Windows System Software -- Consulting, Training, Development -- Unique Expertise, Guaranteed Results

Before Posting...
Please check out the Community Guidelines in the Announcements and Administration Category.

How to get device installation date?

OSR_Community_UserOSR_Community_User Member Posts: 110,217
Hi,

is there a reliable way to find out, when a device and/or a driver has been installed on a system? Should work XP+,...


TIA

K.

Comments

  • Tim_RobertsTim_Roberts Member - All Emails Posts: 13,200
    [email protected] wrote:
    > is there a reliable way to find out, when a device and/or a driver has been installed on a system? Should work XP+,...

    Not in the general case, no. If you can find the INF file in
    \Windows\INF, there will be a file with a PNF file. That file is
    created when the INF is installed, and every time the INF changes, so
    it's date could be useful. However, the PNFs are volatile -- you can
    erase them all, and the system will just recreate them. Most users
    don't do that, of course.

    If the installation was recent enough, you can look in setup log
    (\windows\setupapi.log in XP, \windows\inf\setupapi.dev.log in Vista+).

    --
    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

    Tim Roberts, [email protected]
    Providenza & Boekelheide, Inc.

  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Thanks Tim,...

    Too bad there is no registry information related to the creation date of the keys. The only thing you can query is the last access/change information but this is not really helpful here...this would be a pretty reliable way to query that kind of information,...

    best

    K.
  • Pavel_APavel_A Member Posts: 2,691
    <[email protected]> wrote in message news:[email protected]
    > Hi,
    >
    > is there a reliable way to find out, when a device and/or a driver has
    > been installed on a system? Should work XP+,...
    >

    By parsing setupapi* logs. (also have a look at Win8 preview, it has some
    interesting innovations in device properties).
    -- pa
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    Hi Pavel,

    > By parsing setupapi* logs.

    if they still exist on the system! Like the *.PNF files they can be deleted witjout any trace.

    >also have a look at Win8 preview, it has some interesting innovations in device properties

    BTW: Win8 64 Prev,...never again, until its "safe". I accessed a NTFS partiton from a live system and for whatever reason it corrupted (after working with it for some days) the complete FS in a way it could not be repaired or read from anymore. Dont ask me how this happended, because i cant tell you. Even the $MFT + Backup had been destroyed and the drive comtent (fortunately a full backup was available) could not be recovered. At first i thoiugth some hard error, but after a full scan and SMART info, the drive was in 100% health state. So i cam to the conclusion that it was done by Win8, because it happended a second time on a different drive! Win8 (64-Bit),...DevPrev was a BAD experience for me!

    Yes, i have seen them, the new tab with the events, but where is it documented?

    Thanks for the info,...

    K.
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    In user space, there is RegEnumKeyEx, which returns the date the key was
    last written. Presumably if you write a key during installation, say
    InstallDate, which is never read or updated (and whose value is
    irrelevant, but might be the text form of a timestamp, which could be
    localized, since it would not be used), then you should be able to find
    that out. I have not looked to see if there is a kernel equivalent of
    this functionality. Perhaps other keys which you set at installation and
    which should never be modified could serve this purpose as well.

    joe


    > Thanks Tim,...
    >
    > Too bad there is no registry information related to the creation date of
    > the keys. The only thing you can query is the last access/change
    > information but this is not really helpful here...this would be a pretty
    > reliable way to query that kind of information,...
    >
    > best
    >
    > K.
    >
    >
    > ---
    > NTDEV is sponsored by OSR
    >
    > For our schedule of WDF, WDM, debugging and other seminars visit:
    > http://www.osr.com/seminars
    >
    > To unsubscribe, visit the List Server section of OSR Online at
    > http://www.osronline.com/page.cfm?name=ListServer
    >
  • Pavel_APavel_A Member Posts: 2,691
    <[email protected]> wrote in message news:[email protected]
    > Hi Pavel,
    >
    >> By parsing setupapi* logs.
    >
    > if they still exist on the system! Like the *.PNF files they can be
    > deleted witjout any trace.

    Back them up or protect, if they are valuable for you, like any other
    valuable file.

    >>also have a look at Win8 preview, it has some interesting innovations in
    >>device properties
    >
    > BTW: Win8 64 Prev,...never again, until its "safe". I accessed a NTFS
    > partiton from a live system and for whatever reason it corrupted (after
    > working with it for some days) the complete FS in a way it could not be
    > repaired or read from anymore. Dont ask me how this happended, because i
    > cant tell you. Even the $MFT + Backup had been destroyed and the drive
    > comtent (fortunately a full backup was available) could not be recovered.
    > At first i thoiugth some hard error, but after a full scan and SMART info,
    > the drive was in 100% health state. So i cam to the conclusion that it was
    > done by Win8, because it happended a second time on a different drive!
    > Win8 (64-Bit),...DevPrev was a BAD experience for me!

    This happened to me too: I wanted to try the native USB3 and connected a
    bootable XP disk to "win8" over USB3 adapter.
    It worked nice, but then I've plugged it back to SATA and could not boot off
    it, the XP partition looked as corrupt.
    In Win7 WinPE this partition would not mount too.
    Then connected it to another Win7 x64 machine over sata - and suddenly it
    recognized this partition and all data was intact.
    (not tried to make it bootable again yet, though)

    Regards,
    -- pa
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    @ Joe - Yes, this was also my first attempt, but i need to find the "real" creation date of the key or any data that gives me the information. Well, i will finalyl use a combination of all the possible solutions to make it as reliable as possible. But i know that there will be a chance to get false information. The systems i am examining are not created/installed by me, so i dont have achance to filter or monitor anything.

    best

    K.
  • OSR_Community_UserOSR_Community_User Member Posts: 110,217
    > This happened to me too:

    @ Pavel - What could have done this? Possibly the NTFS driver or any other driver accessing the device?
Sign In or Register to comment.

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Upcoming OSR Seminars
Writing WDF Drivers 21 Oct 2019 OSR Seminar Space & ONLINE
Internals & Software Drivers 18 Nov 2019 Dulles, VA
Kernel Debugging 30 Mar 2020 OSR Seminar Space
Developing Minifilters 27 Apr 2020 OSR Seminar Space & ONLINE