Dates in regedit

[kiknewbie]

Hi again ^_^ this is only curiosity, i know that in Windows XP, in "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\W indows" there is a file "ShutdownTime". Its type is REG_BINARY and it's supposed to register the last time the PC was shut down correctly. I know there are different methods to know this data, but what i'm interested for is the "code" the file has. It's kind of Hexadecimal (but its type is REG_BINARY?) so i don't know. It has, I think 8 hexadecimal numbers, which i think it should be the 4 cyphers of year, 2 of month, and 2 of day, but translated to decimal and got no sense. I found a Visual Basic script (.vbs) on the Internet (i don't know Visual) so i don't know what exactly does, but it makes a sort of 2^0, 2^8, 2^56 with those cyphers. Could anybody explain what is this?

Here is the code

Code:

strValueName = "HKLM\SYSTEM\CurrentControlSet\Control\Windows\" _
& "ShutdownTime"
Set oShell = CreateObject("WScript.Shell")
Ar = oShell.RegRead(strValueName)
Term = Ar(7)*(2^56) + Ar(6)*(2^48) + Ar(5)*(2^40) + Ar(4)*(2^32) _
+ Ar(3)*(2^24) + Ar(2)*(2^16) + Ar(1)*(2^8) + Ar(0)
Days = Term/(1E7*86400)
WScript.Echo "ShutdownTime = " & CDate(DateSerial(1601, 1, 1) + Days) _
& " UTC"

If anybody understands it, please explain it.

[Dino]

It appears that Ar contains an 8 byte numeric string on return from the RegRead call.

It looks like it then takes a substring of each digit (I don't know how VB indexex values, left-to-right or right-to-left), and multiplies that digit times the power of 2 shown, adds them all together, and then divides that by a magic number. Finally, it calls two formatting routines to take that number and make it human readable.

[adeyblue]

The value is a serialized FILETIME struct. Decoding it in C is just a matter of using the API

Code:

#include <stdio.h>
#include <windows.h>

int main()
{
    HKEY handle = NULL;
    RegOpenKeyEx(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\Windows", 
                             0, KEY_QUERY_VALUE, &handle);
    if(handle)
    {
        FILETIME time = {0};
        DWORD size = sizeof(time);
        if(RegQueryValueEx(handle, "ShutdownTime", NULL, NULL, (BYTE*)&time, &size) == ERROR_SUCCESS)
        {
            SYSTEMTIME sysTime = {0};
            FileTimeToSystemTime(&time, &sysTime);
            printf("Last shutdown occurred on %u/%u/%u at %u:%u:%u\n",
                     sysTime.wDay, sysTime.wMonth, sysTime.wYear, 
                     sysTime.wHour, sysTime.wMinute, sysTime.wSecond);
        }
        else puts("Couldn't read ShutdownTime");
        RegCloseKey(handle);
    }
    else puts("Couldn't open key");
    return 0;
}

The registry value apparently doesn't exist in Vista so don't rely on it.