Question How To Date Lifespan of a Windows PC?

[Circa 3000]

Hi all,

I have several complete archives from computers I've used over the last couple decades and, for clarity, need to establish when those PCs were used, cradle-to-grave. Windows versions are Windows NT, Windows 2000, Windows XP, and Windows 7. Unfortunately, I didn't use XCOPY to preserve timestamps, so file creation and modification dates are unreliable. And, I'm guessing most Windows logfiles roll over, and probably aren't readable from my current Windows 10 machine anyways.

Surely, there's an ASCII log somewhere that can tell us when Windows was installed? And another to tell us when it was last shut down?

Any assistance is appreciated.

 

[USAFRet]

If you didn't capture that info as time went on, I don't think you can do it retroactively.

And Service Packs (Win7/Vista/XP) are mostly a whole OS reinstall.


Struggling to find the need and use case for this info.

 

[hotaru.hino]

At least for NTFS, there's a volume creation time stamp. But if the OS was installed/reinstalled, that likely got wiped.

 

[Circa 3000]

At least for NTFS, there's a volume creation time stamp. But if the OS was installed/reinstalled, that likely got wiped.

The OS was not reinstalled, per se, but unfortunately, these are backups - not the original hard drives - so yeah, I'm guessing any NTFS metadata was lost.

And Service Packs (Win7/Vista/XP) are mostly a whole OS reinstall.

I didn't realize that. Bummer!

But I still I find it hard to believe there isn't a single file anywhere on a Windows system that is written during install and promptly orphaned. I mean, Microsoft just isn't that meticulous. 😊

Struggling to find the need and use case for this info.

Call it "forensics." It's rare, but every now and then, I must locate a document or date an event from my distant (cough!) past. From memory, I can usually narrow things down to within a year or two, but then I'm staring at a dozen undated system backups. Knowing when each system was in service would be a huge time saver. Admittedly, 'twas not good planning on my part. Thank goodness, it's only happened a few times, but when it does, it's a painful chore.

If there isn't a better solution, I'll just have to bite the bullet and make a general determination from doc modification dates. Ugh.

Thank you, all, for your assistance.

 

[gamerk316]

Stupid idea: Update History? Should be able to get the dates of all installed updates, which should at least give you a ballpark figure.

 

[USAFRet]

Stupid idea: Update History? Should be able to get the dates of all installed updates, which should at least give you a ballpark figure.

Checking my system just now...
Oldest entry in Update history is June 17, 2020

The last actual full OS install was 2017, at the latest. It has been in 24/7 operation since.

 

[Grobe]

If one computer have had it's harddrive since it was brand new, you should be able to grab the hdd s.m.a.r.t. data and at least will be able to see the total hours count, and also the number of power-on.

 

[USAFRet]

If one computer have had it's harddrive since it was brand new, you should be able to grab the hdd s.m.a.r.t. data and at least will be able to see the total hours count, and also the number of power-on.

True, but a drive is not "the PC".

This goes back to - "This is my favorite axe. I've replaced the handle 3 times, and the head twice."
New or same?

Drive POH may be an indication, but nowhere near any forensic investigation.
Currently in my NAS...NAS first stood up in 2017, reconfigured a couple of times since.
On that NAS, there are personal files from Sept 1999.

This, the EXIF from a jpg that lives on the NAS. Has moved through at least half a dozen systems.

 

[Grobe]

This, the EXIF from a jpg that lives on the NAS. Has moved through at least half a dozen systems.

True. If there is a majority of the files that have file stamps as part of the file content itself, there might be a way.

• JPG files (and several other multimedia formats) have exif data or similar, and there are several programs that are able to batch change file modification date so it fits with the exif data. I'd personally use XnView MP for this purpose.
• Files already packed into a zip/7z/rar archive does have the modification date intact (not affected by moving the container file or date tags of container file as long as the container file isn't corrupted).

 

[punkncat]

I think Grobe may be onto something. For instance if the archive backed up user/documents or downloads those would have date info. Should possibly have a package from the initial driver installer .zip, etc and then would like be guessing on the back side of use. This would be, of course, dependent on your not needing that space and leaving such files intact as you updated over the years.

 

[USAFRet]

Right.

There are ways to maybe/probably determine the provenance and original date of a particular file.

There is not a way to retroactively determine the original install date of a particular OS. Unless you did something to capture that date at inception.


I have a Win 10 Pro installed in a VM.
Unactivated, just to test what happens with this over time.
First installed Dec 8 2016, never reinstalled since.
Just the regular WIn 10 updates.

There is a folder within Windows, labeled "CSC" which contains that same Date Modified.
Every other folder in the Windows tree is 2018 or later.

In "ProgramData", the 'Comms' folder has a Modified date of July 16 2016. Not possible.

 

[Circa 3000]

Thanks for your suggestions, everyone!

Here's what I've discovered so far:

File Modification Dates are mostly unreliable because there's no telling whether or not a doc was modified on the computer it presently resides on. For example, most of the docs on my current computer predate it by many years.

