RE: Checking when the OS was first installed

[<Salvador.Manaois () infineon com>]

A malicious hacker could easily "touch" these system files to change
their timestamps. If the computer is a member of the domain, there is
information on the computer account's oject properties that describes
when the computer account was created (either pre-created by an
administrator prior to the actual installation, or was created during
the actual installation of OS on the computer itself). 

...badz...

rants: http://www.rancidroot.blogspot.com

-----Original Message-----
From: Hostas.lt [mailto:klientai () hostas lt] 
Sent: Tuesday, May 31, 2005 9:24 PM
To: security-basics () securityfocus com
Subject: Re: Checking when the OS was first installed


> On 2005-05-29 Lubrano di Ciccone, Christophe (DEF) wrote:
> > The date of the boot.ini file or the winnt folder (%systemroot%) may 
> > help you.
>
> Maybe, but since it's the configuration file for the bootloader, it is

> prone to changes, so this seems very unreliable to me.
>
> Regards
> Ansgar Wiechers
> --
> "All vulnerabilities deserve a public fear period prior to patches 
> becoming available." --Jason Coombs on Bugtraq

There are system.sav and software.sav files in Windows\System32\Config 
which are
dated the system installation time.