Mark, I have asked the same sort of question recently and got the following replies, hope this helps: Reply One: There are several places that contain files with the date time of the install. One place overlooked is in the Windows directory, where the install creates a number of .ini files for several programs, especially progman.ini, winfile.ini, telephon.ini, winmod32.ini. Also check for the files pidgen.dll, hidci.dll and setver.exe, which carry the date stamp of the time of the install. These are actually used during by the initial install process to verify product identification. These are little known files to most people, and are not generally altered or removed. Other files, which are often removed/deleted are the *.--- files, *.old files, etc. There is also a registry key in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion named FirstInstallDateTime, however it is a binary data key, and not easily read by the casual user. Add to this the usual cautions about assumptions...that the system clock on the PC is correct, and has not been changed since the install, and that the user has not used other utilities to rename/redate files on the system... Reply Two: In Windows 85/98/ME look at the following registry key ****************************************************** Software\Microsoft\Windows\CurrentVersion\FirstInstallDateTime There you will find the hex values which denote the date and time - the date/time is recorded in MS-DOS date format. In Windows NT/2K/XP look in *************************** HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate There you will find the hex values which denote the date and time - the date/time is recorded in UNIX format. Reply Three: Just an aside regarding your identification of the Windows' installation date from the entries in the registry. I have seen where re-installing Windows from the System Restore CDs (that many computers are shipped with) does not update the installation date. Rather, the "installation date" in the registry is really only the date when the installation of Windows took place in the factory, before being copied onto hard disks rolling down the assembly line. -- Regards, Anthony Harris 62 Northumberland Road, Tel: +44 (0)20 8449 1383 New Barnet, Fax: +44 (0)20 8447 3138 Hertfordshire, EN5 1EE (UK) "Make it idiot-proof and someone will build a better idiot" 'The truth is out there ...' PGP key available ... ----------------------------------------------------------------- This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Mon Sep 09 2002 - 06:48:00 PDT