FORENSICS QUICKIES! These posts will consist of small tidbits of useful information that can be explained very succinctly.

I was chatting with Jared Atkinson and James Habben about PowerShell today and a question emerged from the discussion: is there a way to determine the version of PowerShell installed on a given machine without using the $PSVersionTable PowerShell command? We all agreed that it would be nice to have an offline source for finding this information.

You want to determine the version of PowerShell installed on a machine, but don't have a means by which to run the $PSVersionTable PowerShell command (e.g. you are working off of a forensic image - not a live machine).

Right off the bat, Jared suggested that there had to be something in the registry related to this information and subsequently pointed us to the following registry key: HKLM\SOFTWARE\Microsoft\PowerShell. James noted that he found a subkey named "1" inside. Within the "1" subkey is yet another subkey named PowerShellEngine. As we can see in the screenshot below, there is a value named PowerShellVersion that will tell us the version of PowerShell installed on the machine.

A second subkey named "3" shows a different, more recent version of PowerShell.

It wasn't until Jared noted that having the "1" subkey would indicate the existence of PowerShell v1 or v2 and that having the "3" subkey would indicate PowerShell v3-5 that this all started to make more sense. James's machine was a Windows XP workstation. Therefore, James's SOFTWARE hive only had a single "1" subkey. My machines were Windows 10 workstations.

But why did the Windows 10 workstations have both a "1" subkey and a "3" subkey? Jared, once again, suggested that a previous version of Windows being upgraded to Windows 10 may have been the reason. Sure enough, I had upgraded my Windows 7 machines to Windows 10 and had NOT done a fresh Windows 10 install. Note that this may not be the reason for seeing both subkeys; I reviewed a machine with a fresh Windows 10 install and observed that it also had both subkeys.

The bottom line is that, yes, the version of PowerShell can be found in the registry and not just by running the $PSVersionTable PowerShell command. But keep in mind that you might find more than one registry key containing PowerShell version information.

Do not be fooled by the default location of PowerShell.exe. The executable's path will show %SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe. Unless manually changed, this path will show "v1.0" regardless of the PowerShell versions installed on the machine.

But what about some of this other stuff we see in the PowerShellEngine subkey? What's that RuntimeVersion value and why doesn't it match the PowerShellVersion value? If two PowerShell engines exist on the Windows 10 machines, how do I use the older, v2 engine instead of the v5 engine?

To answer these questions, let's first use the easiest way possible to determine the version of PowerShell installed on a machine: the $PSVersionTable PowerShell command. (I ran everything below on the Windows 10 machine).

PS C:\Users\4n6k> PowerShell.exe -Version 2
Copyright (C) 2009 Microsoft Corporation. All rights reserved.

As you can see, our PowerShell session is now using the v2 engine instead of v5. Note that when I tried PowerShell.exe -Version 3, the output I received was the same output I received for v5.
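One way to read the PowerShellEngine values described above from an offline SOFTWARE hive on an analysis workstation. This is an added example, not code from the original post. The hive path and the OfflineSoftware mount name are placeholders, and it assumes an elevated prompt and a working copy of the hive, since loading a hive can write to the file.

```powershell
# Added example: list PowerShell engine versions recorded in an offline SOFTWARE hive.
# Assumptions: the hive is a working copy exported from the image, never the original
# evidence; 'OfflineSoftware' is an arbitrary temporary mount name; run elevated.
function Get-OfflinePowerShellVersion {
    param(
        [Parameter(Mandatory)][string]$HivePath,
        [string]$MountName = 'OfflineSoftware'
    )

    # Mount the hive file under HKLM so the registry provider can read it.
    & reg.exe load "HKLM\$MountName" $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg load failed for $HivePath" }

    try {
        $base = "HKLM:\$MountName\Microsoft\PowerShell"
        # Each numbered subkey ("1", "3") may carry its own PowerShellEngine key.
        foreach ($sub in (Get-ChildItem -Path $base -ErrorAction Stop)) {
            $name      = $sub.PSChildName
            $engineKey = "$base\$name\PowerShellEngine"
            if (-not (Test-Path -Path $engineKey)) { continue }

            $values = Get-ItemProperty -Path $engineKey
            [pscustomobject]@{
                Subkey            = $name
                # Mapping as described in the post: "1" = v1 or v2, "3" = v3-5.
                EngineFamily      = switch ($name) {
                                        '1'     { 'v1 or v2' }
                                        '3'     { 'v3-5' }
                                        default { 'unknown' }
                                    }
                PowerShellVersion = $values.PowerShellVersion
                RuntimeVersion    = $values.RuntimeVersion
            }
        }
    }
    finally {
        # Release registry handles held by the provider, then unmount the hive.
        Remove-Variable -Name sub, values -ErrorAction SilentlyContinue
        [gc]::Collect()
        [gc]::WaitForPendingFinalizers()
        & reg.exe unload "HKLM\$MountName" | Out-Null
    }
}

# Placeholder path to a working copy of the hive:
# Get-OfflinePowerShellVersion -HivePath 'C:\Cases\example\SOFTWARE'
```

A hive that reports both a "1" and a "3" row matches the situation described for the Windows 10 workstations, where two engines are recorded.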