-1

Can we find out whether our software has been copied in an OS image (Windows) and then deployed on another machine? The hardware details do change, but that may be due to a hardware upgrade or change.

Is there anything at the software level which indicates that the OS image has been installed?

P.S. The OS install date doesn't change after image deployment. It shows the date and time of the original OS installation, not that of the imaged one.

For example, I tried to detect this using service tag, UUID and OS install date changes. I thought the hardware and software details combined would result in correct detection. But the OS install date didn't change, and the hardware details changed or showed junk values during a hardware upgrade. My software will be installed in the OS. Then the OS will be imaged. I want to detect the imaged installation.

dodo
  • 1
    Do you mean a sysprep-based deployment? The computer SID changes, so you could detect that. – Harry Johnston Aug 15 '14 at 03:57
  • But I am looking at imaging and deployment through other tools, not just sysprep. Basically looking for some way to detect an imaged OS installation. – dodo Aug 15 '14 at 05:07
  • 1
    By definition, the only difference between "imaging" (in the broad sense) and "upgrading the hardware" (also in the broad sense) is that when imaging the operating system is moved to a different hard disk drive. So look for changes in the HDD serial number on the disk containing Windows. But typically either you don't really need to know (unless the SID has changed, perhaps) or certain kinds of false positives are OK. What are you actually trying to achieve? If this is just for licensing, there is wide consensus that you should either use the ethernet address or a dongle. – Harry Johnston Aug 15 '14 at 05:19
  • It is not for licensing. My software would be installed in Windows and then the OS will be imaged. This image will be deployed on 2 more machines. I am trying to make my software in the imaged installation detect that this is a new instance. As I said, I tried to use hardware details but they are inconsistent and give false positives. For example, in the case of a virtual machine I am getting the same value or junk for the hard disk serial number on all machines. – dodo Aug 15 '14 at 05:47
  • There is really no difference between the two methods of deployment, so detecting it doesn't make much sense. What difference should it make to your software whether it is a new installation of the operating system or a reimage? If you want to detect the first time your software is run, create a `FirstRun` file in the AppData directory on the first run, then check for that. – Cody Gray - on strike Aug 15 '14 at 06:01
  • 1
    I don't believe any answer is possible, at least without knowing *why* the software needs to know that it is a new instance. (Looking for changes in the MAC address would probably work reasonably well both for VMs and physical machines, but would of course be subject to occasional false positives. A typical solution to that problem would be for the system administrator to manually remove or merge the extraneous entries.) – Harry Johnston Aug 15 '14 at 06:02
  • @HarryJohnston But I want to automate this task. I'm trying to capture some trace of installation. For example, if my software is installed on the 14th of August, and on the 20th of August the OS image is taken along with my software and deployed on another physical or virtual machine. If I can detect that the OS has been installed after the 14th, I can automate my task. I would like to know if any such trace exists. – dodo Aug 15 '14 at 14:55
  • @CodyGray My software would be installed in an OS. After the OS is imaged and deployed there will be two copies of my software running, in the original and the imaged one. So I will have both copies reporting the same instance details to me. I want the software in the imaged one to report it as a new instance. The app data will also be copied in the imaged OS. And I am not clear about how it would help me. – dodo Aug 15 '14 at 15:00

2 Answers

1

If your software is connected to the Internet this is relatively easy to solve. You arrange to 'call home': send occasional packets to a known server address containing enough information to identify the instance.

For this purpose UDP packets serve quite well. You include information about the build of your software, the operating system it is running on, some simple hardware details such as how much memory and disk, the IP address and the MAC address. From the packets logged by your server you will easily be able to tell an original instance from a clone, or an original with updated hardware in almost every instance. You may also be able to obtain highly distinctive information by a detailed inspection of hardware if you have sufficient privilege.

Please note that Windows does exactly this. If an activated copy is found running on a machine that is sufficiently different then it must be re-activated. The definition of 'sufficiently different' is not made public.


Just to be clear, what I'm describing is a heuristic, not an algorithm. I'll assume the original installation creates a GUID, and that a clone carries the same GUID. When you receive packets from installations with the same GUID containing enough information, in practice you will be able to tell the original from the clone in virtually every case. Two clones may start identical but very soon something will diverge: a network IP address, disk free space, active devices.

This may not fill all the requirements of the original question but it will work (it already does) and it's better than nothing.

david.pfx
  • But why can't we detect the installation from within the machine? There has to be some sort of OS task done on installation, like creation of some repository or some log file related to the install, or an MBR change. I'm looking for any small change. – dodo Aug 15 '14 at 14:03
  • @user3480210: *what* installation? The only case in which there is an installation taking place is when you use sysprep, and you already know how to detect that. If you just clone the disks without using sysprep, Windows has no way to tell any more than your software does. – Harry Johnston Aug 15 '14 at 22:22
  • Consider in particular cloning a VM; the *only* difference between the clone and the original is that the clone has a different MAC address, etc. But that doesn't make it a clone; the same thing might happen, for example, if the VM is redeployed to a different virtual cluster. The *only* difference between "cloning to a different cluster" and "moving to a different cluster" is what the sysadmin is going to do in the future, so unless you've got a crystal ball, it is logically impossible to distinguish the two cases. – Harry Johnston Aug 15 '14 at 22:32
  • I meant the installation of the OS. The OS would have been installed, i.e. when the OS image is deployed. I would like to find some event or registry entry or log file denoting the same. – dodo Aug 16 '14 at 06:45
  • No, the OS is **not** installed when the OS image is deployed, unless the image was sysprepped. As already discussed, you can detect the deployment of a sysprepped image by the change in the computer SID. **If the image was not sysprepped then no installation takes place during deployment.** – Harry Johnston Aug 16 '14 at 23:35
1

Generate a GUID each time the computer boots, and include both the current GUID and the history of GUIDs previously generated each time you report to the server.

If a machine's report has a GUID missing, then you know the machine has been cloned and at least one new instance should be generated. You can determine when the cloning took place by looking for the last GUID that is remembered by both instances.

To determine which instance to consider "the same machine" as the original, if this matters, look for changes in the MAC address or computer name. If there is exactly one instance where neither of these have changed since the machine was cloned, that can be assumed to be the original. (If there are multiple instances with the same MAC address, something is badly wrong; bring it to the attention of the system administrators and let them sort it out.)

If none of the current instances has a matching MAC address and computer name, this might mean that the original machine has not been powered back up yet but will be eventually, or that it has been destroyed, or that it is permanently offline and only being used as a template. It could also mean that, by coincidence, the computer name and/or MAC address were changed after the machine was cloned but before the next report.

How best to deal with this depends on the context, but in most cases it would probably be sensible to show the original machine as a separate instance, even if you haven't had a report from it since the cloning took place, and let the system administrator manually delete it if appropriate.

Harry Johnston
  • Thanks for your reply. I have considered a similar solution. But I was looking for a solution based on an event which would denote that the OS has been installed recently. – dodo Aug 16 '14 at 06:46
  • In the general case, there is no such event. In fact, what you're asking for is logically impossible. Some specific technologies used for cloning can be detected, but the method depends on which technology you use. If you want a solution based on an event, you'll need to tell us how the clones are going to be made. – Harry Johnston Aug 16 '14 at 23:26
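
The server side of the boot-GUID scheme from the second answer, as an added example that is not code from either answerer. It assumes every client report carries the full ordered list of boot GUIDs plus the current MAC address and computer name, and that each boot reports at least once; the names `CloneTracker`, `report` and `original` are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class Instance:
    history: list   # boot GUIDs, oldest first; the last one is the current boot
    ident: tuple    # latest (mac, hostname) reported

def shared_prefix(a, b):
    n = 0
    while n < min(len(a), len(b)) and a[n] == b[n]:
        n += 1
    return n

class CloneTracker:
    def __init__(self):
        self.instances = []
        self.ident_at = {}  # boot GUID -> (mac, hostname) reported during that boot

    def report(self, history, mac, hostname):
        """Record one report; return (instance index, fork GUID or None)."""
        ident = (mac, hostname)
        self.ident_at.setdefault(history[-1], ident)
        fork = 0
        for i, inst in enumerate(self.instances):
            n = shared_prefix(inst.history, history)
            if n == len(inst.history):   # extends what we know: same instance
                inst.history, inst.ident = list(history), ident
                return i, None
            if n == len(history):        # delayed or replayed report: ignore
                return i, None
            fork = max(fork, n)
        # Diverges from every known history (or shares nothing): new instance.
        self.instances.append(Instance(list(history), ident))
        return len(self.instances) - 1, (history[fork - 1] if fork else None)

    def original(self, fork_guid):
        """The single instance whose MAC and name are unchanged since the fork."""
        want = self.ident_at.get(fork_guid)
        hits = [i for i, inst in enumerate(self.instances)
                if fork_guid in inst.history and inst.ident == want]
        return hits[0] if len(hits) == 1 else None

def demo():
    # Constructed reports: short labels stand in for real GUIDs and MACs.
    t = CloneTracker()
    t.report(["g1", "g2"], "aa", "pc1")                  # original, second boot
    t.report(["g1", "g2", "g3"], "aa", "pc1")            # original reboots
    clone = t.report(["g1", "g2", "c1"], "bb", "pc1")    # image booted elsewhere
    return clone, t.original("g2")
```

`original` returns `None` when zero or several instances still match the pre-fork MAC and name, which are the cases the answer leaves to the system administrator.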