How to detect reimaged (sysprepped) OS?
Has anyone the knowledge how Microsoft may detect a reimaged OEM version?
Registry entries, files on filesystem (logs etc.) or other hidden places?
Look for setupact.log and setuperr.log files under the following paths:
Additional log from this post: https://forums.fogproject.org/post/96860
But now, I know all sysprep logs … :
setupact.log in Windows folder
setupact.log in Windows\Panther folder
setupact.log in Windows\Panther\unattendGC folder
setupapt.dev in Windows\inf
setupapt.offline in Windows\inf
setuperr in Windows\Panther …
Sysprep places the date and time the image was prepared for duplication in the key HKEY_LOCAL_MACHINE\System\Setup\CloneTag.
Look in the HKEY_LOCAL_MACHINE\System\Setup registry key for a cmdline that reads Setup -newsetup -mini. This places GUI-mode Setup in the Mini-wizard phase.
Check for an HKEY_LOCAL_MACHINE\System\Setup\OemDuplicatorString value. This is added using an answer file (Sysprep.inf) for the Mini-Setup Wizard.
Check for the existence of Setupcl.exe. This is the file that changes the Security IDs (SIDs) on the system. Look in the %SystemRoot%\System32 folder for this file.
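
The registry and file checks listed in this thread, gathered into one read-only PowerShell function. This is an added example, not code from any poster in the thread; the function name Get-SysprepIndicator and its output columns are made up here for illustration.

```powershell
# Added example: collects the sysprep indicators named in this thread.
# Read-only. Get-SysprepIndicator is a hypothetical helper name.
function Get-SysprepIndicator {
    [CmdletBinding()]
    param(
        # Windows directory to inspect; pass a mounted image's Windows folder for the file checks.
        [string]$SystemRoot = $env:SystemRoot
    )

    $setupKey = 'HKLM:\SYSTEM\Setup'
    $props = Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue

    # Registry values under HKEY_LOCAL_MACHINE\System\Setup.
    foreach ($name in 'CloneTag', 'CmdLine', 'OemDuplicatorString') {
        $value = if ($props) { $props.$name } else { $null }
        $text  = ($value -join ' ')   # CloneTag may be multi-string
        $hit   = if ($name -eq 'CmdLine') {
            # Only the Mini-Setup command line counts as an indicator.
            $text -match '-newsetup\s+-mini'
        } else {
            -not [string]::IsNullOrWhiteSpace($text)
        }
        [pscustomobject]@{ Type = 'Registry'; Item = "$setupKey\$name"; Found = $hit; Detail = $text }
    }

    # Log files and Setupcl.exe, relative to the Windows directory.
    $relativePaths = @(
        'setupact.log',
        'Panther\setupact.log',
        'Panther\setuperr.log',
        'Panther\unattendGC\setupact.log',
        'System32\Setupcl.exe'
    )
    foreach ($rel in $relativePaths) {
        $path = Join-Path $SystemRoot $rel
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $detail = if ($item) {
            'LastWriteTime={0:s} Length={1}' -f $item.LastWriteTime, $item.Length
        } else { '' }
        [pscustomobject]@{ Type = 'File'; Item = $path; Found = [bool]$item; Detail = $detail }
    }
}

Get-SysprepIndicator | Format-Table -AutoSize
```

No single row is conclusive on its own; compare the log timestamps in the Detail column with the CloneTag date before drawing a conclusion.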