How to detect reimaged (sysprepped) OS?
-
Hi,
Does anyone know how Microsoft may detect a reimaged OEM version?
Registry entries, files on the filesystem (logs etc.) or other hidden places?
Regards X23
-
Sysprep places the date and time the image was prepared for duplication in the key HKEY_LOCAL_MACHINE\System\Setup\CloneTag.
Look in the HKEY_LOCAL_MACHINE\System\Setup registry key for a cmdline that reads Setup -newsetup -mini. This places GUI-mode Setup in the Mini-wizard phase.
Check for an HKEY_LOCAL_MACHINE\System\SetupOemDuplicatorString value. This is added using an answer file (Sysprep.inf) for the Mini-Setup Wizard.
Check for the existence of Setupcl.exe. This is the file that changes the Security IDs (SIDs) on the system. Look in the %SystemRoot%\System32 folder for this file.
-
Look for setupact.log and setuperr.log files under the following paths:
C:\Windows\Panther
C:\Windows\Panther\UnattendGC
C:\Windows\System32\sysprep\Panther
Additional log from this post: https://forums.fogproject.org/post/96860
But now, I know all sysprep logs … :
cbs.log
setup.etl
session.xml
setupact.log in Windows folder
setupact.log in Windows\Panther folder
setupact.log in Windows\Panther\unattendGC folder
setupapt.dev in Windows\inf
setupapt.offline in Windows\inf
setuperr in Windows\Panther …
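
The checks described in the replies above, gathered into one read-only PowerShell script. This is an added example, not part of any post in the thread; the parameter name `-WindowsDir` and the helper `Add-Finding` are made up for illustration, and the script assumes it runs with rights to read HKLM and the Windows folder.

```powershell
# Added example: collects the sysprep indicators named in this thread.
# -WindowsDir defaults to the live system; pass the Windows folder of a
# mounted image to check the file artifacts offline.
param([string]$WindowsDir = $env:SystemRoot)

$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding($Artifact, $Detail) {
    $findings.Add([pscustomobject]@{ Artifact = $Artifact; Detail = $Detail })
}

# Registry values under HKLM\System\Setup (only meaningful for the running OS).
if ($WindowsDir -eq $env:SystemRoot) {
    $setup = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup' -ErrorAction SilentlyContinue
    if ($setup) {
        if ($null -ne $setup.CloneTag) {
            Add-Finding 'Setup\CloneTag' ($setup.CloneTag -join ' ')
        }
        if ($setup.CmdLine -match '-mini') {
            Add-Finding 'Setup\CmdLine' $setup.CmdLine
        }
    }
}

# setupact.log / setuperr.log in the three Panther locations from the thread,
# plus Setupcl.exe in System32.
$logDirs = 'Panther', 'Panther\UnattendGC', 'System32\sysprep\Panther'
$files = foreach ($dir in $logDirs) {
    foreach ($name in 'setupact.log', 'setuperr.log') {
        Join-Path (Join-Path $WindowsDir $dir) $name
    }
}
$files += Join-Path $WindowsDir 'System32\Setupcl.exe'

foreach ($path in $files) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $item = Get-Item -LiteralPath $path -Force
        Add-Finding $path ('modified {0:u}, {1} bytes' -f $item.LastWriteTimeUtc, $item.Length)
    }
}

if ($findings.Count -eq 0) {
    'None of the sysprep artifacts listed in the thread were found.'
} else {
    $findings | Sort-Object Artifact | Format-Table -AutoSize -Wrap
}
```

The logs in C:\Windows\Panther are also written by an ordinary Windows Setup, so the useful signal there is the timestamp compared with the expected install date rather than the file's presence.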