Comments on digfor: Windows XP and Vista setupapi.log

Phil Rodokanakis, 2008-10-27 04:25 (+11:00)

Andre:

Thanks a million. That's exactly what I was looking for. Ironically, I had come across the Microsoft page you reference, but I didn't see anything useful there, as I completely missed the Word document that was available for download. I guess I should slow down and read things more carefully, instead of "scanning" a web page... (sad smile)

Now, if I can only find out the installation information for the device driver that was installed when a particular USB thumb drive was first connected to the system I'm examining...

eco, 2008-10-26 22:12 (+11:00)

I guess another way to read the log file is to open it in Notepad++ and select Language as C++ or something similar. This would present the data in a more readable format. One may also try to utilise "User Define Dialog" under the "View" option in Notepad++. This would allow setting syntax highlighting specifically for setupapi.dev.log files.

eco, 2008-10-26 12:36 (+11:00)

Phil,

Some time ago Microsoft published a document called "Debugging Device Installation in Windows Vista" that explains how to read the logs. Here is the link: http://www.microsoft.com/whdc/driver/install/diagnose.mspx

and below is the excerpt from this document. Hope this helps.

-----------------------------

Basic Structure of the SetupAPI logs

The logs are divided into individual sections, one per device install, as follows:

Log Header

>>> Section header
 Device Driver install section 1
<<< End Section

>>> Section header
 Device Driver install section 2
<<< End Section

>>> Section header
 Device Driver install section 3
<<< End Section

It is useful to search on “>>>” and “<<<” when looking for the beginning and end of a device install operation.

Basic Structure of a Log Section

Individual steps for install are shown in brackets, with indented details:

dvi: {Common Device Properties}
dvi: Provider name=Microsoft
dvi: DriverVersion=6.0.5340.0
dvi: Class name=FloppyDisk
dvi: Matching DeviceID=genfloppydisk
dvi: {Common Device Properties status SUCCESS}

inf: {INF Service Section [floppy_install.NT.Services]}
inf: AddService=flpydisk,2,flpy_SvcInstSection(flpydisk.inf line 57)
dvi: Add Service: Modified existing service 'flpydisk'.
inf: {INF Service Section [floppy_install.NT.Services] status SUCCESS}

Finding Install Attempts

Header/Footer show device instance ID and success/failure of install

>>> [Device Install (Hardware initiated) - UMB\UMB\1&841921d&0&TSBUS]
>>> 2006/03/14 14:49:04.554: Section start

< body of log data >

<<< 2006/03/14 14:49:07.223: Section end
<<< [Exit status: SUCCESS

Phil Rodokanakis, 2008-10-26 12:18 (+11:00)

Andre:

Thanks for the reply. I'm using EnCase and yes, I can "read" the entries in the log and see some dates. But they're not as clear as the old setupapi.logs were. For example, I can't tell where one log entry starts and where it ends.

Is there some kind of marker that marks the beginning of a new log entry?

I guess I'm going to have to print out a few pages and try to see if I can decipher any commonalities between the different entries.

eco, 2008-10-26 12:08 (+11:00)

Hi Phil,
I have accessed setupapi.dev.log and setup.app.log files with no problems and I can see the relevant entries like this: "Section start 2008/09/29 19:43:14.453 cmd: C:\Windows\system32\oobe\setup.exe"
I also used Helix v2 live CD to boot and accessed these logs in read-only mode and viewed these logs in a text editor (gedit). Vista Ultimate 64-bit is the operating system I can access right now and I can see the logs with no problems.
You can try two things:
1. Use LiveView and boot the operating system from the image and access the logs this way.
2. Try to mount your image with Mount Image Pro or Smart Mount on a Vista machine and see if you can see the dates in the logs.
Please let me know if these methods worked.

Phil Rodokanakis, 2008-10-26 09:22 (+11:00)

Thanks for the post, it was helpful in locating these files in Vista. However, the format of these logs has changed a lot from the setupapi.log under XP. Have you come across a viewer or other parsing tool that can read these? I can't even see the dates, so they are not pretty helpful in ascertaining when a device was first installed. Any ideas?
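Added example, not part of the original thread, of the Microsoft document eco quotes, or of any tool named above: a small Python parser for the section structure described in that excerpt (the ">>>" header and "<<<" footer markers, the section start/end timestamps and the "[Exit status: ...]" footer), plus a helper that answers Phil's follow-up question by reporting the earliest install section per device instance id. It accepts both timestamp placements seen in the thread ("Section start <timestamp>" and "<timestamp>: Section start"). The sample log embedded in the script is constructed: the USBSTOR device id, its timestamps and the failure status are made up, and the UMB id is the one from the quoted excerpt. Running the script with a path argument parses a copy of setupapi.dev.log exported from the image instead of the sample; reading it as UTF-8 with replacement is an assumption about the file's encoding.

```python
import re
import sys
from datetime import datetime
from typing import Dict, List, Optional

# Section header ">>>  [Device Install (Hardware initiated) - <device instance id>]";
# the " - <id>" part is optional because some section kinds carry no device id.
HEADER_RE = re.compile(r"^>>>\s+\[(?P<kind>.*?)(?: - (?P<device>.*))?\]\s*$")
TS_RE = re.compile(r"(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})")  # 2006/03/14 14:49:04.554
# Footer; the "]" is optional because the excerpt quoted in the thread is cut there.
EXIT_RE = re.compile(r"^<<<\s+\[Exit status:\s*(?P<status>[^\]]+?)\s*\]?\s*$")
# Indented "dvi:"/"inf:" detail lines of the form key=value, e.g. DriverVersion=6.0.5340.0
KV_RE = re.compile(r"^[!\s]*(?:dvi|inf):\s+(?P<key>[A-Za-z][A-Za-z ]*?)\s*=\s*(?P<value>.+?)\s*$")


def parse_timestamp(text: str) -> datetime:
    return datetime.strptime(text, "%Y/%m/%d %H:%M:%S.%f")


def parse_sections(log_text: str) -> List[Dict]:
    """Split setupapi.dev.log text into its >>> ... <<< sections (kind, device, start, end, status, properties)."""
    sections: List[Dict] = []
    current: Optional[Dict] = None
    for line in log_text.splitlines():
        if line.startswith(">>>"):
            m = HEADER_RE.match(line)
            if m:  # new section header
                current = {"kind": m.group("kind").strip(),
                           "device": (m.group("device") or "").strip(),
                           "start": None, "end": None, "status": None, "properties": {}}
                sections.append(current)
            elif current is not None and "Section start" in line:
                ts = TS_RE.search(line)
                if ts:
                    current["start"] = parse_timestamp(ts.group(1))
            continue
        if current is None:
            continue  # log header or text outside any section
        if line.startswith("<<<"):
            if "Section end" in line:
                ts = TS_RE.search(line)
                if ts:
                    current["end"] = parse_timestamp(ts.group(1))
            else:
                m = EXIT_RE.match(line)
                if m:
                    current["status"] = m.group("status")
                    current = None  # the exit footer closes the section
            continue
        m = KV_RE.match(line)
        if m:  # keep the first value seen for each key
            current["properties"].setdefault(m.group("key").strip(), m.group("value"))
    return sections


def first_seen(sections: List[Dict], id_prefix: str = "USBSTOR\\") -> Dict[str, datetime]:
    """Earliest section start per device instance id beginning with id_prefix:
    the first hardware-initiated install of a device is its 'first connected' time."""
    earliest: Dict[str, datetime] = {}
    for s in sections:
        dev = s["device"]
        if s["start"] is None or not dev.upper().startswith(id_prefix.upper()):
            continue
        if dev not in earliest or s["start"] < earliest[dev]:
            earliest[dev] = s["start"]
    return earliest


# Constructed sample in the Vista setupapi.dev.log layout: the USBSTOR id, timestamps and
# failure status are made up; the UMB id is the one from the Microsoft excerpt in the thread.
SAMPLE_LOG = r"""
[Device Install Log]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\0123456789&0]
>>>  Section start 2008/09/29 19:43:14.453
     dvi:                  DriverVersion=6.0.6001.18000
     dvi:                  Class name=DiskDrive
<<<  Section end 2008/09/29 19:43:15.011
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - UMB\UMB\1&841921d&0&TSBUS]
>>>  2008/09/29 19:50:01.100: Section start
     dvi:                  Class name=FloppyDisk
<<<  2008/09/29 19:50:03.250: Section end
<<<  [Exit status: SUCCESS]

>>>  [Device Install (Hardware initiated) - USBSTOR\Disk&Ven_Example&Prod_Flash&Rev_1.00\0123456789&0]
>>>  Section start 2008/10/02 08:12:33.900
!    dvi:                  No driver selected
<<<  Section end 2008/10/02 08:12:34.100
<<<  [Exit status: FAILURE(0xe0000203)]
"""

if __name__ == "__main__":  # optional argument: a copy of setupapi.dev.log exported from the image
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    secs = parse_sections(text)
    for s in secs:
        print(f"{s['start']}  {s['status']}  {s['device']}")
    for dev, ts in first_seen(secs).items():
        print(f"first seen {ts}: {dev}")
```

Because the parser keys on the ">>>"/"<<<" markers rather than on the indented detail lines, it tolerates the detail-line variation between log versions; the device id is read from the section header, which is the same field the excerpt above calls out for finding install attempts.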