0

Let us say we have a Dual Boot Machine. Or we have a Linux LiveCD in the CD Drive.

We are running Windows & select reboot or Hibernate.
The Machine exits the OS and goes back to the Booting Process.

Here we can select some other OS. Or we can boot the Linux LiveCD in the CD Drive.

Then we shut down the other OS.

When we reboot, Windows again takes control. Does this Windows instance "know" that there was some other OS running in between reboots?
I am thinking about some CMOS Setting (or BIOS or UEFI or Similar) which records the Previous Boot Device.
Comparing this with Current Boot Device will tell the OS that there was some other OS running in between.

Is that Possible?

Though I am asking this out of curiosity, there are Practical reasons for this:

E.g. 1: When we have a Corporate laptop, and the Corporate Policy is to not use Linux LiveCD (e.g. to extract Confidential Data out of the HardDisk), it may be useful to check "Previous Boot Device" and record it against the employee.

E.g. 2: Windows may hypothetically want to go into "Paranoia Mode" about system file integrity and initiate a full system check if & when it detects that "Previous Boot Device" was not Windows.

4
  • 1
    I don't think so. You would have to log it somewhere yourself.
    – DavidPostill
    Commented Jul 23, 2022 at 12:40
  • 3
    Are you asking for some specific purpose, or just out of curiosity? Commented Jul 23, 2022 at 13:07
  • Mostly "curiosity", @user1686!!
    – Prem
    Commented Jul 23, 2022 at 16:00
  • 1
    If corporate policy is not to boot from external media and they enforce it, they will have BIOS and boot menu locked down anyways. Commented Jul 23, 2022 at 16:18

2 Answers

1

To answer the question directly, as far as I know this is not possible, at least not in a way that's reliable enough to be useful for what you describe. The system firmware does not keep persistent logs of what was booted when. The only things that come close are the "power-on count" that disks track in their SMART data and the "boot count" that TPM chips likewise keep track of, but a simple counter cannot be used to prove that anything unwanted was actually done.

(Some Linux filesystems do record the "last mounted on" hostname within the filesystem itself, but that's completely voluntary on their part; it's done to prevent shared disks from being mounted twice at the same time.)

But in both of your examples, you've only considered booting a liveCD on the same computer – but you forgot the possibility of removing the disk from the machine and connecting it to another system like a data disk, which is much more likely to happen. Even if the previous non-Windows boot could be detected easily, it cannot in any way detect something that hasn't even happened on the same computer.

So in both of your examples, a different approach is usually taken – instead of using corporate policy (to scare away people who care about corporate policy the least) to react to events when it's too late, the system disk usually is encrypted so that its data couldn't be accessed in the first place, e.g. using BitLocker or various commercial tools. (That is, the difference between tamper-evident vs tamper-resistant.)

Instead of the OS detecting what happened previously, BitLocker does the opposite; features such as "measured boot" (via TPM + Secure Boot) provide information about what's happening during the current boot, e.g. Windows will be able to automatically unlock a BitLocker-protected disk if the current boot passes verification, but anything else won't be able to obtain the decryption key from the TPM hardware.
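The sealing behaviour described in the answer above can be sketched with a toy model; this is an added example, not part of the original answer and not BitLocker's or any real TPM's implementation. The component names, the `ToyTPM` class, and the single-PCR policy are assumptions made for illustration.

```python
import hashlib
import hmac

PCR_SIZE = 32  # one SHA-256 PCR
# Constructed boot chains; the component names are illustrative only.
WINDOWS_CHAIN = [b"firmware", b"windows-boot-manager", b"windows-loader"]
LIVECD_CHAIN = [b"firmware", b"livecd-bootloader", b"livecd-kernel"]


def extend(pcr, component):
    """PCR extend: new = SHA256(old || SHA256(component)); never a plain write."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_boot(chain):
    """A platform reset zeroes the PCR, then each stage is extended in order."""
    pcr = bytes(PCR_SIZE)
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Hypothetical model: holds a secret bound to the PCR value at seal time."""
    def __init__(self):
        self.pcr = bytes(PCR_SIZE)
        self._sealed = None

    def reset_and_boot(self, chain):
        self.pcr = measure_boot(chain)  # nothing from the previous boot survives

    def seal(self, secret):
        self._sealed = (self.pcr, secret)

    def unseal(self):
        if self._sealed is None:
            raise ValueError("nothing sealed")
        expected, secret = self._sealed
        if not hmac.compare_digest(expected, self.pcr):
            raise PermissionError("PCR mismatch: boot chain differs")
        return secret


if __name__ == "__main__":
    tpm = ToyTPM()
    tpm.reset_and_boot(WINDOWS_CHAIN)
    tpm.seal(b"volume-key")  # constructed secret
    tpm.reset_and_boot(WINDOWS_CHAIN)  # same chain again: key is released
    print(tpm.unseal())
```

In this model, booting `LIVECD_CHAIN` in between makes `unseal()` fail, and the next Windows boot reproduces the original PCR value, so the register itself holds no record of the intervening boot.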

1

Not likely. I have never seen a BIOS log a boot device. If you were to boot off a live CD or USB, the OS installed on the HDD/SSD will not execute and create any logs of its own. You would then be able to copy the files or even image the disk without anyone knowing.

That being said, if the company doesn't want you to do that, it likely limits the boot configuration to the HDD/SSD and password protects the computer's boot menu. However, if you have physical access to the computer, you could simply remove the drive and read it from another machine. The only protection against this would be if the drive was encrypted.

1
  • Though I have upvoted both answers, I "accepted" the other one because it gave some Ideas about "tamper-evident vs tamper-resistant" & "measured boot"; Thanks to you & @user1686 in satisfying my curiosity!!
    – Prem
    Commented Jul 23, 2022 at 17:26
