On Thu, Jan 28, 2010 at 03:26:19PM +0100, Jim Meyering wrote:
Richard W.M. Jones wrote:
> Subject: [PATCH 08/13] hivex: Clarify some more fields.
>
> Taken from sentinelchicken.com documentation.
> ---
> hivex/hivex.c | 5 +++--
> 1 files changed, 3 insertions(+), 2 deletions(-)
>
> diff --git a/hivex/hivex.c b/hivex/hivex.c
> index dfac896..1f5c08b 100644
> --- a/hivex/hivex.c
> +++ b/hivex/hivex.c
> @@ -203,7 +203,8 @@ struct ntreg_nk_record {
> int32_t seg_len; /* length (always -ve because used) */
> char id[2]; /* "nk" */
> uint16_t flags;
> - char timestamp[12];
> + char timestamp[8];
> + char unknown0[4];
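Review bot: the new timestamp[8] and unknown0[4] members carry no trailing comment, unlike seg_len and id just above them. Please add one to timestamp stating the encoding and units, and one to unknown0 saying its meaning is not known, so the 12 bytes the old field covered stay accounted for at a glance.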
I wonder if it's nanoseconds...

No, it's much stranger than that. Tenths of microseconds since Jan 1 1601.
http://support.microsoft.com/kb/167296
The following OCaml code successfully converts it to a time_t (from my
reverse-engineering analysis prog):
  let nt_to_time_t t =
    (* shift the epoch from 1601-01-01 to 1970-01-01 *)
    let t = Int64.sub t 116444736000000000L in
    (* tenths of microseconds -> seconds *)
    let t = Int64.div t 10000000L in
    Int64.to_float t
Rich.
--
Richard Jones, Virtualization Group, Red Hat
http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with a
live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
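
Added example, not part of this thread or of hivex itself: the same conversion in C, starting from the raw 8 bytes of the nk record's timestamp field and keeping the sub-second part. It goes beyond the OCaml above by flooring values before 1970 and rejecting out-of-range values. The helper names and the sample bytes are constructed for illustration, and little-endian on-disk byte order is an assumption.

```c
#include <stdint.h>
#include <stdio.h>

/* 100 ns ticks from 1601-01-01 to 1970-01-01 (the constant in the OCaml above). */
#define NT_EPOCH_DELTA 116444736000000000LL
#define NT_TICKS_PER_SEC 10000000LL

/* Constructed sample: an 8-byte timestamp field holding 1970-01-01 00:00:00 UTC. */
static const unsigned char SAMPLE_EPOCH[8] =
  { 0x00, 0x80, 0x3e, 0xd5, 0xde, 0xb1, 0x9d, 0x01 };

/* Hypothetical helper: read the field byte by byte (little-endian on disk is
   an assumption), so host byte order and struct alignment do not matter. */
static uint64_t nt_read_le64(const unsigned char b[8])
{
  uint64_t v = 0;
  for (int i = 7; i >= 0; i--)
    v = (v << 8) | b[i];
  return v;
}

/* Hypothetical helper: split an NT timestamp into Unix seconds and nanoseconds.
   Returns -1 for values with the top bit set, which do not fit a signed count. */
static int nt_to_unix(uint64_t nt, int64_t *secs, int32_t *nsec)
{
  if (nt > (uint64_t) INT64_MAX)
    return -1;
  int64_t t = (int64_t) nt - NT_EPOCH_DELTA;
  int64_t s = t / NT_TICKS_PER_SEC;
  int64_t rem = t % NT_TICKS_PER_SEC;
  if (rem < 0) {          /* C division truncates toward zero; floor instead */
    rem += NT_TICKS_PER_SEC;
    s--;
  }
  *secs = s;
  *nsec = (int32_t) (rem * 100);   /* one tick is 100 ns */
  return 0;
}

int main(void)
{
  int64_t secs;
  int32_t nsec;
  if (nt_to_unix(nt_read_le64(SAMPLE_EPOCH), &secs, &nsec) != 0)
    return 1;
  printf("%lld.%09d\n", (long long) secs, (int) nsec);
  return 0;
}
```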