What is this? some sort of log.

[spmccain]

Recently a computer that controls a some machinery crashed. when we went to contact the company whose software we use to control the machinery. They recovered the hard drive and and are now claiming that someone tried to install something that damaged or curropted the OS(windows2000). they attached this file(chipset update snippet), which seems to be a log of events, and they are claiming that it is evidence of our tampering. they forwarded the evidece to IT (me) to substantiate the claim. can anyone tell me what this is. I've done some research and from first glance it seems to be a driver installation. Our users cannot install software on their machines as our security is pretty tight. the guy that the company claims to have tampered with the machine is denying the claim. His job depends on this file. here's a printout of the file:

[2005/04/23 21:20:14 3404.234]
#-198 Command line processed: C:\PROGRA~1\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
#I060 Set selected driver.
#-019 Searching for hardware ID(s): pci\ven_8086&dev_244e&subsys_00000000&rev_c2,pci\ven_8086&dev_244e&subsys_00000000,pci\ven_8086&dev_244e&rev_c2,pci\ven_8086&dev_244e,pci\ven_8086&dev_244e&cc_060400,pci\ven_8086&dev_244e&cc_0604
#-018 Searching for compatible ID(s): pci\ven_8086&cc_060400,pci\ven_8086&cc_0604,pci\ven_8086,pci\cc_060400,pci\cc_0604
#I022 Found "PCI\VEN_8086&DEV_244E" in c:\windows\temp\ich5core.inf; Device: "Intel(R) 82801 PCI Bridge - 244E"; Driver: "Intel(R) 82801 PCI Bridge - 244E"; Provider: "Intel"; Mfg: "Intel"; Section name: "INTEL_PCI".
#I023 Actual install section: [INTEL_PCI]. Rank: 0x00000003. Effective driver date: 08/22/2003.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [INTEL_PCI] in "c:\windows\temp\ich5core.inf".
#I320 Class GUID of device remains: {4D36E97D-E325-11CE-BFC1-08002BE10318}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-124 Doing copy-only install of "PCI\VEN_8086&DEV_244E&SUBSYS_00000000&REV_C2\3&267A616A&0&F0".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [INTEL_PCI.Interfaces] from "c:\windows\temp\ich5core.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "PCI\VEN_8086&DEV_244E&SUBSYS_00000000&REV_C2\3&267A616A&0&F0".
#I121 Device install of "PCI\VEN_8086&DEV_244E&SUBSYS_00000000&REV_C2\3&267A616A&0&F0" finished successfully.
[2005/04/23 21:20:24 3404.481 Driver Install]
#-406 Obtaining rollback information for device "PCI\VEN_8086&DEV_24D0&SUBSYS_00000000&REV_02\3&267A616A&0&F8":
#-019 Searching for hardware ID(s): pci\ven_8086&dev_24d0&subsys_00000000&rev_02,pci\ven_8086&dev_24d0&subsys_00000000,pci\ven_8086&dev_24d0&rev_02,pci\ven_8086&dev_24d0,pci\ven_8086&dev_24d0&cc_060100,pci\ven_8086&dev_24d0&cc_0601
#-018 Searching for compatible ID(s): pci\ven_8086&cc_060100,pci\ven_8086&cc_0601,pci\ven_8086,pci\cc_060100,pci\cc_0601
#-198 Command line processed: C:\PROGRA~1\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
#I063 Selected driver installs from section [INTEL_ISAPNP] in "c:\windows\inf\ich5core.inf".
#I320 Class GUID of device remains: {4D36E97D-E325-11CE-BFC1-08002BE10318}.
#I060 Set selected driver.
[2005/04/23 21:20:23 3404.475]
#-198 Command line processed: C:\PROGRA~1\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
#I060 Set selected driver.
#-019 Searching for hardware ID(s): pci\ven_8086&dev_24d0&subsys_00000000&rev_02,pci\ven_8086&dev_24d0&subsys_00000000,pci\ven_8086&dev_24d0&rev_02,pci\ven_8086&dev_24d0,pci\ven_8086&dev_24d0&cc_060100,pci\ven_8086&dev_24d0&cc_0601
#-018 Searching for compatible ID(s): pci\ven_8086&cc_060100,pci\ven_8086&cc_0601,pci\ven_8086,pci\cc_060100,pci\cc_0601
#I022 Found "PCI\VEN_8086&DEV_24D0" in c:\windows\temp\ich5core.inf; Device: "Intel(R) 82801EB LPC Interface Controller - 24D0"; Driver: "Intel(R) 82801EB LPC Interface Controller - 24D0"; Provider: "Intel"; Mfg: "Intel"; Section name: "INTEL_ISAPNP".
#I023 Actual install section: [INTEL_ISAPNP]. Rank: 0x00000003. Effective driver date: 08/22/2003.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [INTEL_ISAPNP] in "c:\windows\temp\ich5core.inf".
#I320 Class GUID of device remains: {4D36E97D-E325-11CE-BFC1-08002BE10318}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-124 Doing copy-only install of "PCI\VEN_8086&DEV_24D0&SUBSYS_00000000&REV_02\3&267A616A&0&F8".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [INTEL_ISAPNP.Interfaces] from "c:\windows\temp\ich5core.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "PCI\VEN_8086&DEV_24D0&SUBSYS_00000000&REV_02\3&267A616A&0&F8".
#W100 Query-removal during install of "PCI\VEN_8086&DEV_24D0&SUBSYS_00000000&REV_02\3&267A616A&0&F8" was vetoed by "ACPI\PNP0303\4&35f762c4&0" (veto type 6: PNP_VetoDevice).
#W104 Device "PCI\VEN_8086&DEV_24D0&SUBSYS_00000000&REV_02\3&267A616A&0&F8" required reboot: Query remove failed (install) CfgMgr32 returned: 0x17: CR_REMOVE_VETOED.
#I121 Device install of "PCI\VEN_8086&DEV_24D0&SUBSYS_00000000&REV_02\3&267A616A&0&F8" finished successfully.
[2005/04/23 21:20:28 3404.721 Driver Install]
#-406 Obtaining rollback information for device "PCI\VEN_8086&DEV_24D1&SUBSYS_524C8086&REV_02\3&267A616A&0&FA":
#-019 Searching for hardware ID(s): pci\ven_8086&dev_24d1&subsys_524c8086&rev_02,pci\ven_8086&dev_24d1&subsys_524c8086,pci\ven_8086&dev_24d1&cc_01018f,pci\ven_8086&dev_24d1&cc_0101
#-018 Searching for compatible ID(s): pci\ven_8086&dev_24d1&rev_02,pci\ven_8086&dev_24d1,pci\ven_8086&cc_01018f,pci\ven_8086&cc_0101,pci\ven_8086,pci\cc_01018f,pci\cc_0101
#-198 Command line processed: C:\PROGRA~1\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
#I063 Selected driver installs from section [intelide] in "c:\windows\inf\ich5ide.inf".
#I320 Class GUID of device remains: {4D36E96A-E325-11CE-BFC1-08002BE10318}.
#I060 Set selected driver.
[2005/04/23 21:20:27 3404.715]
#-198 Command line processed: C:\PROGRA~1\COMMON~1\INSTAL~1\Engine\6\INTEL3~1\IKernel.exe -Embedding
#I060 Set selected driver.
#-019 Searching for hardware ID(s): pci\ven_8086&dev_24d1&subsys_524c8086&rev_02,pci\ven_8086&dev_24d1&subsys_524c8086,pci\ven_8086&dev_24d1&cc_01018f,pci\ven_8086&dev_24d1&cc_0101
#-018 Searching for compatible ID(s): pci\ven_8086&dev_24d1&rev_02,pci\ven_8086&dev_24d1,pci\ven_8086&cc_01018f,pci\ven_8086&cc_0101,pci\ven_8086,pci\cc_01018f,pci\cc_0101
#I022 Found "PCI\VEN_8086&DEV_24D1" in c:\windows\temp\ich5ide.inf; Device: "Intel(R) 82801EB Ultra ATA Storage Controllers"; Driver: "Intel(R) 82801EB Ultra ATA Storage Controllers"; Provider: "Intel"; Mfg: "Intel"; Section name: "intelide".
#I023 Actual install section: [intelide]. Rank: 0x00002001. Effective driver date: 05/19/2003.
#-166 Device install function: DIF_SELECTBESTCOMPATDRV.
#I063 Selected driver installs from section [intelide] in "c:\windows\temp\ich5ide.inf".
#I320 Class GUID of device remains: {4D36E96A-E325-11CE-BFC1-08002BE10318}.
#I060 Set selected driver.
#I058 Selected best compatible driver.
#-124 Doing copy-only install of "PCI\VEN_8086&DEV_24D1&SUBSYS_524C8086&REV_02\3&267A616A&0&FA".
#-166 Device install function: DIF_REGISTER_COINSTALLERS.
#I056 Coinstallers registered.
#-166 Device install function: DIF_INSTALLINTERFACES.
#-011 Installing section [intelide.Interfaces] from "c:\windows\temp\ich5ide.inf".
#I054 Interfaces installed.
#-166 Device install function: DIF_INSTALLDEVICE.
#I123 Doing full install of "PCI\VEN_8086&DEV_24D1&SUBSYS_524C8086&REV_02\3&267A616A&0&FA".

