Get the ORIGINAL install date Windows 10
When analysing a Windows system one wants to know when the system was installed on the machine. Unfortunately with Windows 10 the output from most Software and commands aren't correct anymore.
On my private computer the output of the command "systeminfo" for the original install date is:
With the command "wmic os get installdate" the output is:
I can also take a look directly into the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion:
Value: 0x5aeb2d93 or 1525362067
The value is an epoch stamp in seconds from 1st January 1970, so it means Thu 3 May 2018 15:41:07 UTC
So all three methods give me the same date and time for installation. But this is definitely not correct, my computer was last installed in 2016 as far as I remember correctly.
With Windows 10 the frequent feature updates change the installation date. So I know that on 3 May 2018 the Windows 10 Version 1803 was installed on my computer. Before this I had installed Version 1709.
So how to find the correct install date? -> The registry is your friend.
Windows stores information about every feature update. Also about the upgrade from Windows 7 or 8/8.1 to Windows 10.
In the registry under HKEY_LOCAL_MACHINE\SYSTEM\Setup you can find the necessary information.
In my case I can find the following:
So you can see that there were updates on five different dates. If I want to find the original install date I need to take a look into the earliest update, in my case the one from 2/17/2016.
For the install date I get the following then.
Value: 0x56a40b48 or 1453591368
This means the original install date is Sat 23 January 2016 23:22:48 UTC. That fits my memory for my system.
Also you can find out from what version the system came from:
In my case I have not upgraded from Windows 7 or 8/8.1, so the value shows Windows 10 Pro. Otherwise the name "ProductName" on the earliest key would be Windows 7 or Windows 8 etc.
The registry is your friend. Just look into HKEY_LOCAL_MACHINE\SYSTEM\Setup and there the earliest "Source OS"-key the find the original install date and the original installed Windows version.
And just to mention it:
Currently the output of the forensic software I use isn't correct for the installation date.
The time I wrote this entry I used the follwoing software and versions:
- Magnet Forensics Internet Evidence Finder 6.15 - does show the install date of the last feature update
- Access Data Forensic Toolkit (FTK) 6.4 - does show the install date of the last feature update
- X-Ways Forensics 19.5 (At least in the Registry Report the Update Keys are mentioned, you just need to know what do they mean). So the interpretation of the values and keys is your responsibility