Costa said:
Hello reader.
Could you please tell me whether it's possible, and how, to check through XP
if RAM was removed from my PC, what date it was removed?
I handed my PC to a computer shop and I noticed a week later that 256 MB of
RAM was missing.
I would like to know if XP would have logged or recorded the change somewhere
with a date and time it was removed?
Thanks in advance for your help.
Regards

Executive summary:
Without additional software, generally speaking, you cannot track the
inventory of hardware components inside the computer.
Your BIOS has a couple features, which are intended to help with such issues.
But they are not "forensic" in nature, and are not intended to convict
someone in a court of law. The BIOS features are there, to be used in
conjunction with third party software.
The first, and simple BIOS feature, is "intrusion detection". Some computers
have a switch on the cover of the computer case. If the cover of the computer
case is removed, the switch detects that fact. When you next start the BIOS,
the BIOS will put a message on the screen, stating that the cover has been
removed. That would be evidence, that the computer has been tampered with.
That does not help in your case, because you already know someone was inside
the computer, doing maintenance work on it.
The second BIOS mechanism, is the DMI table. DMI and ESCD are storage areas
inside the BIOS flash chip. Those areas contain an inventory list, of hardware
known to be in the computer. Each time you start the computer, the BIOS compares
the contents of the DMI list, against the hardware detected during POST. If
the hardware has changed, the BIOS code will flash upgrade the DMI and ESCD
tables in the flash chip.
Say for example, that yesterday the computer had three sticks of RAM. The DMI
table would show three sticks. Now, today, you remove a stick. During POST,
the BIOS compares the DMI, against the fact that there are only two sticks.
The BIOS then updates the DMI table, to show only two sticks. The DMI table
is only updated, if the hardware inventory of the computer has changed.
The purpose of the DMI, is to support computer utility programs. For example,
in a large corporation, every night, a program on the user's computer, copies
the DMI table, and sends it to a central server. Thus, the server has a very
large database, that shows the hardware contents of the machine, collected
on a daily basis. For the example computer above, yesterday's DMI would show
three sticks, today's DMI would show two sticks, and you could conclude that
a stick was removed last night. By using the utility program and a central
server, you could tell a stick went missing overnight.
Using a computer program that accesses the DMI table, and records it every
day, is how you detect a change in hardware inventory. But that is virtually
useless for proving where the stick of RAM went.
Unless you had a program that copied the DMI every day, you would not be
able to detect a change in the DMI. If you read out the DMI today, it
will reflect the hardware contents of the computer today. If the DMI recorded
a date, when the DMI was last updated, that would give you a hint, but I
don't think it works that way.
Even if the DMI table contained a date, as to the last time the BIOS updated
the table, that still won't help you. As the technicians are working on
your computer, they could make innocent changes to the machine, that caused
the DMI table to be updated. The DMI table could get updated, as hardware
is removed and put back, during their testing.
Purely to demonstrate what the DMI records, get the Everest program
from here.
"EVEREST Free Edition 2.20"
http://majorgeeks.com/download4181.html
Install the program, and start it. From the menu, select "Report" then
"Report Wizard". Click "Next" in the first window. Click "Hardware-related
pages". Click "Next". Click "Plain Text". Click "Finish".
After a minute, a page of text will appear as the "Report". Scroll the window
down. All the text between these two headers, is the contents of the DMI table
from the BIOS flash chip.
--------[ DMI ]---------
--------[ Overclock ]----------
This is part of the DMI table from my computer. My computer has four DIMM
slots. The DMI did manage to record that I have 2x512MB in slot A2 and B2.
[ Memory Modules / DIMM A1 ]
Memory Module Properties:
Socket Designation DIMM A1
Installed Size Not Installed
Enabled Size Not Installed
[ Memory Modules / DIMM A2 ]
Memory Module Properties:
Socket Designation DIMM A2
Type DIMM, SDRAM
Installed Size 512 MB
Enabled Size 512 MB
[ Memory Modules / DIMM B1 ]
Memory Module Properties:
Socket Designation DIMM B1
Installed Size Not Installed
Enabled Size Not Installed
[ Memory Modules / DIMM B2 ]
Memory Module Properties:
Socket Designation DIMM B2
Type DIMM, SDRAM
Installed Size 512 MB
Enabled Size 512 MB
My BIOS did not manage to record the serial numbers of the DIMMs, even
though, in fact, my Crucial memory does have a unique serial number in
each DIMM. One of the problems with DMI is quite inaccurate
recording of hardware inventory. Many BIOS designs prepare bad DMI
tables, and much of the information in the DMI table is nonsense.
This is why hardly anyone relies on DMI, for their information.
If you use software which logs the DMI table every day, and stores
it away, *THEN* you can detect missing hardware. But that is still
not proof of where the missing hardware went.
Paul
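
The daily-snapshot comparison described in the reply above, as an added example that is not part of the original post and not EVEREST's own code: it parses the memory-module blocks of two saved plain-text reports and lists what changed per slot. The function names are hypothetical and both snapshots are constructed sample data laid out like the excerpt on this page.

```python
import re

# Property names exactly as they appear in the report excerpt on this page.
KEYS = ("Socket Designation", "Type", "Installed Size", "Enabled Size")
HEADER = re.compile(r"^\[ Memory Modules / (.+?) \]$")

def parse_modules(report):
    """Return {slot: {property: value}} for each memory-module block."""
    modules, current = {}, None
    for raw in report.splitlines():
        line = raw.strip()
        m = HEADER.match(line)
        if m or line.startswith("["):
            # Enter a memory-module block, or leave on any other report block.
            current = modules.setdefault(m.group(1), {}) if m else None
            continue
        if current is None:
            continue
        for key in KEYS:
            if line.startswith(key + " "):
                current[key] = line[len(key):].strip()
    return modules

def diff_snapshots(old, new):
    """List (slot, property, old_value, new_value) for every difference."""
    a, b = parse_modules(old), parse_modules(new)
    changes = []
    for slot in sorted(set(a) | set(b)):
        pa, pb = a.get(slot, {}), b.get(slot, {})
        for key in KEYS:
            if pa.get(key) != pb.get(key):
                changes.append((slot, key, pa.get(key), pb.get(key)))
    return changes

def block(slot, size):
    """Build one constructed report block in the page's layout."""
    lines = [f"[ Memory Modules / {slot} ]", "Memory Module Properties:",
             f"Socket Designation {slot}"]
    if size != "Not Installed":
        lines.append("Type DIMM, SDRAM")
    lines += [f"Installed Size {size}", f"Enabled Size {size}"]
    return "\n".join(lines)

# Constructed snapshots: a 256 MB module present yesterday, absent today.
YESTERDAY = "\n".join([block("DIMM A1", "256 MB"), block("DIMM A2", "512 MB")])
TODAY = "\n".join([block("DIMM A1", "Not Installed"), block("DIMM A2", "512 MB")])
if __name__ == "__main__":
    for slot, key, before, after in diff_snapshots(YESTERDAY, TODAY):
        print(f"{slot}: {key}: {before} -> {after}")
```

The date of a change comes only from when each snapshot was saved, so the reports need to be stored with their collection date, ideally off the machine.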