Hi

I've been searching for a way to find the date and time that a PC was last shut down correctly. I came across HKLM\System\CurrentControlSet\Control\Windows and a value within it - ShutdownTime. In mine (XP Pro) there is a binary value: 04FB79E2DF9FC701.

I have a couple of questions:

Firstly, there is also a binary value in the same area in ....\ControlSet001\... which is different (84445FE4F17DC701) whilst the value in the same area in ...\ControlSet002\... and ...\ControlSet003\... is the same as that in ...\CurrentControlSet\... Why the different value in ...\ControlSet001\...?

Secondly, I interpreted the first binary value using Decode (http://www.digital-detective.co.uk/freetools/decode.asp) and I was fortunate to use the first Decode Format (Windows: 64 bit Hex Value - Little Endian) which gave me the correct date and time when I last shut down my PC (Sat, 26 May 2007 21:50:32 UTC). Is there any other way that I can decode the binary value? Ideally, I'd like to be able to do it manually so I understand exactly what's happening. I've not been able to find information anywhere about the binary format of date/time in the registry. I've no idea about the other binary value which decodes to Fri, 13 April 2007 17:33:47 UTC. Any ideas?

Thanks for your time (and patience!).
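The manual decoding asked about above, as an added example that is not part of the original post. It assumes ShutdownTime holds a Windows FILETIME (an unsigned 64-bit count of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC, stored little-endian), which matches the Decode format named in the post; the function names are illustrative.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks from this instant (UTC).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def parse_reg_binary(hex_text):
    """Accept '04FB79E2DF9FC701', '04 fb 79 ...' or .reg style '04,fb,79,...'."""
    cleaned = hex_text.replace(",", "").replace(" ", "")
    raw = bytes.fromhex(cleaned)
    if len(raw) != 8:
        raise ValueError(f"a FILETIME is 8 bytes, got {len(raw)}")
    return raw

def filetime_ticks(raw):
    """Step 1: read the 8 bytes as a little-endian unsigned 64-bit integer.
    By hand: reverse the byte order, 04 FB 79 E2 DF 9F C7 01 becomes
    01 C7 9F DF E2 79 FB 04, then read it as one hex number."""
    (ticks,) = struct.unpack("<Q", raw)
    return ticks

def ticks_to_datetime(ticks):
    """Step 2: ticks are 100 ns units, so ticks // 10 is microseconds
    since 1601-01-01 UTC. Add that to the epoch."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def decode_shutdown_time(hex_text):
    return ticks_to_datetime(filetime_ticks(parse_reg_binary(hex_text)))

def explain(hex_text):
    """Return each intermediate value so the arithmetic can be checked by hand."""
    raw = parse_reg_binary(hex_text)
    ticks = filetime_ticks(raw)
    return {
        "byte_reversed_hex": raw[::-1].hex().upper(),
        "ticks_100ns": ticks,
        "seconds_since_1601": ticks // 10_000_000,
        "utc": ticks_to_datetime(ticks).strftime("%a, %d %B %Y %H:%M:%S UTC"),
    }

if __name__ == "__main__":
    # The two values quoted in the post.
    for value in ("04FB79E2DF9FC701", "84445FE4F17DC701"):
        print(value, explain(value))
```
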