Does the filesystem Windows is installed on have an effect on the time zone settings of timestamps within Windows registry hives?

0

This question does not refer to the filesystem timestamps of the registry files themselves.

As far as I know, timestamps within the Windows Registry are stored as UTC timestamps when Windows is installed on an NTFS filesystem. Does this change when Windows is installed on a FAT filesystem (e.g. FAT32)? Are timestamps stored as local time instead or are they still in UTC?

Question could have also been simplified: Are timestamps within Windows Registry hives always UTC timestamps?

jalu

Posted 2019-07-16T07:35:00.140

Reputation: 49

This question is not about security; it should be moved to Super User. – Overmind – 2019-07-16T07:49:24.687

Answers

0

FAT uses MAC timestamps which are 16-bit values (unlike NTFS MACB). 7 bits are related to the year, 4 bits for month and 5 bits for the day. The year range for FAT32 file systems is between 1980 and 2107 as a result of the 7-bit limit for the year range. While this covers the date and year, the time follows the same concept with a 16-bit value being used for hour, minutes and seconds. Since there is only a finite amount of time in a day, this is an area that is not nearly as trivial as we see with the year portion of the 32-bit value when combined together.

FAT64/exFAT is still restricted by the same rules other versions of FAT are held to. The exception to these rules is that FAT64/exFAT provides support to store the timestamps in UTC time as opposed to local time. However, it is different from NTFS where the UTC timestamp is stored as a 64-bit number in 100ns intervals and in epoch time. Additionally, the time resolution is set to Jan 1, 1601.

From a registry perspective, Last Access Time (A) is an overlooked area of difference between Windows XP and later versions. According to Microsoft, this timestamp is determined to be on or off by the Registry and is located in SYSTEM/CurrentControlSet/Control/FileSystem/NtfsDisableLastAccessUpdate. For Windows XP this value was set to “0” by default, which means the A value is updated as a folder or file is opened by the user. However, starting with Windows Vista/7, Microsoft switched this value to “1”, which means that the A timestamps are no longer updated on the files and folders when opened.

Another relevant thing to note: if you copy a file from a FAT system to an NTFS system it will keep the same modified date but will change the create date and time to the current time. If the file is cut and pasted it will keep the same modified date and time and will keep the creation date the same as before.

-Edit- To complete this after the comment:

Windows Registry hives are always UTC timestamps at least since Windows XP. The base block contains at offset 12 the 8-bit length of 'Last written timestamp' which is considered the UTC filetime.

Overmind

Posted 2019-07-16T07:35:00.140

Reputation: 8 562

Thanks for your answer. I think that my question is not precise enough. I was talking about the timestamps within the registry itself (that is, timestamps saved within registry hives). I am not talking about the filesystem timestamps of the registry files (SYSTEM, SOFTWARE etc.). – jalu – 2019-07-16T09:38:35.817

I have also added a clear conclusion. – Overmind – 2019-07-16T11:10:18.133
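An added example, not part of the original answer or comments: reading the last written timestamp at offset 12 of a hive's base block as a 64-bit FILETIME and converting it to a timezone-aware UTC value, which does not depend on the volume's filesystem or the analyst's local time zone. The function names and the sample header are constructed for illustration; the sequence-number fields at offsets 4 and 8 are taken from the publicly documented regf layout, not from this page.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point


def filetime_to_utc(ticks):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def utc_to_filetime(dt):
    """Inverse conversion; any aware datetime is normalised to UTC first."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_base_block(data):
    """Read sequence numbers and the last written timestamp from a hive header."""
    if len(data) < 20 or data[:4] != b"regf":
        raise ValueError("not a registry hive base block")
    # Offset 4: primary sequence, 8: secondary sequence, 12: FILETIME (little-endian).
    primary, secondary, ticks = struct.unpack_from("<IIQ", data, 4)
    return {
        "last_written_utc": filetime_to_utc(ticks),
        "raw_filetime": ticks,
        # Differing sequence numbers mean the hive was not cleanly flushed.
        "clean": primary == secondary,
    }


def build_sample_base_block(dt, primary=5, secondary=5):
    """Constructed test input: a 4096-byte header with only the fields used here."""
    header = b"regf" + struct.pack("<IIQ", primary, secondary, utc_to_filetime(dt))
    return header.ljust(4096, b"\x00")


if __name__ == "__main__":
    sample = build_sample_base_block(datetime(2019, 7, 16, 7, 35, tzinfo=timezone.utc))
    info = parse_base_block(sample)
    print(info["last_written_utc"].isoformat(), "clean:", info["clean"])
```

To use it on a real hive, pass the first 4096 bytes of a copied SYSTEM or SOFTWARE file to `parse_base_block`.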