My friend Chris over at Cy4or told me about a case recently where a suspect had stated that he repeatedly had problems with his OS (XP) that he resolved by formatting and re-installing.
Chris was tasked with looking for evidence of this and came up with the idea of searching for the Install Date registry key, both in the live registry files (the Software hive and the restore-point copies) and within unallocated clusters. This proved to be a neat idea, because a number of different Install Dates were located.
In EnCase the GREP expression \x04\x00\x00\x00\x01\x00\x00\x00\x49\x6E\x73\x74\x61\x6C\x6C\x44\x61\x74\x65 finds the InstallDate string, and immediately before the hit is a 32-bit Unix date which, when decoded, is the Install Date. On all our test boxes this was consistent; your mileage may vary.
We also looked at whether the same method would locate multiple shutdown times, but found that the shutdown time at HKLM\System\CurrentControlSet\Control\Windows\ShutdownTime, stored as a 64-bit Windows FILETIME, is often not co-located with the ShutdownTime string.
Whilst looking at this we did find that the registry key HKLM\System\CurrentControlSet\Control\Watchdog\Display\ShutdownCount was exactly what it says on the tin: it maintains a count of the number of times the OS has been shut down.
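The carving idea from the EnCase GREP above, and the FILETIME format mentioned for ShutdownTime, as an added Python example (not from the original post or from Cy4or). It searches raw bytes for the same signature, reads the four bytes just before the hit as a little-endian 32-bit Unix timestamp, and decodes a 64-bit FILETIME. The sample buffer is constructed, not taken from a real hive; the vk-record layout the helper relies on (type field 4 = REG_DWORD, flags 1 = ASCII name, DWORD data stored inline in the data-offset slot) is the standard hive format, which is also why the date sits immediately before the GREP hit.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# The same byte sequence as the EnCase GREP in the post: the tail of a
# registry 'vk' value record for a REG_DWORD (type 4) value whose name is
# stored as ASCII (flag 1), followed by the value name itself.
INSTALLDATE_SIG = b"\x04\x00\x00\x00\x01\x00\x00\x00InstallDate"
_SIG_RE = re.compile(re.escape(INSTALLDATE_SIG))

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def unix32_to_datetime(ts):
    """Decode a 32-bit Unix timestamp (seconds since 1970-01-01 UTC)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc)


def filetime_to_datetime(ft):
    """Decode a 64-bit Windows FILETIME, the format ShutdownTime is stored in."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def carve_install_dates(data):
    """Find every InstallDate hit in raw bytes and decode its timestamp.

    In a vk record the 4 bytes before the type field are the data-offset
    field; for a 4-byte REG_DWORD the hive stores the value there inline,
    which is why the Unix date sits just prior to the GREP hit.  Returns
    (offset_of_timestamp, utc_datetime) pairs so each hit can be bookmarked.
    """
    hits = []
    for m in _SIG_RE.finditer(data):
        ts_off = m.start() - 4
        if ts_off < 0:
            # Signature at the very start of a fragment: the timestamp
            # bytes are not in this buffer, so there is nothing to decode.
            continue
        (ts,) = struct.unpack_from("<I", data, ts_off)
        hits.append((ts_off, unix32_to_datetime(ts)))
    return hits


def make_vk_installdate(ts):
    """Build a constructed vk record for testing (not copied from a real hive).

    Little-endian layout: 'vk', name length, data size with the 0x80000000
    'inline data' bit set, the DWORD itself in the data-offset slot, type
    (4 = REG_DWORD), flags (1 = ASCII name), spare word, then the name.
    """
    name = b"InstallDate"
    return struct.pack("<2sHIIIHH", b"vk", len(name), 4 | 0x80000000, ts, 4, 1, 0) + name


# Constructed sample: two InstallDate records separated by filler, as might
# be seen when a live hive and an older copy in unallocated space both hit.
SAMPLE = (
    b"\x00" * 16
    + make_vk_installdate(1104537600)   # 2005-01-01 00:00:00 UTC
    + b"\xff" * 32
    + make_vk_installdate(1167609600)   # 2007-01-01 00:00:00 UTC
    + b"\x00" * 8
)

if __name__ == "__main__":
    for off, when in carve_install_dates(SAMPLE):
        print(f"offset {off:#06x}: InstallDate {when:%Y-%m-%d %H:%M:%S} UTC")
    # ShutdownTime is a FILETIME; 116444736000000000 ticks is the Unix epoch.
    print("FILETIME 116444736000000000 ->", filetime_to_datetime(116444736000000000))
```

Run over a raw image or an exported hive, the function reports every hit with the offset of the timestamp so each one can be bookmarked and checked against the surrounding record; a hit at the very start of a fragment is skipped rather than mis-decoded, since the four date bytes are not present.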