- May
- 13,450
- 193
Two more things about REGDIR's timestamps ...
1. Any time in 00:00 - 09:59 appears with only one '0' in the hour. That's not my chosen format and I don't see it anywhere else. For example,
2. Assuming I was correct (in another thread) in pointing out that all subkeys show the timestamp of their parent key, then timestamps during standard time differ by one hour from the ones I get with my KEYTIMES or @KEYTIME plugins. For example,
I use the following on the FILETIME from RegQueryKeyInfo.
1. Any time in 00:00 - 09:59 appears with only one '0' in the hour. That's not my chosen format and I don't see it anywhere else. For example,
Code:
v:\> regdir /t HKCU | grep " 8:55" | head /n 1
2012-06-07 8:55 Trust Database
2. Assuming I was correct (in another thread) in pointing out that all subkeys show the timestamp of their parent key, then timestamps during standard time differ by one hour from the ones I get with my KEYTIMES or @KEYTIME plugins. For example,
Code:
v:\> echo %@keytime[HKCU\AppEvents]
2013-01-25,12:51:33
v:\> regdir /s1 /t HKCU\AppEvents | grep EventLabels
2013-01-25 13:51 EventLabels
I use the following on the FILETIME from RegQueryKeyInfo.
Code:
BOOL FileTimeToLocalSystemTime(LPFILETIME pft, LPSYSTEMTIME pstLocal)
{
SYSTEMTIME st;
if ( FileTimeToSystemTime(pft, &st) && SystemTimeToTzSpecificLocalTime(NULL, &st, pstLocal) )
return TRUE;
return FALSE;
}
WCHAR *DateString(SYSTEMTIME *pst)
{
static WCHAR buf[32];
GetDateFormat(LOCALE_USER_DEFAULT, DATE_SHORTDATE, pst, NULL, buf, 32);
return buf;
}
WCHAR *TimeString(SYSTEMTIME *pst)
{
static WCHAR buf[32];
GetTimeFormat(LOCALE_USER_DEFAULT, 0, pst, NULL, buf, 16);
return buf;
}