1

Are there any ways to reliably determine that a Windows laptop has been booted for the first time?

I do no trust the system log, and so am hoping there may be certain files or other data (or an absence of), that would reliably serve as evidence the machine has not been booted in any way previously.

edit for clarification purposes

Thanks for replying everyone. Apologies for late response (lack of mobile data).

Basically, I am in a tricky scenario. I fear someone malicious I lived with may have tampered with a laptop I have bought. I fear they may have infected the machine with a spyware worm/ virus/ malware - after it had been unboxed as new and before ( I ) turned it on for the first time (about two weeks had passed in this time). I fear it may have been turned on by this person, such that the machine may have started up and reached the ‘setup/ install process’ [pease see (1) for an attempt at a description, to define what I mean by this state].

The laptop came “with Windows 10 already on the machine” - it did not come with any disks, I did not buy Windows 10 separately, so I expect this means it is (in some sense) “preinstalled” - I assume since Windows started up something (please see (1)) - I assume the os was already present in full, the file system also must have been already present - and thus, crucially, though the desktop wasn’t reached until (1) had been completed, and the system (if it had been turned on by the malicious attacker) wold have presented only the ‘setup process’ (1), —> I assume the OS and file system was installed, established and running at this time - such that if a USB stick with malware able to infect (after just insertion into USB port) —> would take hold - just as it would, if it were inserted after (1) - after the first user account had been setup and it were in a state such that the desktop were visible.

Thus by this I mean, I assume the OS would be as susceptible to malware when turned on for the first time at reaching (1), as when (1) were completed and the system was in the state such that the desktop were visible - since, in response to the request for clarification, I assume (1) would describe a fully installed (but not ‘setup’) OS. - and thus my question relates to whether from this state (1), there are any signs I may be able to look for that would reliably indicate whether the system had been powered up and reached (1) before I had myself done so.

This is because it would allow me to eliminate the feared usb insertion as a possibility, if I could tell for certain that it had not started up to reach (1) before I had.

(1) - By “setup” or “install” I am trying to describing the state the machine arrived at after being switched on (for the first time - i hope ). Since “install” and “setup” are very specific terms, rather than try to name the process I am describing, I thought perhaps I should describe the experience to identify it. Please find below:

After the power button being pressed I was presented with some combination of (I think from what I recall) a HP logo and a circular wait cursor for a restively short time. Following this I was asked to respond to a short series questions relating to things such as: what data Cortana might send to Microsoft, whether I wish for my location data to be made available to applications, whether I would like to send data to receive more targeted tips and adverts, accepting licence conditions etc; before progressing to take the details to set up my user account: username, password, password recovery questions.

Following supplying the previous a short amount of time passed before the desktop was presented for the first time and it seemed the process had completed.

I did not think this resembled “installation” as I would imagine it - no references to partitioning was made; no references to the configuration of a file system were made; in fact there was no technical in the entire process. Furthermore the whole process seemed to be too quick for a full install (especially considering it has a hard disk rather than a SSD) - which together leads me to suspect that the file system must have been mostly already in existence and OS image must have been complete and operational.

Thus where I refer to a ‘setup process’, I am intending to describe the above.

(Additionally, this crucially leads me to suspect the OS was already in a condition ready and able to be infected with a malware program.)

CompCat
  • 379
  • 3
  • 6
  • To clarify, when I say booted, I mean switched on as an unboxed laptop and reached the beginning of the “setup” process. Also, by setup process, I mean where Windows asks you for the privacy settings and requires you to provide your account name, password and 3 question recovery questions, before reaching the desktop for the first time. – CompCat May 21 '19 at 18:07
  • 1
    Additional clarification would help I think. Windows can be installed any number of times from media on a given device to an out-of-box state and a running image of Windows can be `sysprep`'ed back to OOB. – Steve May 21 '19 at 18:22
  • There is nothing to tell you that the hardware has never been booted before. Windows can be installed any number of times. Who are you concerned about booting it up? The manufacturer? – schroeder May 21 '19 at 19:50
  • @CompCat If all of your questions here are about this single concern, then trying to delve into what could have happened is not going to be helpful. Just format and reinstall Windows. This is what you need to do: https://security.stackexchange.com/questions/138606/help-my-home-pc-has-been-infected-by-a-virus-what-do-i-do-now – schroeder May 22 '19 at 16:30

1 Answers1

0

Given the edit--

What you're describing is called the Windows Out-of-Box-Experience (OOBE). The device manufacturer installed Windows on your machine and left it in a state that is basically post-file copy, pre-personalization. This is by design so users don't have to mess with the technical goop of figuring out where things should be installed.

With that said, your fear cannot easily be validated. If an attacker has access to the machine they can walk it through OOBE, install stuff, and then do a sysprep which reset's the machine so the next boot takes you through OOBE again -- this is what manufacturers do and it's how they get their custom apps on the machine out of the box.

If you're genuinely concerned someone did this to you there's no good way to check because this entire process assumes some level of trust about who controls the device before personalization. So given that, if you still don't trust the machine you need to wipe it and install the OS from scratch.

Steve
  • 15,215
  • 3
  • 38
  • 66
  • Much appreciated. It’s just I have reason to believe the attack (if it occurred) would be in the form of a previously used malware program, which if it were the same program (and I strongly believe it would be), would not involve in its actions an attempt to reset the machine so the next boot would take me through OOBE again, through say a sysrep. It had previously been used on the desktop of a previous machine and gave no indication. – CompCat May 22 '19 at 16:37
  • In such a case, if I could rule out the possibility of the malware returning the machine to OOBE, might there be any clues as to whether the machine had been switched on before, reaching (what I think I understood to be) the personalisation stage? – CompCat May 22 '19 at 16:42
  • Not conclusively. Any runtime data will be wiped so as to make it look new, and any malware that's smart enough to embed itself can modify the data. – Steve May 22 '19 at 16:57
  • I see. It’s just in this scenario the malware was not intended to infect at OOBE, rather to infect a system already established (rather than considering specifically a system at OOBE). I expect it to cover its tracks, but I wouldn’t expect this particular program to disguise system startup and shutdown and any artefacts associated with that. In that light might there be scope? – CompCat May 22 '19 at 19:27
  • That's impossible to answer without a forensic analysis of the machine. – Steve May 22 '19 at 23:12