Hello all!
I am hoping to find out if (and indeed when) a user has used the "Reset this PC" system reset option in Windows 10. The current installation only has the system-generated user accounts Default and Public, and the SAM and SECURITY hives are present but completely empty. The RegBack folder is also empty. The Windows.old folder is present and still contains a lot of data, including previous user profiles and the complete registry hives. I can see from ReleaseId (SOFTWARE) that both the current and previous installations appear to be running Win 10 1709, therefore my current hypothesis is that the user has chosen to Reset this PC rather than attempt to update to a new feature update, and the device has then lost power/failed. I am in the process of spinning up a Win 10 1709 VM to establish which reset option causes the Windows.old folder to be created (i.e. Keep my files / Remove everything).
I have done some Googling around the subject, specifically in relation to forensics, and haven't had much luck.
Thanks for your time
Why are you SecretSquirrel01?
Maybe because he was faster than SecretSquirrel02?
jaclaz
\HKEY_LOCAL_MACHINE\SYSTEM\Setup\Source OS
There you should find all you need.
If it was a new install without formatting, mount the reg hives in C:\Windows.old and check the old install dates.
regards, Robin
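Added example, not part of any post in this thread: once InstallDate, InstallTime and ReleaseId have been exported from the current and the Windows.old SOFTWARE hives (Microsoft\Windows NT\CurrentVersion), this Python sketch decodes them and orders the installations. The labels and numbers are constructed sample data and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def from_unix(seconds):
    """InstallDate: REG_DWORD, seconds since 1970-01-01 UTC."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)

def from_filetime(ticks):
    """InstallTime: REG_QWORD FILETIME, 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def build_timeline(records):
    """records: (label, values) pairs. Returns rows sorted oldest first."""
    rows = []
    for label, v in records:
        installed = from_unix(v["InstallDate"])
        # Both values are expected to encode the same moment; a gap means the
        # pair came from different keys or the data needs a closer look.
        gap = abs(from_filetime(v["InstallTime"]) - installed)
        rows.append((installed, label, v["ReleaseId"], gap < timedelta(seconds=5)))
    return sorted(rows)

def same_release_reinstalls(timeline):
    """Consecutive installs that report the same ReleaseId, i.e. the OS was
    laid down again without moving to a newer feature release."""
    pairs = []
    for older, newer in zip(timeline, timeline[1:]):
        if older[2] == newer[2]:
            pairs.append((older[1], newer[1], newer[2]))
    return pairs

# Constructed sample values, not taken from any real image.
SAMPLE = [
    ("current SOFTWARE hive",
     {"InstallDate": 1530000000, "InstallTime": 131744736000000000, "ReleaseId": "1709"}),
    ("Windows.old SOFTWARE hive",
     {"InstallDate": 1510000000, "InstallTime": 131544736000000000, "ReleaseId": "1709"}),
]

if __name__ == "__main__":
    timeline = build_timeline(SAMPLE)
    for installed, label, release, ok in timeline:
        print(installed.isoformat(), label, release, "consistent" if ok else "MISMATCH")
    print(same_release_reinstalls(timeline))
```

The same decoding applies to the InstallDate values stored in any Source OS subkeys under SYSTEM\Setup; add them to the record list to extend the timeline.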
Or slower than SecretSquirrel?