Windows 10 Install time registry key  

Forensicator_Tom
(@forensicator_tom)
New Member

I'm looking in HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion and there are two registry keys

InstallDate
InstallTime

The two have different dates, one in April '16 and one in July '16. Resources online show that InstallDate is usually how you derive the installation time for a Windows OS, so what does the InstallTime reflect differently?

Posted : 19/10/2016 4:35 pm
randomaccess
(@randomaccess)
Active Member

(as per my answer on reddit)

Can confirm the existence of the key but not sure what yours is showing.

My installDate is in August, which I think is when I installed the Anniversary Update
My installTime translates to 1970 epoch and I haven't done anything more than update the winnt_cv regripper plugin to translate the date the same way as installDate

Posted : 19/10/2016 5:27 pm
Forensicator_Tom
(@forensicator_tom)
New Member

It turns out that InstallDate is a unix timestamp, while InstallTime is a Windows Date/time timestamp. If you use the correct decoding they come out to the same date.

Strange of Microsoft to use the two date formats but that makes a lot more sense now.

Posted : 19/10/2016 5:39 pm
randomaccess
(@randomaccess)
Active Member

> It turns out that InstallDate is a unix timestamp, while InstallTime is a Windows Date/time timestamp. If you use the correct decoding they come out to the same date.
>
> Strange of Microsoft to use the two date formats but that makes a lot more sense now.

Yep

if you add

    if ($name eq "InstallTime") {
        # InstallTime holds a 64-bit Windows timestamp; split it into two 32-bit little-endian words
        my @t = unpack("VV", $data);
        $data = gmtime(getTime($t[0], $t[1])) . " (UTC)";
    }

to winnt_cv regripper plugin it comes out as the same date for me.

With the correct parsing are you still getting different dates?

Posted : 19/10/2016 6:23 pm
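
Added example, not part of any post in this thread and not RegRipper code: the two decodings discussed above in Python, run on constructed sample bytes, together with the misreading that makes the values look like different dates. It assumes InstallDate is stored as a 4-byte and InstallTime as an 8-byte little-endian value; the function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1970 = datetime(1970, 1, 1, tzinfo=timezone.utc)  # Unix epoch
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows FILETIME epoch

# Constructed sample value data (not from a real hive). Both encode
# 2016-08-03 10:00:00 UTC; the FILETIME also carries a sub-second part.
SAMPLE_INSTALL_DATE = struct.pack("<I", 1470218400)
SAMPLE_INSTALL_TIME = struct.pack("<Q", 131146920001234567)


def decode_install_date(raw: bytes) -> datetime:
    """InstallDate: 32-bit count of seconds since 1970-01-01 UTC."""
    if len(raw) != 4:
        raise ValueError(f"InstallDate: expected 4 bytes, got {len(raw)}")
    (seconds,) = struct.unpack("<I", raw)
    return EPOCH_1970 + timedelta(seconds=seconds)


def decode_install_time(raw: bytes) -> datetime:
    """InstallTime: 64-bit count of 100 ns ticks since 1601-01-01 UTC."""
    if len(raw) != 8:
        raise ValueError(f"InstallTime: expected 8 bytes, got {len(raw)}")
    low, high = struct.unpack("<II", raw)  # same split as Perl unpack("VV")
    ticks = (high << 32) | low
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def misread_as_unix(raw: bytes) -> datetime:
    """Wrong decoding: low 32 bits of InstallTime read as Unix seconds."""
    (low,) = struct.unpack("<I", raw[:4])
    return EPOCH_1970 + timedelta(seconds=low)


def values_agree(raw_date: bytes, raw_time: bytes) -> bool:
    """True when both values name the same second (InstallDate has no fraction)."""
    return decode_install_date(raw_date) == decode_install_time(raw_time).replace(microsecond=0)


if __name__ == "__main__":
    print("InstallDate        :", decode_install_date(SAMPLE_INSTALL_DATE).isoformat())
    print("InstallTime        :", decode_install_time(SAMPLE_INSTALL_TIME).isoformat())
    print("InstallTime misread:", misread_as_unix(SAMPLE_INSTALL_TIME).isoformat())
    print("values agree       :", values_agree(SAMPLE_INSTALL_DATE, SAMPLE_INSTALL_TIME))
```
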
Forensicator_Tom
(@forensicator_tom)
New Member

> > It turns out that InstallDate is a unix timestamp, while InstallTime is a Windows Date/time timestamp. If you use the correct decoding they come out to the same date.
> >
> > Strange of Microsoft to use the two date formats but that makes a lot more sense now.
>
> Yep
>
> if you add
>
>     if ($name eq "InstallTime"){
>     my @t = unpack("VV",$data);
>     $data = gmtime(getTime($t[0],$t[1]))." (UTC)";
>     }
>
> to winnt_cv regripper plugin it comes out as the same date for me.
>
> With the correct parsing are you still getting different dates?

The dates align with the correct parsing. :) Thanks a lot for your help.

Posted : 19/10/2016 6:37 pm
altylets1974
(@altylets1974)
New Member

I hate windows 10…

Posted : 29/10/2016 5:56 pm
passcodeunlock
(@passcodeunlock)
Senior Member

Maybe this was the easiest way to put together "parts" of the OS using different date formats from different (program) sources ?!

Posted : 30/10/2016 1:01 am
randomaccess
(@randomaccess)
Active Member

I've updated the winnt_cv regripper plugin and pushed it to my github.
I've created a pull request with the developer so hopefully it'll be absorbed into the official repo.

In the meantime you can get it here

Posted : 03/12/2016 7:54 am
keydet89
(@keydet89)
Community Legend

> I'm looking in HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion and there are two registry keys
>
> InstallDate
> InstallTime
>
> The two have different dates, one in April '16 and one in July '16. Resources online show that InstallDate is usually how you derive the installation time for a Windows OS, so what does the InstallTime reflect differently?

On my Windows 10 system, I don't see two keys, I see two values. Big difference. If they were keys, the time stamps would be the key LastWrite times.

Posted : 03/12/2016 4:24 pm
randomaccess
(@randomaccess)
Active Member

Yep Values, Key and Subkeys remain as per previous versions, just the addition of the new value; both should match just are in different date formats

Posted : 04/12/2016 4:06 am
Tabeer
(@tabeer)
New Member

"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"

It's given as the number of seconds since January 1, 1970.

To convert that number into a readable date/time just paste the decimal value in the field "UNIX TimeStamp" of Unix Time Conversion online tool.

Posted : 06/12/2016 5:23 pm
jaclaz
(@jaclaz)
Community Legend

> "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"
>
> It's given as the number of seconds since January 1, 1970.
>
> To convert that number into a readable date/time just paste the decimal value in the field "UNIX TimeStamp" of Unix Time Conversion online tool.

Original

http://stackoverflow.com/questions/170617/how-do-i-find-the-install-time-and-date-of-windows

jaclaz

Posted : 06/12/2016 7:28 pm
randomaccess
(@randomaccess)
Active Member

> "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\InstallDate"
>
> It's given as the number of seconds since January 1, 1970.
>
> To convert that number into a readable date/time just paste the decimal value in the field "UNIX TimeStamp" of Unix Time Conversion online tool.

Yep, the original post was more regarding the InstallTime value, which appears to be new in Win10.
InstallDate has been around a while.

If you want to automate the parsing of the two values use my updated winnt_cv regripper plugin
winnt_cv

Posted : 09/12/2016 4:35 am