“Formatting them is best left for those pesky applications” <-- Yup this is
definitely very good advice which I second if there is no need to hang
around in driver land.
Thanks very much for pointing out about the Windows times, Rod. I don’t
know why it escaped me earlier but what I needed would have been very
easily fixed by using ExSystemTimeToLocalTime and RtlTimeToTimeFields.
If it matters to anyone, here is the code that got me what I needed. This
goes to the Post Create routine:
    NTSTATUS statusQueryInfo;
    FILE_BASIC_INFORMATION basicInfo;

    /* localTime (LARGE_INTEGER) and timeFields (TIME_FIELDS) are declared earlier in the routine. */
    statusQueryInfo = FltQueryInformationFile(FltObjects->Instance,
        FltObjects->FileObject, &basicInfo, sizeof(FILE_BASIC_INFORMATION),
        FileBasicInformation, NULL);
    if (NT_SUCCESS(statusQueryInfo)) {
        LARGE_INTEGER lastAccessTime;

        lastAccessTime = basicInfo.LastAccessTime;
        /* Convert the UTC system time to local time, then split it into calendar fields. */
        ExSystemTimeToLocalTime(&lastAccessTime, &localTime);
        RtlTimeToTimeFields(&localTime, &timeFields);
        /* %03d added so the Milliseconds argument has a matching format specifier. */
        KdPrint(("lastAccessTime: %04d-%02d-%02d %02d:%02d:%02d.%03d\r\n",
            timeFields.Year, timeFields.Month, timeFields.Day, timeFields.Hour,
            timeFields.Minute, timeFields.Second, timeFields.Milliseconds));
    }
*localTime and timeFields were declared way up the lines of code.*
As for the 64-bit number, somehow it still worked with my code.
Thanks again Rod! Appreciate your advice.
CA
On Mon, Sep 3, 2018 at 5:31 PM Rod Widdowson <
xxxxx@lists.osr.com> wrote:
> > I’ve written FltQueryInformationFile in POST CREATE, wanting to capture
> > LastAccessTime from FileBasicInformation of a file. The epoch date and
> > time captured by FltQueryInformationFile turns out to be very different
> > from the last access date shown in File Explorer (eg, the date can be
> > in the year 2057). What could be my most likely mistake?
>
> AFAICS from your code you may be confused about times in Windows. They
> have absolutely nothing to do with Unix times and never had. The units
> are 100ns and I had always thought that the epoch was Smithsonian time.
> Reading [1], it turns out that the Windows “epoch” is 01-jan-1601.
>
> I never actually bother about the number - it’s just a number: “Time Is
> Illusion Lunchtime Doubly So”. Formatting them is best left for those
> pesky applications.
>
> The most important thing is that it is a 64 bit number and as far as I can
> see from your code you are formatting your (undeclared) integer as a 32
> bit value.
>
> /Rod
>
> [1] https://blogs.msdn.microsoft.com/oldnewthing/20090306-00/?p=18913/
--
Regards,
CA
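
Added example, not part of the original thread: a user-mode C sketch of the two points raised above, namely that a Windows file time is a 64-bit count of 100 ns ticks since 1601-01-01, and that handling it as a 32-bit value yields an unrelated date. The `fields_t` type, the function names and the sample value are assumptions made for illustration; the decode is UTC only and does not apply the local-time bias that ExSystemTimeToLocalTime does.

```c
#include <stdint.h>
#include <stdio.h>

/* Windows file time: 64-bit count of 100 ns ticks since 1601-01-01 00:00:00 UTC. */
#define TICKS_PER_SEC     10000000ULL
#define SECS_1601_TO_1970 11644473600ULL  /* 134774 days * 86400 s */

/* Hypothetical stand-in for TIME_FIELDS, so the example builds outside the WDK. */
typedef struct { int year, month, day, hour, minute, second, ms; } fields_t;

/* User-mode equivalent of RtlTimeToTimeFields for UTC: split ticks into calendar fields. */
static fields_t filetime_to_fields(uint64_t ticks)
{
    fields_t f;
    uint64_t secs = ticks / TICKS_PER_SEC, rem = secs % 86400;
    uint64_t z = secs / 86400 + 584694;  /* days since 0000-03-01; 1601-01-01 is day 584694 */
    uint64_t era = z / 146097, doe = z % 146097;            /* 400-year cycles */
    uint64_t yoe = (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365;
    uint64_t doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    uint64_t mp = (5 * doy + 2) / 153;                      /* month index, March = 0 */
    f.day    = (int)(doy - (153 * mp + 2) / 5 + 1);
    f.month  = (int)(mp < 10 ? mp + 3 : mp - 9);
    f.year   = (int)(yoe + era * 400 + (f.month <= 2));
    f.hour   = (int)(rem / 3600);
    f.minute = (int)(rem % 3600 / 60);
    f.second = (int)(rem % 60);
    f.ms     = (int)(ticks % TICKS_PER_SEC / 10000);
    return f;
}

/* The mistake: keep only the low 32 bits and read them as Unix seconds. */
static fields_t misread_as_unix32(uint64_t ticks)
{
    uint32_t low = (uint32_t)ticks;                         /* high 32 bits are lost */
    return filetime_to_fields(((uint64_t)low + SECS_1601_TO_1970) * TICKS_PER_SEC);
}

int main(void)
{
    uint64_t sample = 131804694600000000ULL;  /* constructed: 2018-09-03 17:31:00 UTC */
    fields_t ok = filetime_to_fields(sample), bad = misread_as_unix32(sample);
    printf("64-bit decode: %04d-%02d-%02d %02d:%02d:%02d.%03d\n",
           ok.year, ok.month, ok.day, ok.hour, ok.minute, ok.second, ok.ms);
    printf("32-bit misuse: %04d-%02d-%02d %02d:%02d:%02d\n",
           bad.year, bad.month, bad.day, bad.hour, bad.minute, bad.second);
    return 0;
}
```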