Hi, hope someone can shed some light. Got a laptop with XP Pro SP3 to look at.
Setupapi.log is there in the usual place, plus setupapi.log.0.old - no surprises so far. There are no other .old files
However, dates on the files confuse me. I had understood that the .0.old files got created automatically when setupapi.log got to a certain size, at which point a new setupapi.log file was created.
So I'd assumed that the created date on setupapi.log would be somewhere around the last modified date on the setupapi.log.0.old file. Can't test the theory on my system as I'm on W7 and the image I have of my old system doesn't extend to any .0.old files.
But the dates on the files I'm looking at don't look like this at all. The .0.old file has created and modified dates within 2 days of each other in Jan 2009, setupapi.log was created 17th Sep 2011.
There's evidence of CCleaner having been run 15th Sep 2011 (and several times since Oct 2009) so I'm wondering if, in the absence of any other bright ideas (of which I currently have none) CCleaner's the answer. I know there's an option in CCleaner to delete Windows log files and have seen setupapi.log go missing before, but I don't recall coming across an old .0.log (or .1 or .2) after CCleaner's done its stuff.
Any thoughts?
Hi Cults,
Has the machine been reimaged restoring the old setupapi.log files back to an earlier period?
Richard
Hi Richard, I considered that but it appears to me that if that had happened then either the current setupapi.log would show more setup history than it does (only 60K worth which starts with and most of which appears to be around repeated attempts to install a RealTek Wireless adaptor, starting on Saturday 17th Sep) or there would be a more recent .old file.
Also (a) there's nothing to indicate re-imaging on our service desk ticketing system, (b) I can't ask the user 'cos he's no longer with us and (c) difficult to track down relevant IT people as the ex-user was a Grad on 6-month rotation in different continents.
I will check with all IT Depts though.
Cheers
Tried undelete/carving for files?
MDCR - I've imaged in FTKI and processed in FTK 3.4 in Field Mode which usually shows up at least some stuff.
Actually, now you mention it, I have indexed the image (just in case, did it overnight) so a string search for the stuff you usually see at the top of setupapi might help.
Thanks
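The string search suggested above, sketched as an added example that is not part of the thread: it scans a raw buffer for setupapi.log headers and dated section lines, then reports the first and last entry per recovered fragment so they can be compared with the file system created/modified dates. The `[SetupAPI Log]` header and the `[YYYY/MM/DD HH:MM:SS pid.seq label]` section format are assumptions about the XP log layout, the function names are hypothetical, and the sample bytes are constructed.

```python
import re
from datetime import datetime

# Assumed XP layout: file starts with "[SetupAPI Log]"; each section opens with
# "[YYYY/MM/DD HH:MM:SS pid.seq optional label]". Verify against a known-good log.
HEADER = re.compile(rb"\[SetupAPI Log\]")
SECTION = re.compile(
    rb"\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \d+\.\d+(?: [^\]\r\n]*)?\]")

def scan(data):
    """Return (header offsets, [(offset, timestamp)]) found in a raw buffer."""
    headers = [m.start() for m in HEADER.finditer(data)]
    sections = []
    for m in SECTION.finditer(data):
        try:
            ts = datetime.strptime(m.group(1).decode("ascii"), "%Y/%m/%d %H:%M:%S")
        except ValueError:
            continue  # digits in the right shape but not a real date: carving noise
        sections.append((m.start(), ts))
    return headers, sections

def spans(headers, sections):
    """Map each header offset to (first, last, count) of the sections after it.
    Nearest preceding header is a heuristic; fragmented data can break it.
    Key -1 collects orphaned sections whose header was not recovered."""
    grouped = {}
    for off, ts in sections:
        owner = max((h for h in headers if h < off), default=-1)
        grouped.setdefault(owner, []).append(ts)
    return {h: (min(t), max(t), len(t)) for h, t in grouped.items()}

# Constructed sample standing in for unallocated space: one orphaned section,
# an older log fragment, filler bytes, then a freshly started log.
SAMPLE = (
    b"[2008/11/03 08:00:00 400.1 Driver Install]\r\n" + b"\x00" * 16
    + b"[SetupAPI Log]\r\nOS Version = 5.1.2600 Service Pack 3\r\n"
    + b"[2009/01/12 09:15:02 820.3 Driver Install]\r\n"
    + b"[2009/01/14 16:40:55 1104.7]\r\n" + b"\xff" * 32
    + b"[SetupAPI Log]\r\n"
    + b"[2011/09/17 10:02:41 1520.2 Driver Install]\r\n"
    + b"[2011/09/17 10:09:13 1520.9 Driver Install]\r\n"
)

if __name__ == "__main__":
    hdrs, secs = scan(SAMPLE)
    for off, (first, last, n) in sorted(spans(hdrs, secs).items()):
        print(off, first, last, n)
```

A recovered fragment whose last entry falls between the .0.old modified date and the current log's created date would point to a deleted intermediate log rather than a re-image.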