2

I have a doubt about the time zone shown in the Windows event logs. I had read that if I export the Windows event logs from another machine and open them on my machine, which has a different time zone, the timings of the events will be converted to my time zone. The scenario is that I am debugging an issue which occurred in a VM set to the JST time zone. I could see an event in the Windows logs logged like this when I opened the file on my local machine, which is in the IST time zone:

The process C:\Program Files\Altek\Agent\bin\altekbin.exe (VERY1) has initiated the shutdown of computer VERY1 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found Reason Code: 0x3000c

Logged: 23-01-2020 18:20:13

Since the timing is shown as 18:20:13 on my machine, which is in IST, I am thinking that the actual time in JST when it happened was 21.50 JST. Is my understanding correct? This timestamp conversion has been a bit confusing to me, so I would appreciate it if anyone can clear my doubts.

user496934

1 Answer

4

Windows stores the time stamps for events from the event log in UTC time - regardless of the currently configured time zone of the computer. When viewing the event however, the timestamp is converted to the local time - depending on the current time zone settings.

As such, the timestamp of an event will always be shown in the current local time - regardless of what the time zone was when it was originally logged.

Example: An event gets written at 21:30:00 US Eastern time and the entire log is subsequently exported to an EVTX file and sent to somebody in California, which is 3 hours behind. If a user in California (which is on Pacific Time PST) views that same exact event, it will show that it was logged at 18:30:00 in local time. That's because it WAS 18:30:00 in California when the event was logged.

I hope that explains.

Lucky Luke
  • Thank you very much for the answer. It is very helpful. So in my case, I export event logs from a remote machine which is in JST. I open the Event Viewer in a VM which is in IST, and I see the event logged at 18:20:13, so is it fine to assume that the event happened at 21.50 JST? – user496934 Mar 12 '20 at 08:18
  • My confusion stems from the fact that when I click on the details view, I see this -- Does it mean that the event was actually logged at 12:50:13 JST? Also, when I open the logs in Excel format (which I assume doesn't do any conversion), the datetime column shows 12:50:13. So what was the actual time in JST the issue happened: 12:50:13 or 21:50? – user496934 Mar 12 '20 at 08:25
  • 2
    The answer to your first question is **Yes**. Question 2: The value of **TimeCreated** is always in UTC, so the time in Japan at that point would have been 21:50:13. – Lucky Luke Mar 12 '20 at 18:07
  • 2
    Thanks for clarifying, it was a source of confusion for me but it's clear now, really appreciate your help – user496934 Mar 13 '20 at 15:40
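
The conversion discussed in this thread, as an added example that is not part of the original posts: it reads the UTC `TimeCreated` value from an event's XML and renders it in UTC, IST and JST. The event XML is a constructed sample, the function names are hypothetical, and fixed UTC offsets are used on the assumption that neither zone observes daylight saving time.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Fixed offsets (assumption: no DST in either zone), so no tz database is needed.
UTC = timezone.utc
IST = timezone(timedelta(hours=5, minutes=30), "IST")
JST = timezone(timedelta(hours=9), "JST")

# Constructed sample shaped like the XML view of an event; the UTC value
# is the 12:50:13 the asker reported seeing in the details view.
SAMPLE_EVENT = """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System>
    <TimeCreated SystemTime="2020-01-23T12:50:13.000000000Z"/>
    <Computer>VERY1</Computer>
  </System>
</Event>"""

def parse_system_time(value):
    """Parse a SystemTime string (UTC, up to 9 fractional digits) into an aware datetime."""
    m = re.fullmatch(r"(\d{4}-\d\d-\d\dT\d\d:\d\d:\d\d)(?:\.(\d{1,9}))?Z", value)
    if not m:
        raise ValueError(f"unexpected SystemTime format: {value!r}")
    base, frac = m.groups()
    micros = int((frac or "0").ljust(9, "0")[:6])  # datetime keeps microseconds only
    dt = datetime.strptime(base, "%Y-%m-%dT%H:%M:%S")
    return dt.replace(microsecond=micros, tzinfo=UTC)

def event_time_utc(event_xml):
    """Return the stored (UTC) creation time of one event given its XML."""
    node = ET.fromstring(event_xml).find("e:System/e:TimeCreated", NS)
    if node is None or "SystemTime" not in node.attrib:
        raise ValueError("event has no TimeCreated/SystemTime")
    return parse_system_time(node.attrib["SystemTime"])

def render(event_xml, zones):
    """Map each zone name to the wall-clock time a viewer in that zone would show."""
    utc = event_time_utc(event_xml)
    return {tz.tzname(None): utc.astimezone(tz).strftime("%d-%m-%Y %H:%M:%S")
            for tz in zones}

if __name__ == "__main__":
    for name, shown in render(SAMPLE_EVENT, [UTC, IST, JST]).items():
        print(f"{name}: {shown}")
```

When building an incident timeline from logs collected across time zones, keep the UTC value as the key and convert only for display.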