Time and date of last shutdown

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    183

    Time and date of last shutdown

    Hi

    I've been searching for a way to find the date and time that a PC was last shut down correctly. I came across HKLM\System\CurrentControlSet\Control\Windows and a value within it - ShutdownTime. In mine (XP Pro) there is a binary value: 04FB79E2DF9FC701.

    I have a couple of questions:

    Firstly, there is also a binary value in the same area in ....\ControlSet001\... which is different (84445FE4F17DC701) whilst the value in the same area in ...\ControlSet002\... and ...\ControlSet003\... is the same as that in ...\CurrentControlSet\... Why the different value in ...\ControlSet001\...?

    Secondly, I interpreted the first binary value using Decode (http://www.digital-detective.co.uk/freetools/decode.asp) and I was fortunate to use the first Decode Format (Windows: 64 bit Hex Value - Little Endian) which gave me the correct date and time when I last shut down my PC (Sat, 26 May 2007 21:50:32 UTC). Is there any other way that I can decode the binary value? Ideally, I'd like to be able to do it manually so I understand exactly what's happening. I've not been able to find information anywhere about the binary format of date/time in the registry. I've no idea about the other binary value which decodes to Fri, 13 April 2007 17:33:47 UTC. Any ideas?

    Thanks for your time (and patience!).

  2. #2
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    I guess you can ignore it.

    Control sets are just records of boot default values, so one is the current one used, another is default, another is last known good, and another is last failed.

    I think that only 4 are supported?

    Friday 13th. well we all know about that?.............. it will be the last failed

    If you are not having problems I would expect most (apart from fail) to be the same.

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  3. #3
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Thanks for the prompt reply.

    I read about binary date values in the registry being a 64-bit hex value which increments every 0.000001 seconds (I think that's the correct number of zeros!) and the "start" time was around 1 January 1601. I did the calculation for my "real" last shutdown time and it was way, way off. It gave me a date towards the early part of 1715. I guess that the information I read was wrong. Does anyone have correct information about how binary date/time values in the registry are produced?

  4. #4
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    eh, quickest way is surely event viewer?
    If the world doesn't stop annoying me I will name my kids ";DROP DATABASE;" and get revenge.

  5. #5
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Yes, I see what you mean. I looked at the System in Event Viewer and the final entry last night was when the Event log service was stopped at 22:14:45. I checked the binary time value (as in my first post) and it reported the shutdown time as 21:15:06. I can account for the one hour difference (I think) because of British Summer Time (correct?). I assume that the 21 second difference is the process of actually shutting down the system, writing to essential files etc. Is this correct or should I check elsewhere in the Event Viewer? I couldn't see anything else which seemed to relate to when I shut down last night.

  6. #6
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Yes, I think that the daylight savings time has something to do with it. You could test this by changing the time zone? I am not sure but maybe the "core" time is GMT, and it offsets from this?

    Also reset to GMT and turn daylight savings time adjustment off?

    The seconds difference would be the shutdown time IMHO, as I am not aware of more than one CMOS RTC, only "interpretations" of its value.

  7. #7
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Good point - I'll change the time zone before I shut down today and check the value again tomorrow.

    BTW, I've been doing some further investigating regarding calculating the time and date from the binary value. It increments by 100 nanoseconds from 1600. I guess I'll have to try again, but do the maths by hand, rather than rely on online calculators. That'll take me quite a while!
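
The manual decoding asked about in this thread, as an added example (not code from any poster): it treats the value as a Windows FILETIME, a little-endian 64-bit count of 100-nanosecond ticks since 1 January 1601 UTC, and works through the two ShutdownTime values quoted in post #1. The function names are this example's own.

```python
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000

def parse_reg_binary(text):
    """Turn '04FB79E2DF9FC701', '04 fb 79 ...' or 'hex:04,fb,...' into 8 raw bytes."""
    cleaned = text.strip().lower()
    if cleaned.startswith("hex:"):
        cleaned = cleaned[4:]
    cleaned = cleaned.replace(",", "").replace(" ", "")
    raw = bytes.fromhex(cleaned)  # raises ValueError on non-hex input
    if len(raw) != 8:
        raise ValueError(f"expected 8 bytes, got {len(raw)}")
    return raw

def filetime_ticks(raw):
    """Bytes are stored least-significant first, so read them little-endian."""
    return int.from_bytes(raw, "little")

def by_hand(ticks):
    """The long-division route: ticks -> seconds -> days, hours, minutes, seconds."""
    seconds = ticks // TICKS_PER_SECOND
    days, rest = divmod(seconds, 86_400)
    hours, rest = divmod(rest, 3_600)
    minutes, secs = divmod(rest, 60)
    return days, hours, minutes, secs

def to_utc(ticks):
    """Same result via datetime; timedelta resolution is 1 microsecond (10 ticks)."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def decode_shutdown_time(text):
    return to_utc(filetime_ticks(parse_reg_binary(text)))

if __name__ == "__main__":
    # The two ShutdownTime values quoted in post #1 of this thread.
    for label, value in [("CurrentControlSet", "04FB79E2DF9FC701"),
                         ("ControlSet001", "84445FE4F17DC701")]:
        ticks = filetime_ticks(parse_reg_binary(value))
        days, h, m, s = by_hand(ticks)
        print(f"{label}: 0x{ticks:016X} = {days} days + {h:02}:{m:02}:{s:02} after 1601-01-01")
        print(f"  -> {to_utc(ticks):%a, %d %b %Y %H:%M:%S} UTC")
```

The decoded time is UTC, so a tool that displays local time will differ from it by the time zone and daylight saving offset.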

  8. #8
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    A trick I learned on this site...

    for a whole different issue....this is just for a quick check to see how long any NT based system has been running

    I use it when the user phones and says I can't print ...blah blah
    and you say...have you rebooted your machine...

    they then get all snarky and say of course I rebooted ( which BTW they didn't)
    meaning you have to trudge over to the machine ....

    Check the system cpu time in task manager...system Idle Process

    Can sometimes be quicker than looking through logs

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  9. #9
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    <LOL> Nice trick!

  10. #10
    Senior Member Aardpsymon's Avatar
    Join Date
    Feb 2007
    Location
    St Annes (aaaa!)
    Posts
    434
    Only sort of works on my pc :P processor doesn't idle much. Good on an office machine though.

    One I often use is look at the LAN status. LAN connected for 13 hours, pc was last turned on 13 hours ago.
