Date a computer has been imaged or re-imaged?

Is there a way to determine the date a computer has been imaged or re-imaged?
ei00004Network AdministratorAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

bigbigpigCommented:
You can pull the Operating System install date from WMI.

In the \\root\cimv2 namespace look at the InstallDate from this query:

select * from Win32_OperatingSystem

Open in new window


You can run 'wbemtest' to test this query through the WMI Tester UI.
0
ei00004Network AdministratorAuthor Commented:
Gives me the O.S. name and drive partition installed on but not date drive was imaged. See attached.
wbemtest.bmp
0
ei00004Network AdministratorAuthor Commented:
Gives me the O.S. name and drive partition installed on but not date drive was imaged. See attached.
0
The Five Tenets of the Most Secure Backup

Data loss can hit a business in any number of ways. In reality, companies should expect to lose data at some point. The challenge is having a plan to recover from such an event.

BillBondoCommented:
I would think you only will see when machine was first started. Event viewer?
0
bigbigpigCommented:
Event Viewer has most likely overwritten that event.

From the screenshot you included double-click on that line, that should give you the properties.
0
bigbigpigCommented:
You could also run systeminfo at a command prompt and see.  It'll be at the top, so if it gets lost above the hotfix info then do 'systeminfo | more'.
0
David Johnson, CD, MVPOwnerCommented:
with powershell
PS G:\Documents\WindowsPowerShell\Scripts> gwmi win32_operatingsystem | select installdate | fl
installdate : 20130913083114.000000-240

you can use the -computername

S G:\Documents\WindowsPowerShell\Scripts> gwmi win32_operatingsystem -ComputerName . | select installdate | fl
for other computers
0
ei00004Network AdministratorAuthor Commented:
If you know what the event ID would be for system imaging or re-image then I can try to search for it. Some of these systems where image months or even years ago.

When I double-click on the query results I get tons of property information, but no image or re-imaging date.
0
ei00004Network AdministratorAuthor Commented:
I can run C:\> Systeminfo | find /i "install date" , but this gives me the date of the O.S. in the  image file that was installed on the computer, not the date the computer was imaged.
0
ei00004Network AdministratorAuthor Commented:
The Powershell command also give you the date of the O.S. in the  image file that was installed on the computer, not the date the computer was imaged.

PS G:\Documents\WindowsPowerShell\Scripts> gwmi win32_operatingsystem | select installdate | fl
0
ei00004Network AdministratorAuthor Commented:
Probably not going to be able to access this info from the O.S., since the entire O.S. itself has been over-written with a new image. I'm thinking that I'm going to need to get this information from the system bios or the hard drive controller. Something that is flagged or changed when the O.S. has been changed.
0
btanExec ConsultantCommented:
It will not be possible if the HDD is totally reformatted and clone back, assuming the formatting is not just quick format but a total completed formating and proper sector clean up prior to cloning...

Normally we need to find traces of such imaging or cloning. Traces of software pertaining to such imaging for enterprise rollout may help but not foolproof if this is standard image rollout for each machine and no uniqueness.  If the latter differ from the base gold image, we may say there is attempt or suspicion only.

if the imaging include windows restore points in MS windows, then we can check through the list - I understand Mandiant has retsore point tool to list out as forensic traces. Also provided those point are enabled. Expanding on it if HDD is attempted to be plugged externally to other system, and prompted to install a new driver for example, a graphics adapter, the restore point will tracked that driver installation. This may be symptoms or traces to delve deeper.

Or maybe activation of licence key online assuming there is some sort of OS GUID required that is unique of the OS and h/w. If it attempts and mentioned it does allow registration despite already done so in the past, will this be an alert as well...maybe

Just few cents
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
ei00004Network AdministratorAuthor Commented:
I think you are correct, the only way I can determine the date a computer was imaged or re-imaged is by using the catalog or reports from the computer that does the imaging. ie: Symantec Ghostcast Server or Fog imaging server.
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Desktops

From novice to tech pro — start learning today.