Windows Installation Date/Time Stamp

(@davidkoepi)
Active Member
Joined: 15 years ago
Posts: 9
Topic starter  

I was told the best way to determine the date/time for Windows installation is to look at the creation date for $MFT.

I ran a test on one of the lab machines. The creation date of $MFT is 9 Nov 09. However, I ran the "systeminfo" command and it showed 5 Aug 10. (5 Aug 10 was the actual date that Windows 7 was installed on the system).

Can I know if anyone has encountered the same problem?


   
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

I was told the best way to determine the date/time for Windows installation is to look at the creation date for $MFT.

I ran a test on one of the lab machines. The creation date of $MFT is 9 Nov 09. However, I ran the "systeminfo" command and it showed 5 Aug 10. (5 Aug 10 was the actual date that Windows 7 was installed on the system).

Can I know if anyone has encountered the same problem?

Rest assured that anyone that has formatted an NTFS partition on 9 Nov 2009 and LATER installed to it Windows 7, on the 05 Aug 2010, would presumably encounter the same problem. ;)

jaclaz


   
(@Anonymous 6593)
Guest
Joined: 17 years ago
Posts: 1158
 

I was told the best way to determine the date/time for Windows installation is to look at the creation date for $MFT.

Considering that there are Windows installations running on FAT32, I'm not sure that's perfectly correct. But assuming NTFS …

All that really tells you is when the $MFT was created, i.e. typically when the volume was reformatted. Then you must argue some connection with that event and an installation.

A couple of questions: What happens if you install Windows on a disk where there already is an established NTFS file system? Or, what happens if you upgrade, say, Windows 2000 on NTFS to XP? Is the file system recreated, or just reused?

Or … if you work in a corporate environment, you may find that all client systems are installed by writing a master disk image to the client disk. Then, all the creation date tells you is when the master installation was done. And, in one interpretation, that *is* the date Windows was installed – just not on that particular client.

It's not quite as clear-cut as it seems.

The data you mention is (I'm guessing) probably taken from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

As that key purports to state installation date, I should count that as somewhat stronger evidence than the creation date of $MFT which necessarily must be more indirect. Even so, it probably relies on the accuracy of the system time.


   
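The two sources compared in this thread can be checked side by side. The following is an added example, not part of any post and not code from RegRipper or EnCase: it reads the creation FILETIME from the $STANDARD_INFORMATION attribute of an exported $MFT record 0 and decodes InstallDate, which is stored as a REG_DWORD of seconds since 1970-01-01 UTC. The function names, the one-day tolerance and the sample record (the thread's two dates at midnight UTC) are assumptions made for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME: 100 ns ticks since here

def filetime_to_dt(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def mft_creation_time(record):
    """Creation time from $STANDARD_INFORMATION (type 0x10) of an MFT FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]       # offset of first attribute
    while off + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:              # end marker / corrupt length
            break
        if atype == 0x10 and record[off + 8] == 0:        # resident attribute
            content = off + struct.unpack_from("<H", record, off + 0x14)[0]
            return filetime_to_dt(struct.unpack_from("<Q", record, content)[0])
        off += alen
    raise ValueError("no resident $STANDARD_INFORMATION attribute")

def install_date_to_dt(dword):
    # InstallDate is a REG_DWORD holding seconds since 1970-01-01 UTC
    return datetime.fromtimestamp(dword, tz=timezone.utc)

def compare_sources(record, install_dword, tolerance=timedelta(days=1)):
    mft, inst = mft_creation_time(record), install_date_to_dt(install_dword)
    gap = inst - mft
    if gap > tolerance:       # tolerance is an assumed threshold, not a standard
        note = "volume existed before this installation"
    elif gap < -tolerance:
        note = "InstallDate predates the volume; check imaging and clock"
    else:
        note = "sources agree within tolerance"
    return {"mft_created": mft, "install_date": inst, "gap_days": gap.days, "note": note}

def build_sample_record(created):
    # Constructed test input: minimal FILE record with one $STANDARD_INFORMATION
    ft = int((created - FILETIME_EPOCH).total_seconds()) * 10_000_000
    si = struct.pack("<IIBBHHHIHBB", 0x10, 0x18 + 48, 0, 0, 0, 0, 0, 48, 0x18, 0, 0)
    si += struct.pack("<4Q", ft, ft, ft, ft) + bytes(16)
    header = b"FILE" + bytes(0x10) + struct.pack("<H", 0x38) + bytes(0x38 - 0x16)
    return header + si + struct.pack("<I", 0xFFFFFFFF)

if __name__ == "__main__":  # thread's dates; midnight UTC is constructed
    print(compare_sources(build_sample_record(datetime(2009, 11, 9, tzinfo=timezone.utc)),
                          int(datetime(2010, 8, 5, tzinfo=timezone.utc).timestamp())))
```

Both values inherit whatever the system clock said when they were written, so agreement between them corroborates a date but does not prove it.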
(@davidkoepi)
Active Member
Joined: 15 years ago
Posts: 9
Topic starter  

The data you mention is (I'm guessing) probably taken from
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate

As that key purports to state installation date, I should count that as somewhat stronger evidence than the creation date of $MFT which necessarily must be more indirect. Even so, it probably relies on the accuracy of the system time.

Thank You, I found the correct date/time stamp from the registry key!


   
(@douglasbrush)
Prominent Member
Joined: 16 years ago
Posts: 812
 

RegRipper works very well for this. I run that against the EnCase Initialize Case to have at least two sources.


   