Simple Bash script to figure out the windows version installed on local disk(s) from Linux

winsniff.sh

#!/bin/bash

# This script tries to sniff the Windows version present on local disks.
# It does so by mounting ntfs partitions, and tries to read the version from the registry
# requires hivexget and lsblk
# install hivexget on Debian: apt install libhivex-bin

if [[ $EUID -ne 0 ]]; then
	echo "root pls"
	exit 1
fi

shopt -s nullglob

mountpoint=$(mktemp -d) # we create a random folder where we can mount stuff

for dev in $(lsblk -o KNAME -A --raw -n); do
	tput setaf 3
	echo "Checking ${dev} ..."
	tput sgr0

	if ! mount -v -t ntfs -o ro "/dev/${dev}" "${mountpoint}"; then
		echo "Failed to mount as ntfs, proceeding to next device"
		continue
	fi

	echo "mounted"

	# is mounted... don't forget to unmount...

	# Thanks https://superuser.com/a/1748131
	rfile=($mountpoint/[wW][iI][nN][dD][oO][wW][sS]/[sS][yY][sS][tT][eE][mM]32)
	rfile=(${rfile[@]/%//[cC][oO][nN][fF][iI][gG]})
	rfile=(${rfile[@]/%//[sS][oO][fF][tT][wW][aA][rR][eE]})

	if [[ -z "${rfile}" || ! -f "${rfile}" ]]; then
		echo "Could not locate hive file..."
	else
		echo "Attempting to open ${rfile} ..."

		productName=$(hivexget "${rfile}" 'Microsoft\Windows NT\CurrentVersion' ProductName)
		if [[ $? -ne 0 ]]; then
			echo "Could not extract ProductName"
		else
			tput setaf 2
			echo "Found ${productName}!"
			tput sgr0
		fi
	fi

	umount -v "${mountpoint}"
done