
Windows 10 Install time registry key

13 Posts
7 Users
0 Likes
3,454 Views
(@forensicator_tom)
Posts: 3
New Member
Topic starter
 

I'm looking in HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion and there are two registry keys

InstallDate
InstallTime

The two have different dates, one in April '16 and one in July '16. Resources online show that InstallDate is usually how you derive the installation time for a Windows OS, so what does the InstallTime reflect differently?

 
Posted : 19/10/2016 4:35 pm
(@randomaccess)
Posts: 385
Reputable Member
 

(as per my answer on reddit)

Can confirm the existence of the key but not sure what yours is showing.

My installDate is in August, which I think is when I installed the anniversary update.
My installTime translates to 1970 epoch and I haven't done anything more than update the winnt_cv regripper plugin to translate the date the same way as installDate

 
Posted : 19/10/2016 5:27 pm
(@forensicator_tom)
Posts: 3
New Member
Topic starter
 

It turns out that InstallDate is a unix timestamp, while InstallTime is a Windows Date/time timestamp. If you use the correct decoding they come out to the same date.

Strange of Microsoft to use the two date formats but that makes a lot more sense now.

 
Posted : 19/10/2016 5:39 pm
(@randomaccess)
Posts: 385
Reputable Member
 

> It turns out that InstallDate is a unix timestamp, while InstallTime is a Windows Date/time timestamp. If you use the correct decoding they come out to the same date.
>
> Strange of Microsoft to use the two date formats but that makes a lot more sense now.

Yep

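If you add

    if ($name eq "InstallTime") {
        # InstallTime is a 64-bit Windows timestamp: split it into two little-endian DWORDs
        my @t = unpack("VV", $data);
        # getTime() is defined in RegRipper's main package, hence the leading ::
        $data = gmtime(::getTime($t[0], $t[1]))." (UTC)";
    }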

to winnt_cv regripper plugin it comes out as the same date for me.

With the correct parsing are you still getting different dates?

 
Posted : 19/10/2016 6:23 pm
(@forensicator_tom)
Posts: 3
New Member
Topic starter
 

> > It turns out that InstallDate is a unix timestamp, while InstallTime is a Windows Date/time timestamp. If you use the correct decoding they come out to the same date.
> >
> > Strange of Microsoft to use the two date formats but that makes a lot more sense now.
>
> Yep
>
> If you add
>
>     if ($name eq "InstallTime") {
>         # InstallTime is a 64-bit Windows timestamp: split it into two little-endian DWORDs
>         my @t = unpack("VV", $data);
>         # getTime() is defined in RegRipper's main package, hence the leading ::
>         $data = gmtime(::getTime($t[0], $t[1]))." (UTC)";
>     }
>
> to winnt_cv regripper plugin it comes out as the same date for me.
>
> With the correct parsing are you still getting different dates?

The dates align with the correct parsing. Thanks a lot for your help.

 
Posted : 19/10/2016 6:37 pm
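
The decoding settled in the posts above, as an added Python example that is not part of the thread or of RegRipper: it parses the raw data of both values and checks that they name the same moment, and shows how reading the 8-byte value as Unix time gives a different date. The sample bytes are constructed, the function names are hypothetical, and reading only the low DWORD is an assumed example of a wrong decoding (the thread does not say how the mismatched dates were produced).

```python
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_install_date(raw: bytes) -> datetime:
    """InstallDate: 4-byte little-endian count of seconds since 1970 (Unix time)."""
    if len(raw) != 4:
        raise ValueError("InstallDate should be 4 bytes, got %d" % len(raw))
    (seconds,) = struct.unpack("<I", raw)
    return UNIX_EPOCH + timedelta(seconds=seconds)

def decode_install_time(raw: bytes) -> datetime:
    """InstallTime: 8-byte little-endian count of 100 ns ticks since 1601."""
    if len(raw) != 8:
        raise ValueError("InstallTime should be 8 bytes, got %d" % len(raw))
    low, high = struct.unpack("<II", raw)  # same split as Perl's unpack("VV")
    ticks = (high << 32) | low
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def decode_filetime_as_unix(raw: bytes) -> datetime:
    """Wrong on purpose: treats the low DWORD of the 8-byte value as Unix seconds."""
    (low,) = struct.unpack("<I", raw[:4])
    return UNIX_EPOCH + timedelta(seconds=low)

def values_agree(date_raw: bytes, time_raw: bytes, tolerance_s: float = 1.0) -> bool:
    """True when both values name the same moment; InstallTime carries
    sub-second precision, so compare with a small tolerance."""
    delta = decode_install_time(time_raw) - decode_install_date(date_raw)
    return abs(delta.total_seconds()) <= tolerance_s

# Constructed sample data (not from the thread): one moment in both encodings.
SAMPLE_MOMENT = datetime(2016, 8, 3, 10, 15, 30, tzinfo=timezone.utc)
_unix = int(SAMPLE_MOMENT.timestamp())
SAMPLE_INSTALL_DATE = struct.pack("<I", _unix)
# 11644473600 is the number of seconds between 1601-01-01 and 1970-01-01.
SAMPLE_INSTALL_TIME = struct.pack("<Q", (_unix + 11644473600) * 10_000_000 + 1_234_567)

if __name__ == "__main__":
    print("InstallDate        :", decode_install_date(SAMPLE_INSTALL_DATE))
    print("InstallTime        :", decode_install_time(SAMPLE_INSTALL_TIME))
    print("InstallTime as Unix:", decode_filetime_as_unix(SAMPLE_INSTALL_TIME))
    print("Values agree       :", values_agree(SAMPLE_INSTALL_DATE, SAMPLE_INSTALL_TIME))
```
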
altylets1974
(@altylets1974)
Posts: 3
New Member
 

I hate windows 10…

 
Posted : 29/10/2016 5:56 pm
passcodeunlock
(@passcodeunlock)
Posts: 792
Prominent Member
 

Maybe this was the easiest way to put together "parts" of the OS using different date formats from different (program) sources ?!

 
Posted : 30/10/2016 1:01 am
(@randomaccess)
Posts: 385
Reputable Member
 

I've updated the winnt_cv regripper plugin and pushed it to my github.
I've created a pull request with the developer so hopefully it'll be absorbed into the official repo.

In the meantime you can get it here

 
Posted : 03/12/2016 7:54 am
keydet89
(@keydet89)
Posts: 3578
Famed Member
 

> I'm looking in HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion and there are two registry keys
>
> InstallDate
> InstallTime
>
> The two have different dates, one in April '16 and one in July '16. Resources online show that InstallDate is usually how you derive the installation time for a Windows OS, so what does the InstallTime reflect differently?

On my Windows 10 system, I don't see two keys, I see two values. Big difference. If they were keys, the time stamps would be the key LastWrite times.

 
Posted : 03/12/2016 4:24 pm
(@randomaccess)
Posts: 385
Reputable Member
 

Yep, values. Key and subkeys remain as per previous versions, just the addition of the new value; both should match, they are just in different date formats.

 
Posted : 04/12/2016 4:06 am