How to get device installation date?

Hi,

is there a reliable way to find out, when a device and/or a driver has been installed on a system? Should work XP+,…

TIA

K.

xxxxx@arcor.de wrote:

> is there a reliable way to find out, when a device and/or a driver has been installed on a system? Should work XP+,…

Not in the general case, no. If you can find the INF file in
\Windows\INF, there will be a file with a PNF file. That file is
created when the INF is installed, and every time the INF changes, so
its date could be useful. However, the PNFs are volatile – you can
erase them all, and the system will just recreate them. Most users
don’t do that, of course.

If the installation was recent enough, you can look in the setup log
(\windows\setupapi.log in XP, \windows\inf\setupapi.dev.log in Vista+).


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.
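
An added example, not part of the original thread: a small parser that pulls device-install sections and their start times out of a Vista+ `setupapi.dev.log`. The log text below is constructed, the function names are hypothetical, and the section markers (`>>>  [Device Install (...) - <instance ID>]`, `Section start`, `Exit status`) are assumed to follow the usual layout of that file.

```python
import re
from datetime import datetime

# Constructed sample in the setupapi.dev.log (Vista+) section layout; not from a real system.
SAMPLE_LOG = """\
>>>  [Device Install (Hardware initiated) - USB\\VID_1234&PID_5678\\0001]
>>>  Section start 2011/10/05 12:34:56.789
     dvi: Selected driver installs from section [Example_Install] in 'oem12.inf'.
<<<  Section end 2011/10/05 12:35:01.123
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USB\\VID_1234&PID_5678\\0001]
>>>  Section start 2011/11/20 08:00:00.000
<<<  Section end 2011/11/20 08:00:02.500
<<<  [Exit status: SUCCESS]

>>>  [Device Install (DiInstallDevice) - PCI\\VEN_ABCD&DEV_0001\\3&11]
>>>  Section start 2011/10/07 09:15:30.250
<<<  [Exit status: FAILURE(0xe0000219)]
"""

HEADER = re.compile(r"^>>>\s+\[Device Install \([^)]*\) - (?P<dev>.+)\]\s*$")
START = re.compile(r"^>>>\s+Section start (?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})")
STATUS = re.compile(r"^<<<\s+\[Exit status: (?P<status>[^\]]+)\]")

def parse_device_installs(text):
    """Return one {device, start, status} dict per Device Install section."""
    sections, cur = [], None
    for line in text.splitlines():
        if re.match(r">>>\s+\[", line):  # any section header closes a truncated one
            m = HEADER.match(line)
            cur = {"device": m["dev"], "start": None, "status": None} if m else None
            if cur:
                sections.append(cur)
        elif cur is not None and (m := START.match(line)):
            cur["start"] = datetime.strptime(m["ts"], "%Y/%m/%d %H:%M:%S.%f")
        elif cur is not None and (m := STATUS.match(line)):
            cur["status"] = m["status"]
            cur = None
    return sections

def earliest_successful_install(text):
    """Map device instance ID -> earliest logged successful install (log-local time)."""
    first = {}
    for s in parse_device_installs(text):
        if s["status"] == "SUCCESS" and s["start"] is not None:
            dev = s["device"].upper()
            first[dev] = min(first.get(dev, s["start"]), s["start"])
    return first
```

Because the log can be rotated or deleted, the earliest entry only shows that the device was installed no later than that time; a missing entry proves nothing.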

Thanks Tim,…

Too bad there is no registry information related to the creation date of the keys. The only thing you can query is the last access/change information but this is not really helpful here…this would be a pretty reliable way to query that kind of information,…

best

K.

wrote in message news:xxxxx@ntdev…
> Hi,
>
> is there a reliable way to find out, when a device and/or a driver has
> been installed on a system? Should work XP+,…
>

By parsing setupapi* logs. (also have a look at Win8 preview, it has some
interesting innovations in device properties).
– pa

Hi Pavel,

> By parsing setupapi* logs.

if they still exist on the system! Like the *.PNF files they can be deleted without any trace.

> also have a look at Win8 preview, it has some interesting innovations in device properties

BTW: Win8 64 Prev,…never again, until it’s “safe”. I accessed an NTFS partition from a live system and for whatever reason it corrupted (after working with it for some days) the complete FS in a way it could not be repaired or read from anymore. Don’t ask me how this happened, because I can’t tell you. Even the $MFT + Backup had been destroyed and the drive content (fortunately a full backup was available) could not be recovered. At first I thought some hard error, but after a full scan and SMART info, the drive was in 100% health state. So I came to the conclusion that it was done by Win8, because it happened a second time on a different drive! Win8 (64-Bit),…DevPrev was a BAD experience for me!

Yes, i have seen them, the new tab with the events, but where is it documented?

Thanks for the info,…

K.

In user space, there is RegEnumKeyEx, which returns the date the key was
last written. Presumably if you write a key during installation, say
InstallDate, which is never read or updated (and whose value is
irrelevant, but might be the text form of a timestamp, which could be
localized, since it would not be used), then you should be able to find
that out. I have not looked to see if there is a kernel equivalent of
this functionality. Perhaps other keys which you set at installation and
which should never be modified could serve this purpose as well.

joe

> Thanks Tim,…
>
> Too bad there is no registry information related to the creation date of
> the keys. The only thing you can query is the last access/change
> information but this is not really helpful here…this would be a pretty
> reliable way to query that kind of information,…
>
> best
>
> K.

wrote in message news:xxxxx@ntdev…
> Hi Pavel,
>
>> By parsing setupapi* logs.
>
> if they still exist on the system! Like the *.PNF files they can be
> deleted without any trace.

Back them up or protect, if they are valuable for you, like any other
valuable file.

>>also have a look at Win8 preview, it has some interesting innovations in
>>device properties
>
> BTW: Win8 64 Prev,…never again, until it’s “safe”. I accessed an NTFS
> partition from a live system and for whatever reason it corrupted (after
> working with it for some days) the complete FS in a way it could not be
> repaired or read from anymore. Don’t ask me how this happened, because I
> can’t tell you. Even the $MFT + Backup had been destroyed and the drive
> content (fortunately a full backup was available) could not be recovered.
> At first I thought some hard error, but after a full scan and SMART info,
> the drive was in 100% health state. So I came to the conclusion that it was
> done by Win8, because it happened a second time on a different drive!
> Win8 (64-Bit),…DevPrev was a BAD experience for me!

This happened to me too: I wanted to try the native USB3 and connected a
bootable XP disk to “win8” over USB3 adapter.
It worked nice, but then I’ve plugged it back to SATA and could not boot off
it, the XP partition looked as corrupt.
In Win7 WinPE this partition would not mount too.
Then connected it to another Win7 x64 machine over sata - and suddenly it
recognized this partition and all data was intact.
(not tried to make it bootable again yet, though)

Regards,
– pa

@ Joe - Yes, this was also my first attempt, but I need to find the “real” creation date of the key or any data that gives me the information. Well, I will finally use a combination of all the possible solutions to make it as reliable as possible. But I know that there will be a chance to get false information. The systems I am examining are not created/installed by me, so I don’t have a chance to filter or monitor anything.

best

K.

> This happened to me too:

@ Pavel - What could have done this? Possibly the NTFS driver or any other driver accessing the device?