Wrong LastAccessTime captured in FltQueryInformationFile function

Hi,

I’ve written FltQueryInformationFile in POST CREATE, wanting to capture LastAccessTime from FileBasicInformation of a file. The epoch date and time captured by FltQueryInformationFile turns out to be very different from the last access date shown in File Explorer (e.g., the date can be in the year 2057). What could be my most likely mistake?

If it may make things clearer, here is the code that is written in POST CREATE:

NTSTATUS statusQueryInfo;
FILE_BASIC_INFORMATION basicInfo;
LARGE_INTEGER somethingTime;

statusQueryInfo = FltQueryInformationFile(FltObjects->Instance, FltObjects->FileObject, &basicInfo, sizeof(FILE_BASIC_INFORMATION), FileBasicInformation, NULL);
if (NT_SUCCESS(statusQueryInfo)) {
    LARGE_INTEGER somethingTime;
    lastAccessTime = basicInfo.LastAccessTime;            /* lastAccessTime is never declared; somethingTime is never used */
    KdPrint(("lastAccessTime: %d\r\n", lastAccessTime));  /* %d formats only 32 bits of a 64-bit LARGE_INTEGER */
}

Any help would be greatly appreciated. Thanks.

> I’ve written FltQueryInformationFile in POST CREATE, wanting to capture
> LastAccessTime from FileBasicInformation of a file. The epoch date and time
> captured by FltQueryInformationFile turns out to be very different from the
> last access date shown in File Explorer (e.g., the date can be in the year
> 2057). What could be my most likely mistake?

AFAICS from your code you may be confused about times in Windows. They have
absolutely nothing to do with unix times and never had. The units are 100ns
and I had always thought that the epoch was Smithsonian time. Reading [1],
it turns out that the windows "epoch" is 01-jan-1601.

I never actually bother about the number - it’s just a number: “Time Is
Illusion Lunchtime Doubly So”. Formatting them is best left for those pesky
applications.

The most important thing is that it is a 64 bit number and as far as I can
see from your code you are formatting your (undeclared) integer as a 32-bit
value.

/Rod

[1] https://blogs.msdn.microsoft.com/oldnewthing/20090306-00/?p=18913/

"Formatting them is best left for those pesky applications" <-- Yup, this is
definitely very good advice which I second if there is no need to hang
around in driver land.

Thanks very much for pointing out about the Windows times, Rod. I don’t
know why it escaped me earlier but what I needed would have been very
easily fixed by using ExSystemTimeToLocalTime and RtlTimeToTimeFields.

If it matters to anyone, here is the code that got me what I needed. This
goes to the Post Create routine:

NTSTATUS statusQueryInfo;
FILE_BASIC_INFORMATION basicInfo;
LARGE_INTEGER localTime;   /* system time shifted by the local time-zone bias */
TIME_FIELDS timeFields;    /* calendar fields filled in by RtlTimeToTimeFields */

statusQueryInfo = FltQueryInformationFile(FltObjects->Instance,
                                          FltObjects->FileObject, &basicInfo,
                                          sizeof(FILE_BASIC_INFORMATION),
                                          FileBasicInformation, NULL);
if (NT_SUCCESS(statusQueryInfo)) {
    LARGE_INTEGER lastAccessTime;
    lastAccessTime = basicInfo.LastAccessTime;   /* 64-bit count of 100ns ticks since 01-jan-1601, UTC */
    ExSystemTimeToLocalTime(&lastAccessTime, &localTime);
    RtlTimeToTimeFields(&localTime, &timeFields);
    /* one conversion per argument; %03d consumes timeFields.Milliseconds */
    KdPrint(("lastAccessTime: %04d-%02d-%02d %02d:%02d:%02d.%03d\r\n",
             timeFields.Year, timeFields.Month, timeFields.Day, timeFields.Hour,
             timeFields.Minute, timeFields.Second, timeFields.Milliseconds));
}

localTime and timeFields were declared way up the lines of code.

As for the 64-bit number, somehow it still worked with my code.

Thanks again Rod! Appreciate your advice.

CA

On Mon, Sep 3, 2018 at 5:31 PM Rod Widdowson <
xxxxx@lists.osr.com> wrote:

Regards,
CA
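To make Rod's point about the 64-bit, 100ns-since-1601 representation concrete, and to show what CA's ExSystemTimeToLocalTime/RtlTimeToTimeFields step computes, here is an added, stand-alone C example that is not from the thread and uses no Windows headers. It re-implements the tick-to-calendar conversion portably (a stand-in for RtlTimeToTimeFields, kept in UTC; the local-time bias that ExSystemTimeToLocalTime applies in the kernel is not modelled), and it shows the consequence of printing a LARGE_INTEGER with "%d": only the low 32 bits survive, and a value of that size read as Unix seconds always lands in 1970..2106, which plausibly explains a year such as 2057. The sample tick count (2018-09-03 00:00:00.123 UTC) is constructed for the example; the constant 11644473600 (seconds between 1601-01-01 and 1970-01-01) is the standard epoch difference.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows system time, as stored in FILE_BASIC_INFORMATION.LastAccessTime:
 * a signed 64-bit count of 100ns ticks since 1601-01-01 00:00:00 UTC
 * (the LARGE_INTEGER.QuadPart). It is not a Unix timestamp. */
typedef int64_t win_time_t;

#define WIN_TICKS_PER_SEC   10000000LL
#define WIN_TICKS_PER_MS    10000LL
#define SECS_1601_TO_1970   11644473600LL   /* 369 years including 89 leap days */

/* Portable stand-in for the kernel's TIME_FIELDS structure (UTC). */
typedef struct {
    int year, month, day, hour, minute, second, millisecond;
} time_fields_t;

/* Division rounding toward negative infinity, so dates before the epoch also work. */
static int64_t floor_div(int64_t a, int64_t b) {
    return a / b - ((a % b != 0) && ((a < 0) != (b < 0)));
}

/* Days since 1970-01-01 -> proleptic Gregorian y/m/d (Hinnant's civil_from_days). */
static void civil_from_days(int64_t z, int *y, int *m, int *d) {
    z += 719468;
    int64_t era = (z >= 0 ? z : z - 146096) / 146097;
    int64_t doe = z - era * 146097;
    int64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    int64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    int64_t mp  = (5 * doy + 2) / 153;
    *d = (int)(doy - (153 * mp + 2) / 5 + 1);
    *m = (int)(mp < 10 ? mp + 3 : mp - 9);
    *y = (int)(yoe + era * 400 + (*m <= 2));
}

/* Windows ticks -> whole Unix seconds. */
int64_t win_time_to_unix(win_time_t t) {
    return floor_div(t, WIN_TICKS_PER_SEC) - SECS_1601_TO_1970;
}

/* Portable equivalent of RtlTimeToTimeFields(): 64-bit ticks -> calendar fields, UTC. */
void win_time_to_fields(win_time_t t, time_fields_t *tf) {
    int64_t unix_secs = win_time_to_unix(t);
    int64_t days = floor_div(unix_secs, 86400);
    int64_t sod  = unix_secs - days * 86400;          /* seconds into the day */
    civil_from_days(days, &tf->year, &tf->month, &tf->day);
    tf->hour   = (int)(sod / 3600);
    tf->minute = (int)(sod % 3600 / 60);
    tf->second = (int)(sod % 60);
    int64_t ticks_in_sec = t - floor_div(t, WIN_TICKS_PER_SEC) * WIN_TICKS_PER_SEC;
    tf->millisecond = (int)(ticks_in_sec / WIN_TICKS_PER_MS);
}

/* The mistake on the page: a "%d" conversion of a LARGE_INTEGER prints only the
 * low 32 bits. Treating that number as Unix seconds yields a year in 1970..2106
 * that has nothing to do with the real date. Returns the year such a reading gives. */
int low32_as_unix_year(win_time_t t) {
    uint32_t low = (uint32_t)(uint64_t)t;             /* what "%d" effectively sees */
    int y, m, d;
    civil_from_days(floor_div((int64_t)low, 86400), &y, &m, &d);
    return y;
}

int main(void) {
    /* Constructed sample: 2018-09-03 00:00:00.123 UTC as a Windows tick count. */
    win_time_t t = 131804064000000000LL + 1234567LL;
    time_fields_t tf;
    win_time_to_fields(t, &tf);
    printf("64-bit : %04d-%02d-%02d %02d:%02d:%02d.%03d UTC (unix %lld)\n",
           tf.year, tf.month, tf.day, tf.hour, tf.minute, tf.second,
           tf.millisecond, (long long)win_time_to_unix(t));
    printf("low 32 bits read as Unix seconds -> year %d\n", low32_as_unix_year(t));
    return 0;
}
```

When carrying such timestamps out of a driver for logging or forensic correlation, keep the full QuadPart (format it with %lld or %I64d, or leave it raw) and do the epoch arithmetic once, in one place; a truncated or re-based value silently misdates every record that depends on it.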