
How to detect reimaged (sysprepped) OS?

  • X
    x23piracy
    last edited by x23piracy Jun 21, 2017, 7:52 AM Jun 21, 2017, 1:52 PM

    Hi,

    Does anyone have knowledge of how Microsoft may detect a reimaged OEM version?
    Registry entries, files on the filesystem (logs etc.) or other hidden places?

    Regards X23

    • X
      x23piracy
      last edited by x23piracy Jun 21, 2017, 8:54 AM Jun 21, 2017, 2:50 PM

      http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/AdminTips/Applications/IdentifysystemsclonedwiththeSyspreputility.html

      https://social.technet.microsoft.com/Forums/windows/en-US/b942a34d-c4a7-489c-bb01-45dd65fa9b20/setuptype-and-cmdline-at-hkeylocalmachinesystemsetup?forum=itproxpsp

      Sysprep places the date and time the image was prepared for duplication in the key HKEY_LOCAL_MACHINE\System\Setup\CloneTag.

      Look in the HKEY_LOCAL_MACHINE\System\Setup registry key for a cmdline that reads Setup -newsetup -mini. This places GUI-mode Setup in the Mini-wizard phase.

      Check for an HKEY_LOCAL_MACHINE\System\Setup\OemDuplicatorString value. This is added using an answer file (Sysprep.inf) for the Mini-Setup Wizard.

      Check for the existence of Setupcl.exe. This is the file that changes the Security IDs (SIDs) on the system. Look in the %SystemRoot%\System32 folder for this file.

      • X
        x23piracy
        last edited by Jun 21, 2017, 3:43 PM

        Look for setupact.log and setuperr.log files under the following paths:

        C:\Windows\Panther
        C:\Windows\Panther\UnattendGC
        C:\Windows\System32\sysprep\Panther

        Additional log from this post: https://forums.fogproject.org/post/96860

        But now, I know all sysprep logs … :

        cbs.log
        setup.etl
        session.xml
        setupact.log in Windows folder
        setupact.log in Windows\Panther folder
        setupact.log in Windows\Panther\unattendGC folder
        setupapi.dev in Windows\inf
        setupapi.offline in Windows\inf
        setuperr in Windows\Panther …

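The registry values and file locations listed in the posts above can be collected in one pass for triage or forensic review. This is an added example, not code from the thread or from the FOG Project; `Get-SysprepIndicator` is a hypothetical helper name, and the script only reads the locations the posts name.

```powershell
# Added example: Get-SysprepIndicator is a hypothetical helper name.
function Get-SysprepIndicator {
    param([string]$SystemRoot = $env:SystemRoot)

    $setupKey = 'HKLM:\SYSTEM\Setup'
    $results  = New-Object 'System.Collections.Generic.List[object]'

    # Registry values under HKEY_LOCAL_MACHINE\System\Setup named in the posts.
    $props = Get-ItemProperty -Path $setupKey -ErrorAction SilentlyContinue
    foreach ($name in 'CloneTag', 'CmdLine', 'OemDuplicatorString') {
        $value  = if ($props) { $props.$name } else { $null }
        $detail = (@($value) -join ' ').Trim()   # CloneTag may be multi-string
        # CmdLine only counts when it reads "Setup -newsetup -mini".
        $present = if ($name -eq 'CmdLine') {
            $detail -match '-newsetup\s+-mini'
        } else {
            $detail -ne ''
        }
        $results.Add([pscustomobject]@{
            Type     = 'Registry'
            Location = "$setupKey\$name"
            Present  = $present
            Detail   = $detail
        })
    }

    # setupcl.exe plus the setupact.log / setuperr.log folders from the posts.
    $paths = @(Join-Path $SystemRoot 'System32\setupcl.exe')
    foreach ($dir in 'Panther', 'Panther\UnattendGC', 'System32\sysprep\Panther') {
        foreach ($log in 'setupact.log', 'setuperr.log') {
            $paths += Join-Path $SystemRoot "$dir\$log"
        }
    }
    foreach ($path in $paths) {
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        $results.Add([pscustomobject]@{
            Type     = 'File'
            Location = $path
            Present  = $null -ne $item
            Detail   = if ($item) { 'LastWriteTime ' + $item.LastWriteTime.ToString('s') } else { '' }
        })
    }
    $results
}

Get-SysprepIndicator | Format-Table -AutoSize
```

Treat the output as leads to correlate, for example the CloneTag date against the log file times, rather than as proof from any single row.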
        Copyright © 2012-2024 FOG Project