chipset_update_snippet.txt

[Stuntgp2000]

I think someone tried to install Intel IDE & Chipset Utility for I810 chipsets. That software improves hard disk speed, optimize caching and active UDMA 66.

[Ghostrider]

I agree, it was an install of the intel chipset drivers initiated at 2120hrs on 23 april 2005, might even be an automatic update from windows...???

BTW... this driver will only install if OS supports it and if native support is not already available. in other words it should not break an OS because if it's the wrong driver or not needed it wont install, it would be interesting to see the final part of the text showing whether the driver aborted or completed successfully.

[spmccain]

So this isn't the result of someone trying to install a game. Thats good news, I wonder if windows update was really involved in this. I can't think of anything else that would do this. The company dials in remotely to connect to the computer's modem. I don't think that was it. Maybe this is just a dump from the work they did in recovering the hard drive. I don't think I mentioned that they had to recover the hard drive( the company). Does that sound right?

[spmccain]

This could possibly be activity that the company performed during recovery of the hard drive, not what the hard drive was doing before it crashed. It is not conclusive to what happened to the computer that caused the crash.

[k0pect8]

Look at the date- 4/23/05 (9:20pm) - was it in their possession or yours at that time?

It's definitely the Intel ICH5 drivers being installed.

[FthrJACK]

its the Intel ICH5 drivers, as other people said. not only that but, the date...

AND, its for something thats obviously on the PCI bus, something already installed in the machine, so... id say odds on he hasnt tried to install it, and that it is an attempt by them later, or an auto install by the OS for a "new" device or for an update.

The other thing is, that the document isnt evidence at all.

If that person loses his job over this, i would recommend he sues. In taking away the machine and messing with it in the way they have, they have altered data and logs on the machine. And in doing so, made any "evidence" that might be on it, not worth the hard disk space its written on, a court would throw that "evidence" out because it is 'contaminated'