RE: Checking when the OS was first installed

["AndrewC" <andrew () whirlow plus com>]

Or you could just type "systeminfo" at the command prompt to get system
install date and all the patch/hotfix info you will ever likely need!!?.....

Andrew P Craig MA
A+ N+ MCSE CCNA
 
==================================================================
The information transmitted in this e-mail is intended only for the person
or entity to which it is addressed and contains confidential information.
Any review, retransmission or other use by persons or entities other than
the intended recipient is prohibited. If you received this in error, please
contact the sender and delete the material from any computer. Thank you. 
 

-----Original Message-----
From: Times Enemy [mailto:times () krr org] 
Sent: 01 June 2005 09:00
To: security-basics () securityfocus com
Subject: Re: Checking when the OS was first installed

Greetings.

Not sure why, but i am assuming the OS is a Microsoft OS.

I would have to agree, that the creation date for the %systemroot% 
directory should indicate when the OS was installed.  This may not work 
if the OS was upgraded significantly.

Some generic folders to check the creation date:
c:\%systemroot%
c:\%systemroot%\Config
c:\%systemroot%\Fonts
c:\%systemroot%\repair
c:\%systemroot%\system
c:\%systemroot%\system32
c:\program files
c:\program files\common files
c:\documents and settings\default user

Some files to check the creation date:
c:\io.sys
c:\msdos.sys
c:\pagefile.sys
c:\windows\setuplog.txt
c:\windows\winnt.bmp
c:\windows\winnt256.bmp
c:\windows\security\logs\backup.log     # may have date inside as well 
as creation date
# the 'c:\windows\security\logs' subdirectory may have several files of 
worth regarding install date
# the same goes for file creation dates within 'c:\windows\system32\config'
c:\windows\comsetup.log
c:\windows\debug\netsetup.log

et cetera.

This is not 100%, but it should work most of the time.

 From a command prompt, XP Pro:

dir /tc <filename>

EXAMPLE: dir /tc c:\autoexec.bat

This controls which time field displayed or used for sorting, per 'dir /?'.

For hidden files:

dir /ah /tc <filename>

EXAMPLE: dir /ah /tc c:\io.sys

OR right-click file/folder, left-click properties.

If you do enough of these, you should be able to determine the 
installation date.  There may be some simple command, registry entry, or 
the likes that keeps this information, specifically, and solely, but i 
do not know of it at this time.

FWIW, why do you care when the OS was installed?

.times enemy


Ansgar -59cobalt- Wiechers wrote:

> On 2005-05-29 Lubrano di Ciccone, Christophe (DEF) wrote:
>  
>
> > The date of the boot.ini file or the winnt folder (%systemroot%) may
> > help you.
> >    
>
> Maybe, but since it's the configuration file for the bootloader, it is
> prone to changes, so this seems very unreliable to me.
>
> Regards
> Ansgar Wiechers
>