Solved

Date a computer has been imaged or re-imaged?

Posted on 2014-02-26
15
2,343 Views
Last Modified: 2014-03-10
Is there a way to determine the date a computer has been imaged or re-imaged?
0
Comment
Question by:ei00004
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
15 Comments
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39890051
You can pull the Operating System install date from WMI.

In the \\root\cimv2 namespace look at the InstallDate from this query:

select * from Win32_OperatingSystem

Open in new window


You can run 'wbemtest' to test this query through the WMI Tester UI.
0
 

Author Comment

by:ei00004
ID: 39890172
Gives me the O.S. name and drive partition installed on but not date drive was imaged. See attached.
wbemtest.bmp
0
 

Author Comment

by:ei00004
ID: 39890174
Gives me the O.S. name and drive partition installed on but not date drive was imaged. See attached.
0
Is Your DevOps Pipeline Leaking?

Is your CI/CD pipeline a hodge-podge of randomly connected tools? You’ve likely got a tool to fix one problem & then a different tool to fix another, resulting in a cluster of tools with overlapping functionality. Learn how to optimize your pipeline with Gartner's recommendations

 
LVL 11

Expert Comment

by:BillBondo
ID: 39890205
I would think you only will see when machine was first started. Event viewer?
0
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39890220
Event Viewer has most likely overwritten that event.

From the screenshot you included double-click on that line, that should give you the properties.
0
 
LVL 10

Expert Comment

by:bigbigpig
ID: 39890272
You could also run systeminfo at a command prompt and see.  It'll be at the top, so if it gets lost above the hotfix info then do 'systeminfo | more'.
0
 
LVL 81

Expert Comment

by:David Johnson, CD, MVP
ID: 39890283
with powershell
PS G:\Documents\WindowsPowerShell\Scripts> gwmi win32_operatingsystem | select installdate | fl
installdate : 20130913083114.000000-240

you can use the -computername

S G:\Documents\WindowsPowerShell\Scripts> gwmi win32_operatingsystem -ComputerName . | select installdate | fl
for other computers
0
 

Author Comment

by:ei00004
ID: 39890304
If you know what the event ID would be for system imaging or re-image then I can try to search for it. Some of these systems where image months or even years ago.

When I double-click on the query results I get tons of property information, but no image or re-imaging date.
0
 

Author Comment

by:ei00004
ID: 39890322
I can run C:\> Systeminfo | find /i "install date" , but this gives me the date of the O.S. in the  image file that was installed on the computer, not the date the computer was imaged.
0
 

Author Comment

by:ei00004
ID: 39890352
The Powershell command also give you the date of the O.S. in the  image file that was installed on the computer, not the date the computer was imaged.

PS G:\Documents\WindowsPowerShell\Scripts> gwmi win32_operatingsystem | select installdate | fl
0
 

Author Comment

by:ei00004
ID: 39893196
Probably not going to be able to access this info from the O.S., since the entire O.S. itself has been over-written with a new image. I'm thinking that I'm going to need to get this information from the system bios or the hard drive controller. Something that is flagged or changed when the O.S. has been changed.
0
 
LVL 64

Accepted Solution

by:
btan earned 500 total points
ID: 39917334
It will not be possible if the HDD is totally reformatted and clone back, assuming the formatting is not just quick format but a total completed formating and proper sector clean up prior to cloning...

Normally we need to find traces of such imaging or cloning. Traces of software pertaining to such imaging for enterprise rollout may help but not foolproof if this is standard image rollout for each machine and no uniqueness.  If the latter differ from the base gold image, we may say there is attempt or suspicion only.

if the imaging include windows restore points in MS windows, then we can check through the list - I understand Mandiant has retsore point tool to list out as forensic traces. Also provided those point are enabled. Expanding on it if HDD is attempted to be plugged externally to other system, and prompted to install a new driver for example, a graphics adapter, the restore point will tracked that driver installation. This may be symptoms or traces to delve deeper.

Or maybe activation of licence key online assuming there is some sort of OS GUID required that is unique of the OS and h/w. If it attempts and mentioned it does allow registration despite already done so in the past, will this be an alert as well...maybe

Just few cents
0
 

Author Closing Comment

by:ei00004
ID: 39917488
I think you are correct, the only way I can determine the date a computer was imaged or re-imaged is by using the catalog or reports from the computer that does the imaging. ie: Symantec Ghostcast Server or Fog imaging server.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A quick guide on how to use Group Policy to create a custom power plan and set it active on Windows 7.
This article provides a convenient collection of links to Microsoft provided Security Patches for operating systems that have reached their End of Life support cycle. Included operating systems covered by this article are Windows XP,  Windows Server…
This Micro Tutorial will teach you how to change your appearance and customize your Windows 7 interface to your unique preference. This will be demonstrated using Windows 7 operating system.
Finding and deleting duplicate (picture) files can be a time consuming task. My wife and I, our three kids and their families all share one dilemma: Managing our pictures. Between desktops, laptops, phones, tablets, and cameras; over the last decade…

705 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question