[Libguestfs] [PATCH 8/13] hivex: Clarify some more fields.
Richard W.M. Jones
rjones at redhat.com
Thu Jan 28 14:30:50 UTC 2010
On Thu, Jan 28, 2010 at 03:26:19PM +0100, Jim Meyering wrote:
> Richard W.M. Jones wrote:
> > Subject: [PATCH 08/13] hivex: Clarify some more fields.
> >
> > Taken from sentinelchicken.com documentation.
> > ---
> > hivex/hivex.c | 5 +++--
> > 1 files changed, 3 insertions(+), 2 deletions(-)
> >
> > diff --git a/hivex/hivex.c b/hivex/hivex.c
> > index dfac896..1f5c08b 100644
> > --- a/hivex/hivex.c
> > +++ b/hivex/hivex.c
> > @@ -203,7 +203,8 @@ struct ntreg_nk_record {
> > int32_t seg_len; /* length (always -ve because used) */
> > char id[2]; /* "nk" */
> > uint16_t flags;
> > - char timestamp[12];
> > + char timestamp[8];
> > + char unknown0[4];
>
> I wonder if it's nanoseconds...
No it's much stranger than that. Tenths of microseconds since Jan 1 1601.
http://support.microsoft.com/kb/167296
The following OCaml code successfully converts it to a time_t (from my
reverse-engineering analysis prog):
let nt_to_time_t t =
let t = Int64.sub t 116444736000000000L in
let t = Int64.div t 10000000L in
Int64.to_float t
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
More information about the Libguestfs
mailing list