On the other hand, file Creation Dates are telling because they're updated when we copy our docs from one (old) computer to the next. As such, a preponderance of matching Creation Dates suggests when the computer was initialized or, at least, when the user got around to copying over all of his/her docs from a previous computer.

Unfortunately, my "backups" are straight file copies (sorta stupid, I know) and all the Creation Dates got overwritten yet again.

On the bright side, these standard Windows directories have proven to be helpful:

• C:\Users\<username>\Desktop
• C:\Users\<username>\Downloads

[Older Windows versions put these directories in slightly different places.]

Desktop is great, because it reveals when the shortcuts for your favorite applications were installed. Typically, there's a preponderance of matching Modification Dates that coincide with the setup of the new computer. Determining EOL is a bit less definite, but usually accurate to within a month or two and can be verified against the Modification Date of other docs, now that we know what timeframe we're dealing with. Downloads is almost as reliable, but only if you haven't emptied it. In my experience, the range of Downloads dates fits neatly within the Desktop dates, plus or minus only a month or two, which is solid validation, and close enough for my purposes.

In a pinch, DirectX.log has been helpful. It shows every time DirectX was installed and updated. And, like Downloads, I discovered a surprising number of Temp directories that were never cleaned out. 😊 Talk about rewarding bad behavior.

I can't help but believe there are some popular applications (e.g., web browsers) with useful logfiles or other timestamps, but so far, I haven't found any. If you find any, please share!

I hope this is helpful.

Thanks again!

 

[USAFRet]

Further on this...

I have a brand new Win 11 install. 11 Oct 2011.
From a Win 11 USB created yesterday, 11 Oct 2021.

Only 2 aftermarket applications installed, Speccy and Macrium Reflect.


Looking through the C drive, In the Windows folder, I see subfolders with a Modified date of June 5 2021, Sept 13 2021....
Multiple others from Oct 11, 2021.

The June 5 2021 date is long before Win 11 was available anywhere outside of the internal Microsoft dev environment, and long before my USB was created with the official MCT on Oct 11.


So...2 years from now, what date should one look at to determine the original date of this OS and system?
June 5
Sept 13
Oct 11 (actual date when this system was stood up)

The Users subfolder might be the place you want to look.
The first account created will (probably) have a Date Modified value of when the OS was installed.
Of course, a subsequent Admin account could have deleted that original account, invalidating that Date thing.

 

[Circa 3000]

Yeah, that's what I've noticed too and all but given up on folders. Their Modification Dates blow with the wind and with inconsistent results. For example, copy a folder full of subfolders to your NAS and 90% will update their Modification Dates while the rest don't. Do it again, and a different selection of folders will do the same thing. Ghost in the machine?

And I have an active discussion on the Synology forums about this very topic - why are folder dates lost when uploading with XCOPY or ROBOCOPY to a NAS drive with all the proper 'preserve file/folder metadata' options? [A: It's apparently cuz the NAS is running BTFS - not NTFS - and that's what happens when you go from one OS to another. No workaround either, apparently.]

What you're seeing on your clean install of Win 11 isn't new - it reminds me of the old days when Microsoft stamped every OS file with a matching Modification Date (regardless of when the files were actually installed). It was sorta nice cuz you could instantly tell which files were hands-off, while AUTOEXEC.BAT, CONFIG.SYS, WIN.INI, etc., were obvious candidates for manual tweaking. "Let's make a 10 Mb RAM Drive! Cool!!!"

You might be onto something with the Users subdirectory. Unfortunately, all of my folder timestamps were overwritten by my XOPY "backup," but there's also this:

1. In \Users\<username>\, there's an NTUSER.DAT file whose Modified Date appears to be the last day the system was used (just a few days after the EOL date I had previously assumed)
2. There's also an NTUSER.DAT.LOG1 file (256KB) with the same Modified Date as NTUSER.DAT
3. There's also an NTUSER.DAT.LOG2 file (0 KB) with, surprisingly, a Modified Date that exactly matches the 'Birthday' I had previously determined from files in the Users\<username>\Desktop folder

Good find!

 

[Ralston18]

Perhaps Powershell:

https://shellgeek.com/powershell-how-to-get-file-creation-date/

https://www.pdq.com/blog/using-get-childitem-find-files/

Likely any number of caveats involved. However no harm, I think, in giving the "Get"s a try.

 

[rtp]

Have you been using the same web browser since the install? Is it Firefox by any chance? If you click "Help > More Troubleshooting Information" you can scroll down to "Profile folder" and see where your user profile is. FYI, it's C:\Users\username\AppData\Roaming\Mozilla\Firefox\Profiles\anIDstring. For some reason, mine has both "blah.default-release" and "blah.release" and I don't know which is which and right now I don't care. Mine both have the same creation date and it makes sense. (If you have uninstalled and reinstalled this may still help if it began with the same old profile.)

I imagine many other browsers do the same thing.