registry timestamps

8 Posts
3 Users
0 Likes
1,186 Views
(@nabiy)
Posts: 6
Active Member
Topic starter
 

Hello all,

In my testing I am getting inaccurate timestamp data from the registry. Specifically, I am calling RegEnumKey on every subkey in HKEY\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} in order to get timestamp data (Last Write time) for any USB drive activity.

According to what I've read by Carvey and others, the last write time of this key as well as {53F5630D-B6BF-11D0-94F2-00A0C91EFB8B} should correspond to the last time the device was connected to the system. However, I can't get an accurate result from this. Is there any way to get a consistent, accurate result? Thanks in advance. - nabiy

 
Posted : 05/01/2008 3:13 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"Is there any way to get a consistent, accurate result?"

Without knowing more about what you're doing, it's difficult to tell.

It's clear that you're doing this on a live system, using the MS API? What, exactly, is the inconsistency you're seeing?

 
Posted : 05/01/2008 5:40 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"Specifically, I am calling RegEnumKey on every subkey in HKEY\SYSTEM\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b} in order to get timestamp data (Last Write time) for any USB drive activity."

Taking a closer look at the API, RegEnumKey doesn't appear to provide time stamp information of any kind.
http://msdn2.microsoft.com/en-us/library/ms724861.aspx

The structure for the API call looks like:
LONG WINAPI RegEnumKey(
__in HKEY hKey,
__in DWORD dwIndex,
__out LPTSTR lpName,
__in DWORD cchName
);

However, if you look at RegQueryInfoKey:
http://msdn2.microsoft.com/en-us/library/ms724902(VS.85).aspx

LONG WINAPI RegQueryInfoKey(
__in HKEY hKey,
__out LPTSTR lpClass,
__inout_opt LPDWORD lpcClass,
__reserved LPDWORD lpReserved,
__out_opt LPDWORD lpcSubKeys,
__out_opt LPDWORD lpcMaxSubKeyLen,
__out_opt LPDWORD lpcMaxClassLen,
__out_opt LPDWORD lpcValues,
__out_opt LPDWORD lpcMaxValueNameLen,
__out_opt LPDWORD lpcMaxValueLen,
__out_opt LPDWORD lpcbSecurityDescriptor,
__out_opt PFILETIME lpftLastWriteTime <-----
);

 
Posted : 05/01/2008 6:13 pm
(@nabiy)
Posts: 6
Active Member
Topic starter
 

Thanks for replying so quickly. I misposted earlier; I'm using RegEnumKeyEx, not the older API.

LONG WINAPI RegEnumKeyEx(
__in HKEY hKey,
__in DWORD dwIndex,
__out LPTSTR lpName,
__inout LPDWORD lpcName,
__reserved LPDWORD lpReserved,
__inout LPTSTR lpClass,
__inout_opt LPDWORD lpcClass,
__out_opt PFILETIME lpftLastWriteTime
);
Let me see if I can make my problem a little more clear. Using Regmon, I've captured the following events when I plug in my thumb drive.

1 11:08:54 PM CreateKey HKLM\System\CurrentControlSet\Control\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
2 11:08:54 PM CreateKey HKLM\...\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Flash&Prod_Drive_SM_USB20&Rev_3000#AA04012710221&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
You can see that it is calling CreateKey at 11:08. Now when I navigate to that same key using regedit and export that key, I see this:

Key Name
HKLM\...l\DeviceClasses\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}\##?#USBSTOR#Disk&Ven_Flash&Prod_Drive_SM_USB20&Rev_3000#AA04012710221&0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}
Class Name <NO CLASS>
Last Write Time 01/05/08 - 2:19 PM
Value 0
Name DeviceInstance
Type REG_SZ
Data USBSTOR\Disk&Ven_Flash&Prod_Drive_SM_USB20&Rev_3000\AA04012710221&0
The last write time for the registry is showing 2:19 PM, which isn't the recent event. Using the API I'm getting this, which is what I should be getting. The problem is it does not accurately reflect the time that I last used my thumb drive.

Thanks again. - nabiy

 
Posted : 05/01/2008 7:03 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Let me see if I understand…

You're plugging in a thumb drive, with RegMon performing captures, and seeing the CreateKey call at 11:08 PM.

Then, you're going to RegEdit and exporting the key LastWrite time that shows a value of 2:19 PM.

What is the time delta between these two steps? For example, take a look at this:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/sysinfo/base/file_times.asp

Specifically:

"Not all file systems can record creation and last access times, and not all file systems record them in the same manner. For example, the resolution of create time on FAT is 10 milliseconds, while write time has a resolution of 2 seconds and access time has a resolution of 1 day, so it is really the access date. The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access."

While the file system doesn't necessarily apply within the contents of a Registry hive file, one issue that has come up again and again is, what is the time delay (if any) for Registry key LastWrite times?

Have you tried this... plug the device in while monitoring it via RegMon. Once the device has been completely recognized, remove the device and reboot the machine. Then, retrieve the LastWrite time... is the time accurate?

 
Posted : 05/01/2008 7:21 pm
(@nabiy)
Posts: 6
Active Member
Topic starter
 

I tried what you've suggested. It looks like the time delay you described regarding Registry key LastWrite times is what is taking place. The CreateKey is called when the thumb drive is plugged in, but if the key had already existed and been called during the same session, then the LastWrite time isn't changed. It is only changed if it is the first time you've plugged the thumb drive in during that session.

I also noticed a subkey called 'Control' being created whenever the thumb drive is plugged in. This subkey consistently reveals the correct time but does not survive a reboot.

Thanks again for all of your help. - nabiy

 
Posted : 06/01/2008 10:32 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"I also noticed a subkey called 'Control' being created whenever the thumb drive is plugged in. This subkey consistently reveals the correct time but does not survive a reboot."

Right... the LastWrite time for this key is when it is created. However, when the device is removed, isn't the subkey deleted? Wouldn't this then cause the LastWrite time on its parent key to be updated?

 
Posted : 06/01/2008 5:42 pm
(@walkabout_fr)
Posts: 67
Trusted Member
 

Am I mistaken, or don't changes on subkeys leave the timestamp of the parent key untouched?

 
Posted : 06/01/2008 5:51 pm
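The two points made in this thread, that RegEnumKey returns names only while RegQueryInfoKey/RegEnumKeyEx return the key's LastWrite time, and that a 'Control' subkey is present under a device key only while the device is attached, as an added example that is not code from any of the posters. It uses Python's standard winreg module, whose EnumKey and QueryInfoKey wrap RegEnumKey and RegQueryInfoKey; the key path and GUID are the ones quoted in the thread, while the function names, the FILETIME conversion and the 'Control' presence check are my own assumptions about how a forensic examiner would want the data reported. Reading the registry requires Windows; the FILETIME conversion helper runs anywhere.

```python
"""Report LastWrite times for USB disk device-class keys (added example).

winreg.EnumKey mirrors RegEnumKey (name only, no timestamp);
winreg.QueryInfoKey mirrors RegQueryInfoKey and returns the key's
LastWrite time as a raw FILETIME integer.
"""
from datetime import datetime, timedelta, timezone

# Key path from the thread: GUID_DEVINTERFACE_DISK under HKLM.
DISK_CLASS_PATH = (r"SYSTEM\CurrentControlSet\Control\DeviceClasses"
                   r"\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}")

# A FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME value to a timezone-aware UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def enumerate_device_keys(hive=None, path=DISK_CLASS_PATH):
    """Return [(subkey_name, lastwrite_utc, has_control_subkey), ...].

    Windows only. Opens HKLM\\<path> read-only and walks its subkeys with
    EnumKey (name) followed by QueryInfoKey (LastWrite), the same pair of
    operations as RegEnumKeyEx/RegQueryInfoKey in the thread. The presence
    of a 'Control' subkey is reported because the thread observed it exists
    only while the device is attached and does not survive a reboot; it is
    a hypothetical "currently connected" indicator, not a documented one.
    """
    import winreg  # imported here so the conversion helper works off-Windows
    if hive is None:
        hive = winreg.HKEY_LOCAL_MACHINE
    results = []
    with winreg.OpenKey(hive, path, 0, winreg.KEY_READ) as parent:
        n_subkeys, _, _ = winreg.QueryInfoKey(parent)
        for i in range(n_subkeys):
            name = winreg.EnumKey(parent, i)  # like RegEnumKey: no timestamp
            with winreg.OpenKey(parent, name, 0, winreg.KEY_READ) as sub:
                _, _, lastwrite = winreg.QueryInfoKey(sub)  # FILETIME
                try:
                    winreg.CloseKey(winreg.OpenKey(sub, "Control"))
                    has_control = True
                except OSError:  # FileNotFoundError when the device is absent
                    has_control = False
            results.append((name, filetime_to_datetime(lastwrite), has_control))
    return results


def format_report(entries):
    """Render enumerate_device_keys() output as one line per device key."""
    lines = []
    for name, lastwrite, has_control in entries:
        state = "attached (Control subkey present)" if has_control else "not attached"
        lines.append(f"{lastwrite.isoformat()}  {state}  {name}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(enumerate_device_keys()))
```

Note that the LastWrite value reported here is the key's own timestamp, so, as the thread concluded, it reflects when the device's key was created or last modified in the current session rather than every insertion; the 'Control' column is only meaningful on a live system, since that subkey is gone after a reboot.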