How do I tell if Windows 10 was a fresh install or upgrade?

ridders
(@ridders)
Posts: 12
Active Member
Topic starter
 

I’ve been doing some research around a recent topic raised in our office regarding “How do we tell if a Windows 10 computer was upgraded or fresh installed”.

After looking into this there are some registry keys which may indicate it, however a more concerning problem has arisen, which is that the major Windows 10 updates appear to be directly affecting the date of installation attribute. My findings are as follows:

This is the system information for a fresh install of Windows 10 prior to any major updates, i.e. V1507, V1511, V1607 AKA “anniversary”, and V1703 AKA “creators” update.

Within the SYSTEM Hive, under the “setup” directory there is currently no folder or key titled “upgrade”. This indicates that windows 10 is a fresh install. The “upgrade” key only appears within setup when an upgrade occurred from 7/8 to 10 or a major windows update has occurred.

Currently untested on my part, however provided online as research from superuser.com is the below image, showing that an additional directory is created “Source OS (Updated on X/X/XXX 000000)” when an upgrade from 7/8 to 10 occurs. As you can see the “ProductName” key shows the previous OS windows 10 was upgraded from. However it is highlighted that with all the recent windows 10 updates this identifier may no longer apply / exist.

Before any updates were applied to the fresh windows 10 install I used “systeminfo” to produce me the installation date. The date and time shown in this picture is correct.

When the “InstallDate” key from SOFTWARE\Microsoft\Windows NT\Current Version is examined via Encase or X-Ways, the actual hex values recorded are incorrect. So prior to any updates Windows 10 registry reports its installation date incorrectly by 7 hours under UTC.

At this point I now commence a major Windows 10 update as seen below. The update assistant states that it’s going to update to version “15063”, however the latest version is currently 1703 and it acquires that instead.

The workstation has now been rebooted and I examine the SYSTEM\setup hive again, and we can now see an “upgrade” key present, second from the bottom. Only theory at this point, but the absence of the “Source OS” directory could be an indicator this was only an update not an upgrade from windows 7/8.

We can now also see under SOFTWARE\Microsoft\Windows NT\Current Version the “ReleaseID” key now reflects the latest major windows 10 update.

Using the same method as before I use Systeminfo to obtain the date of installation after the update has occurred and we now see that Windows 10 believes it was installed at 13:56 not 09:19.

Once again using Encase and X-Ways to verify the date we can see the hex within the registry is out by 7 hours. Curiously enough, note that the Windows update also created a windows.old directory, something we previously used as an indicator of a Windows upgrade.

What are others using to determine the correct information?

 
Posted : 22/06/2017 8:34 pm
BraindeadVirtually
(@braindeadvirtually)
Posts: 115
Estimable Member
 

When the “InstallDate” key from SOFTWARE\Microsoft\Windows NT\Current Version is examined via Encase or X-Ways, the actual hex values recorded are incorrect. So prior to any updates Windows 10 registry reports its installation date incorrectly by 7 hours under UTC.

I might be missing something here, but when I looked at my install date I found an accurate epoch timestamp when I changed it to decimal output.

 
Posted : 22/06/2017 9:34 pm
ridders
(@ridders)
Posts: 12
Active Member
Topic starter
 

Good Morning RedCat. I have tried your suggestion and the result which was returned is Saturday, 10 June 2017 21:56:27 GMT+0100 DST, however the true install date and time is 10 June 2017 09:19:36.

 
Posted : 23/06/2017 4:15 pm
BraindeadVirtually
(@braindeadvirtually)
Posts: 115
Estimable Member
 

Good Morning RedCat. I have tried your suggestion and the result which was returned is Saturday, 10 June 2017 21:56:27 GMT+0100 DST, however the true install date and time is 10 June 2017 09:19:36.

Guessing then that the true install date represents the first time that Windows was installed to the system, and then over the course of the next 12 hours or so the system was upgraded through Windows Update. I know that some of the chunkier Windows Updates will change the system 'install' date when they get installed.

tl;dr it's often hard to say with forensic certainty when Windows was first installed.

 
Posted : 23/06/2017 4:21 pm
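The decoding the two posters describe (raw InstallDate DWORD read as a Unix epoch) and the comparison against an independent install time, as an added example that is not code from anyone in this thread. The raw bytes are constructed to decode to the 10 June 2017 21:56:27 BST value quoted above, and the UTC+1 zone is assumed from the "GMT+0100 DST" in that post.

```python
"""Decode the Windows 'InstallDate' REG_DWORD and compare it with an
independent install time (e.g. systeminfo output taken before any update)."""
from datetime import datetime, timedelta, timezone

# Assumed from 'GMT+0100 DST' in the thread: British Summer Time, UTC+1.
LOCAL_TZ = timezone(timedelta(hours=1), "BST")

# Constructed bytes, as a hex viewer shows the little-endian REG_DWORD.
# They decode to 10 June 2017 20:56:27 UTC (21:56:27 BST).
RAW_INSTALLDATE = bytes.fromhex("fb5c3c59")

# The 'true' install time quoted in the thread (systeminfo before the update).
THREAD_REFERENCE = datetime(2017, 6, 10, 9, 19, 36, tzinfo=LOCAL_TZ)


def installdate_epoch(raw: bytes) -> int:
    """InstallDate is a 32-bit little-endian count of seconds since 1970 (UTC)."""
    if len(raw) != 4:
        raise ValueError("InstallDate is a REG_DWORD: expected exactly 4 bytes")
    return int.from_bytes(raw, "little")


def decode_installdate(raw: bytes) -> datetime:
    """Return the registry value as a timezone-aware UTC datetime."""
    return datetime.fromtimestamp(installdate_epoch(raw), tz=timezone.utc)


def compare_with_reference(raw: bytes, reference: datetime):
    """Return (decoded_utc, hours) where hours = registry minus reference."""
    decoded = decode_installdate(raw)
    delta = decoded - reference.astimezone(timezone.utc)
    return decoded, delta.total_seconds() / 3600


def main():
    decoded, hours = compare_with_reference(RAW_INSTALLDATE, THREAD_REFERENCE)
    print(f"raw bytes (hex view)   : {RAW_INSTALLDATE.hex(' ')}")
    print(f"decimal (epoch seconds): {installdate_epoch(RAW_INSTALLDATE)}")
    print(f"decoded UTC            : {decoded:%Y-%m-%d %H:%M:%S %Z}")
    print(f"decoded local          : {decoded.astimezone(LOCAL_TZ):%Y-%m-%d %H:%M:%S %Z}")
    print(f"reference (systeminfo) : {THREAD_REFERENCE:%Y-%m-%d %H:%M:%S %Z}")
    print(f"registry minus ref     : {hours:+.2f} h")
    if abs(hours) > 1:
        # A gap of many hours is what a feature update rewriting InstallDate looks like.
        print("MISMATCH: InstallDate likely rewritten; corroborate with other artefacts")


if __name__ == "__main__":
    main()
```

Always compare the decoded UTC value, not a tool's local rendering, before concluding the registry is "out" by some number of hours.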
ridders
(@ridders)
Posts: 12
Active Member
Topic starter
 

it's often hard to say with forensic certainty when Windows was first installed.

The installdate registry key for previous operating systems has been a reliable source for confirming install date.

 
Posted : 23/06/2017 4:56 pm
(@hwmann)
Posts: 1
New Member
 

Why do you need to know?

 
Posted : 28/06/2017 7:47 pm
ridders
(@ridders)
Posts: 12
Active Member
Topic starter
 

Why do you need to know?

The install date can be used, among other things, to eliminate or prioritise exhibits where a time frame is relevant. It's an effective method of prioritisation if many exhibits have been submitted for examination. In other circumstances an installation date right before arrest / seizure may also warrant concern and could be an indicator for further analysis into areas such as unallocated, etc. With the recent changes in Windows 10 this information could risk incorrect conclusions being considered or presented.

Seeing as I trained you, you already knew this though.

 
Posted : 01/07/2017 3:21 pm