Windows.old & Thumbcache


Christ143uk
Member
 

Windows.old & Thumbcache

Post Posted: Apr 18, 16 12:51

Hi all,

I have been looking around but have been getting conflicting answers. I am looking at a Windows Vista Home Premium installation.

My questions are:

1) Is Windows.old folder created when a user selects the "Upgrade" option during installation?

2) Is Windows.old folder created when a user selects "Custom (Advanced)" during installation if they install it on the same partition without formatting?

3) I am aware Thumbcache.db is created on a per user basis. Would a new Thumbcache repository be created under both circumstances listed above, or could the thumbcache be carried over, depending on the installation options? As far as I am aware, you cannot "upgrade" from Vista to Vista, therefore the thumbcache must have been re-created, as prior operating systems would have used thumbs.db.

4) Finally is there any other way to tell if the OS was a fresh install or an upgrade?

Thanks in advance.  
 
  

Bunnysniper
Senior Member
 

Re: Windows.old & Thumbcache

Post Posted: Apr 18, 16 18:27

Windows.old is generated every time you install another Windows OS of the same version or higher version into the same, already used and formatted NTFS partition. If you want to check whether this is an upgrade or a clean install, have a look at the SYSTEM reg hive from Windows.old\System32\config\
You should have one in Windows.old and one in Windows. Compare both InstallDate values from - I think - Windows\CurrentVersion

But the existence of Windows.old is clear evidence of an Upgrade. In case of "Clean Install" (with formatted drives) there is no Windows.old folder!


best regards,
Robin  
 
  

Christ143uk
Member
 

Re: Windows.old & Thumbcache

Post Posted: Apr 19, 16 13:02

Hi,

Thanks for the response.

Could you clarify what you would expect to see from comparing the two "InstallDate" from current Windows and Windows.old?

Sorry I don't currently have the capacity to compare them myself as I don't have a Windows.old available.

Also do you mean the SYSTEM hive or SOFTWARE?

Many Thanks  
 
  

Bunnysniper
Senior Member
 

Re: Windows.old & Thumbcache

Post Posted: Apr 19, 16 15:01

- Christ143uk
Hi,

Thanks for the response.

Could you clarify what you would expect to see from comparing the two "InstallDate" from current Windows and Windows.old?

Sorry I don't currently have the capacity to compare them myself as I don't have a Windows.old available.

Also do you mean the SYSTEM hive or SOFTWARE?

Many Thanks


Well, by comparing both values you can identify the time and date when the upgrade was done. It is done once C:\Windows.old is created; comparing both values answers the question of when it was done.

You can use Mitec's WRR from www.mitec.cz/wrr.html to open C:\Windows.old\WINDOWS\System32\config\SOFTWARE and check the original InstallDate. WRR makes the conversion from UNIX time to a human-readable format for you.

Then you open the "active" SOFTWARE hive from C:\Windows\WINDOWS\System32\config\ and check the value for InstallDate at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion. The active SOFTWARE hive gives you the answer when the OS was migrated.

To make it simpler, execute cmd.exe /K systeminfo|findstr Install on a copy of the running system. And again, systeminfo converts the time for you. To convert it yourself, have a look at this link.

You should check Microsoft's upgrade paths for the mentioned Vista version. It should have been a Windows XP Professional before (unconfirmed!). The aforementioned registry hive contains a Key called ProductName. It should contain the full name of the former OS, too.

best regards,
Robin  
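
The comparison described in the post above, as an added example that is not part of the original thread: it converts InstallDate (seconds since the UNIX epoch) from the Windows.old and active SOFTWARE hives to UTC and reports when each installation happened. The function names and sample values are constructed for illustration, and reading real hive files assumes the third-party python-registry package.

```python
from datetime import datetime, timezone

KEY = r"Microsoft\Windows NT\CurrentVersion"  # path inside a SOFTWARE hive

def read_install_info(hive_path):
    """Read InstallDate/ProductName from an offline SOFTWARE hive.
    Assumes the third-party python-registry package is installed."""
    from Registry import Registry  # imported lazily; only needed for real hives
    key = Registry.Registry(hive_path).open(KEY)
    return {"InstallDate": key.value("InstallDate").value(),
            "ProductName": key.value("ProductName").value()}

def to_utc(epoch):
    """InstallDate is a REG_DWORD holding seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc)

def compare_installs(old, new):
    """old: values from the Windows.old hive; new: values from the active hive."""
    notes = []
    if old["InstallDate"] == 0 or new["InstallDate"] == 0:
        notes.append("InstallDate of 0: value missing or unset")
    if old["InstallDate"] >= new["InstallDate"]:
        notes.append("previous install is not older than the active one; "
                     "check for clock changes or swapped hives")
    return {
        "previous_os": old["ProductName"],
        "previous_installed": to_utc(old["InstallDate"]).isoformat(),
        "current_os": new["ProductName"],
        "current_installed": to_utc(new["InstallDate"]).isoformat(),
        "days_between": (new["InstallDate"] - old["InstallDate"]) // 86400,
        "notes": notes,
    }

# Constructed sample values (not taken from a real case).
SAMPLE_OLD = {"InstallDate": 1199145600, "ProductName": "Microsoft Windows XP"}
SAMPLE_NEW = {"InstallDate": 1262304000,
              "ProductName": "Windows Vista (TM) Home Premium"}

if __name__ == "__main__":
    for name, value in compare_installs(SAMPLE_OLD, SAMPLE_NEW).items():
        print(f"{name}: {value}")
```

With real evidence, pass the two dictionaries returned by read_install_info() for each exported SOFTWARE hive to compare_installs().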
 
  

Christ143uk
Member
 

Re: Windows.old & Thumbcache

Post Posted: Apr 19, 16 16:08

Hi Robin,

Thank you for the advice and for clearing that up for me; it is appreciated.

Thanks  
 
  

Bunnysniper
Senior Member
 

Re: Windows.old & Thumbcache

Post Posted: Apr 19, 16 16:28

I have accidentally found some more useful information for you:

"This article lists all the log files that are created when you upgrade to Windows Vista from an earlier version of Windows."
support.microsoft.com/.../kb/928901

Depending on the existence of several log files, you can confirm the success of an Upgrade. Quite an interesting article, did not know that....

have a nice day all,
Robin  
 
