Chris_Ed wrote:
First question that springs to mind - what's the installation date of the OS? If it's significantly different to 24th March then it would more strongly suggest some kind of "log removal" has gone on. Doesn't necessarily indicate foul play, but..
Here's what's at the top of the setupapi.dev.log file:
[Device Install Log]
OS Version = 6.1.7601
Service Pack = 1.0
Suite = 0x0100
ProductType = 1
Architecture = amd64
[BeginLog]
[Boot Session: 2014/03/23 19:28:39.637]
>>> [Device Install (Hardware initiated) - USB\VID_090C&PID_1000\1710110000089628]
>>> Section start 2014/03/24 08:11:53.546
Here's the top of setupapi.app.log:
[Device Install Log]
OS Version = 6.1.7601
Service Pack = 1.0
Suite = 0x0100
ProductType = 1
Architecture = amd64
[BeginLog]
[Boot Session: 2014/03/19 17:45:10.125]
And the top of setupapi.offline.log:
[Device Install Log]
OS Version = 5.2.3790
Service Pack = 2.0
Suite = 0x0112
ProductType = 3
Architecture = amd64
[BeginLog]
[Boot Session: 2010/11/20 22:06:47.598]
I need to understand more about what the dates in these files really mean. In our org, systems are installed from an image.
Chris_Ed wrote:
Does Win7 "Disk Cleanup" count it as something to wipe? It does have a tickbox for "setup log files", although I'm not sure if setupapi counts as a "setup log file" per se.
Just ran it on my system (same version of Win7), with directory listings of C:\Windows before and after (with /s parameter), then compared, only two missing files in second listing are:
c:\windows\setupact.log
c:\windows\setuperr.log
And there's a new one in the second listing:
c:\windows\Logs\CBS\DeepClean.log
HTH
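As an added example (not part of the original post), a Python parser that pulls the header fields, boot sessions and section start times out of a setupapi log, so the earliest entry can be set against the OS installation date asked about above. The sample input is the setupapi.dev.log excerpt from the post; the function and key names are assumptions of this example.

```python
import re
from datetime import datetime

# Sample input: the setupapi.dev.log excerpt quoted in the post above.
SAMPLE_DEV_LOG = r"""[Device Install Log]
OS Version = 6.1.7601
Service Pack = 1.0
Suite = 0x0100
ProductType = 1
Architecture = amd64
[BeginLog]
[Boot Session: 2014/03/23 19:28:39.637]
>>>  [Device Install (Hardware initiated) - USB\VID_090C&PID_1000\1710110000089628]
>>>  Section start 2014/03/24 08:11:53.546
"""

TS = r"(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d{3})"
HEADER_RE = re.compile(r"^\s*([\w ]+?)\s*=\s*(\S+)\s*$")
BOOT_RE = re.compile(r"^\s*\[Boot Session: " + TS + r"\]")
TITLE_RE = re.compile(r"^>>>\s+\[(.+)\]\s*$")
START_RE = re.compile(r"^>>>\s+Section start " + TS)

def parse_ts(value):
    # Naive datetime: the log line carries no time zone, so none is assumed.
    return datetime.strptime(value, "%Y/%m/%d %H:%M:%S.%f")

def summarize_setupapi(text):
    """Return header fields, boot sessions, section starts and the earliest timestamp."""
    header, boots, sections = {}, [], []
    in_header, title = True, None
    for line in text.splitlines():
        if line.strip() == "[BeginLog]":
            in_header = False          # key = value pairs only count before this marker
        elif in_header and (m := HEADER_RE.match(line)):
            header[m.group(1)] = m.group(2)
        elif m := BOOT_RE.match(line):
            boots.append(parse_ts(m.group(1)))
        elif m := START_RE.match(line):
            sections.append((title, parse_ts(m.group(1))))
            title = None
        elif m := TITLE_RE.match(line):
            title = m.group(1)         # remembered until its "Section start" line
    stamps = boots + [start for _, start in sections]
    return {"header": header, "boot_sessions": boots, "sections": sections,
            "earliest": min(stamps) if stamps else None}

if __name__ == "__main__":
    info = summarize_setupapi(SAMPLE_DEV_LOG)
    print(info["header"].get("OS Version"), "earliest entry:", info["earliest"])
    for name, start in info["sections"]:
        print(start, name)
```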