – but with the kind of information from the above tables it now becomes trivial to see whether any binary is on the GDR or LDR branch.