The value is a serialized FILETIME struct, so the decoded time is in UTC. Decoding it in C is just a matter of using the Windows API:
Code:
#include <stdio.h>
#include <windows.h>
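/*
 * Print the time of the last system shutdown, as recorded in
 * HKLM\SYSTEM\CurrentControlSet\Control\Windows\ShutdownTime.
 *
 * The value holds a raw FILETIME. It is converted with
 * FileTimeToSystemTime(), so the printed date and time are UTC, in
 * day/month/year order.
 *
 * Returns 0 when the timestamp was read and printed, 1 when the key could
 * not be opened or the value could not be read or decoded.
 */
int main()
{
    HKEY handle = NULL;
    /* The A-suffixed calls match the narrow string literals, so this also
       builds when UNICODE is defined. */
    LONG status = RegOpenKeyExA(HKEY_LOCAL_MACHINE,
                                "SYSTEM\\CurrentControlSet\\Control\\Windows",
                                0, KEY_QUERY_VALUE, &handle);
    if (status != ERROR_SUCCESS || handle == NULL) {
        puts("Couldn't open key");
        return 1;
    }

    int rc = 1;
    FILETIME time = {0};
    SYSTEMTIME sysTime = {0};
    DWORD type = 0;
    DWORD size = sizeof(time);

    status = RegQueryValueExA(handle, "ShutdownTime", NULL, &type,
                              (BYTE *)&time, &size);

    /*
     * Registry content is not guaranteed to be well-formed. A value of the
     * wrong type, or one shorter than a FILETIME, would otherwise be decoded
     * from a partly zero-filled buffer and reported as a plausible-looking
     * but wrong timestamp. FileTimeToSystemTime() can also fail when the
     * value is out of range, so its result is checked too.
     */
    if (status == ERROR_SUCCESS && type == REG_BINARY && size == sizeof(time)
        && FileTimeToSystemTime(&time, &sysTime)) {
        /* WORD fields are cast so the arguments match the %u conversions. */
        printf("Last shutdown occurred on %u/%u/%u at %u:%u:%u\n",
               (unsigned)sysTime.wDay, (unsigned)sysTime.wMonth,
               (unsigned)sysTime.wYear, (unsigned)sysTime.wHour,
               (unsigned)sysTime.wMinute, (unsigned)sysTime.wSecond);
        rc = 0;
    } else {
        puts("Couldn't read ShutdownTime");
    }

    RegCloseKey(handle);
    return rc;
}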
The registry value apparently doesn't exist in Vista, so don't rely on it being present; handle a failed read the way the code above does.