In reviewing the registry I see that the OS was installed at 1120 UTC but I see a mountpoint entry under a user at 1109 UTC (on the same day).
How can there be a registry key entry older than when the actual OS was installed?
Thanks.
OS upgrade?
Good point! I'm pretty certain that this is exactly what it is, but how can I tell for sure (specific registry key)?
What OS specifically are you working with? What Registry Keys have you examined? And any other artifacts?
Cheers
Win 7 Enterprise, and have reviewed the keys that hold the OS-related info, such as type of OS.
Might be wrong, but does the file system metadata give you any clues? E.g., the MFT created months prior?
How do I access the mtf data?
I'm not sure what an "mtf" is, so I can't address this question, but I would like to ask for some clarifying information regarding the original question.
Specifically, to *which* mount point are you referring?
If this is the mount point for the C:\ volume on the system, the fact that it "predates" the installation time by…what is it…11 min??…doesn't seem too surprising to me, particularly when you consider that the creation of the Default user profile and the volume itself would likely occur prior to the installation being finalized.
I think that it's important to consider not so much that one date occurs before another, but to also understand what actions or conditions lead to specific values, particularly time stamps, being set.
For example, I did some testing a while back regarding the creation of the GUIDs used to refer to the MountPoints2 subkey names within the user hives, specifically those that relate to USB devices. Using the UUID v1 format documented in an online RFC, I found that the key name/GUID used the boot time of the current login session, rather than the time that the device was actually connected to the system.
So, my point is that you can't simply look at a couple of time values and say, "hey…these are odd, b/c one appears before the other." without understanding how they are created and/or modified.
Just a thought.
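The post above refers to the UUID v1 layout of MountPoints2 GUID subkey names. The following is an added example, not part of the original thread, that decodes the clock value embedded in such a GUID and compares it with an install time. The function names are hypothetical, and the GUID, node value and install time are constructed sample data.

```python
import uuid
from datetime import datetime, timedelta, timezone

# UUID v1 timestamps count 100-ns intervals from the Gregorian epoch (RFC 4122).
GREGORIAN_EPOCH = datetime(1582, 10, 15, tzinfo=timezone.utc)

def guid_v1_time(guid):
    """Return (utc_datetime, node_hex) for a version-1 GUID, else None."""
    try:
        u = uuid.UUID(guid.strip().strip("{}"))
    except ValueError:
        return None  # not a GUID at all, e.g. a drive-letter subkey such as "C"
    if u.variant != uuid.RFC_4122 or u.version != 1:
        return None  # other UUID versions carry no embedded clock value
    ts = GREGORIAN_EPOCH + timedelta(microseconds=u.time // 10)
    return ts, f"{u.node:012x}"

def compare(subkeys, install_time):
    """Rows of (subkey, embedded time, minutes relative to install_time)."""
    rows = []
    for name in subkeys:
        decoded = guid_v1_time(name)
        if decoded is None:
            rows.append((name, None, None))
            continue
        ts, _node = decoded
        rows.append((name, ts, (ts - install_time).total_seconds() / 60))
    return rows

# Constructed sample data: subkey names and an install time (not from a real case).
SAMPLE_SUBKEYS = [
    "{9bfc2e00-66b3-11e1-8a3c-020000000001}",  # version 1, time-based
    "{3f2504e0-4f89-41d3-9a0c-0305e82c3301}",  # version 4, random
    "C",                                       # drive-letter subkey
]
SAMPLE_INSTALL = datetime(2012, 3, 5, 11, 20, tzinfo=timezone.utc)

if __name__ == "__main__":
    for name, ts, delta in compare(SAMPLE_SUBKEYS, SAMPLE_INSTALL):
        print(name, ts.isoformat() if ts else "no embedded time", delta)
```

The decoded value is only the clock reading stored in the GUID; what event set it (boot, per the testing described above, or device connection) still has to be established separately from the key's LastWrite time.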
Check the file system for directories that would be present from a prior XP or Vista installation or appear as a result of an upgrade. The type of upgrade that is performed will have an effect on the resulting folders.
An example of a folder artifact that indicates an upgrade from XP or Vista would be the presence of a "Windows.old" folder.
Refer to this link