timestamp, conversion from hex?

They are 32bit Unix timestamps.
Dcode will allow you to convert a good variety of timestamps.

Download
http//www.digital-detective.co.uk/software/dcode.rar

You can also use Dump Event Log (dumpel.exe) available in the various Windows Server Resource Kits to interpret the hex.

SUMMARY
When an event log entry refers to hex data for more information, try using Dump Event Log (included in the Windows NT 3.5 Resource Kit). In many cases, Dump Event Log (DUMPEL.EXE) will interpret the hex data and convert it to a more readable form.

Download
Microsoft Dump Event Log

Thanks guys that was a great help!

Perhaps you can give me a little help again, i'm reading a PDF which states that this hex value "FA F5 05 00" converts to this decimal "390650".
However when i try this i get the decimal value "4210361600".

Any ideas? I'm sure i must be missing something basic…

5F5FA = 390650. Your conversion from FA F5 05 00 to 4210361600 is correct. Is there more to go on in the PDF? Perhaps taken out of context or part of a larger calculation?

It's little endian (as opposed to big endian) reverse the hex values so FA F5 05 00 becomes 00 05 F5 FA which converts to 390650 decimal.

Dcode Date is a great tool, but you should try out some Perl that automatically parses the .evt files in binary mode (doesn't use the Windows API), puts all of the event records into a spreadsheet (with the dates already translated) and then generates a report of statistics, such as the frequency of each event ID, the date range of all the records, etc.

H

H,
I have always been a Python or VB kind of guy. What does it take to program in Perl? Compile Perl programs? etc. Is there a tool you use?

> What does it take to program in Perl?

Not a lot…an editor, and you're good.

> Compile Perl programs?

People don't normally 'compile' Perl scripts, but you can use PAR…I use Perl2Exe.