Saturday, June 8, 2019

Windows 10 Install Date - The Real One

When analyzing a Windows 10 system, the standard way (the well-known way for Windows 7/8/8.1) to get the install date of an MS Windows system does not work.

The well-known way for Windows 7/8/8.1


Normally I use two different ways:

1. On a running system I open a terminal (cmd or PowerShell).

Then I type in "systeminfo" and find the line "Install Date".
A one-liner in PowerShell would be:
systeminfo | sls "Install Date"

And the output is something like:
Original Install Date:     21/01/2019, 17:27:36

2. On a dead system I take a look in the registry for the install date.
Path: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate
Value is something like: 1548084456
This value is an epoch timestamp: the number of seconds since 1970/01/01 00:00 UTC. So the value means Mon, 21 Jan 2019 15:27:36 GMT.
You must be careful when comparing the two values because they are in different time zones: the registry value is in UTC, while systeminfo prints local time. Daylight saving time adds a further problem.
In my case I live in Germany, so I am in time zone UTC+1. This would mean that the PowerShell command should output the install date in UTC+1, because it is in January. But because at the moment I am writing this post I am in UTC+2 due to daylight saving time in Germany, the command outputs UTC+2 even though the event (the installation) happened in UTC+1. It is a bit odd, so be careful.

The way for Windows 10


Now, to come back to my original topic: the Windows 10 install date.
The thing is that the output above just shows the date of the last major update of my system. It could also be the original install date if there was no major update since the last install.

How to recognize this? The registry is our friend:
HKEY_LOCAL_MACHINE\SYSTEM\Setup\

If there are entries like "Source OS (Updated on xxxxxxxx)", your system has received a major update.
xxxxxxxx is the date of the update.
To get the original install date, you need to look at the oldest "Source OS (Updated on xxxxxxxx)" entry (the one with the oldest date). Under that oldest key you can find a property with the name "Install Date", which shows you the original install date.

This also works if you have upgraded, e.g., from Windows 8.1. You can find this entry for your original system and can find its install date.
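
As an added example (not code from the original post), the Python below applies the lookup to a text export from a dead system: it takes the oldest install timestamp found under the Source OS keys as the original install date and renders the post's 1548084456 in UTC, UTC+1 and UTC+2. The sample export, the key-name dates, the two older timestamps, the function names, and the assumption that the value under each Source OS key is named InstallDate (as under CurrentVersion) are all constructed for illustration.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample laid out like `reg query` text output. Key-name dates and
# the two older values are invented; 0x5c45e4e8 is the post's 1548084456.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion
    InstallDate    REG_DWORD    0x5c45e4e8

HKEY_LOCAL_MACHINE\SYSTEM\Setup\Source OS (Updated on 5/15/2018 12:00:00)
    InstallDate    REG_DWORD    0x59d35190

HKEY_LOCAL_MACHINE\SYSTEM\Setup\Source OS (Updated on 1/21/2019 17:27:36)
    InstallDate    REG_DWORD    0x5afaafa0
"""

CURRENT_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion"
SOURCE_PREFIX = r"SYSTEM\Setup\Source OS"
KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\(.+)$")
VAL_RE = re.compile(r"^\s+InstallDate\s+REG_DWORD\s+(\S+)$")

def parse_install_dates(text):
    """Map each key path in the export to its InstallDate (epoch seconds)."""
    dates, key = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        if m := KEY_RE.match(line):
            key = m.group(1)
        elif (m := VAL_RE.match(line)) and key:
            dates[key] = int(m.group(1), 0)  # accepts 0x... and decimal
    return dates

def install_dates(text):
    """Return (original, current) install timestamps as epoch seconds."""
    dates = parse_install_dates(text)
    current = dates.get(CURRENT_KEY)
    source = [v for k, v in dates.items() if k.startswith(SOURCE_PREFIX)]
    # No Source OS keys means no major update: current is the original.
    return (min(source) if source else current), current

def fmt(epoch, offset_hours=0):
    """Render an epoch value at a fixed UTC offset (0 = UTC)."""
    tz = timezone(timedelta(hours=offset_hours))
    return datetime.fromtimestamp(epoch, tz).isoformat()

if __name__ == "__main__":
    original, current = install_dates(SAMPLE)
    print("original install :", fmt(original))
    print("last major update:", fmt(current))
    print("UTC+1 / UTC+2    :", fmt(current, 1), "/", fmt(current, 2))
```

The UTC+2 rendering reproduces the 17:27:36 that systeminfo printed in the post, while UTC+1 is the offset that applied in Germany on the January date itself.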

Conclusion

When analyzing a Windows 10 system for the install date, one needs to look at HKEY_LOCAL_MACHINE\SYSTEM\Setup\ to see if there were any major updates.