pack, Win32 registry & binary data


woof

I need an example on how to collect and process REG_BINARY data
in a Win32 registry. The registry value in question reads:

TimeOfLastScan REG_BINARY 21 0a 1e 0d 00 1e 00 00

It appears to be 8 bytes... an unsigned long ("L")?

Reading strings seems easy enough as in
my $parent = $rkeyNorton->{"CurrentVersion//Parent"};

I did try and read this binary value with (cvKey set to CurrentVersion);

(my $gvtimeOfLastScan, my $type) = $cvKey->GetValue("TimeOfLastScan");

But have been unable to feed localtime() anything that gets
me my date string. I know I'm not packing this correctly.

Thanks.
 

Jay Tilton

(e-mail address removed) (woof) wrote:

: I need an example on how to collect and process REG_BINARY data
: in a Win32 registry. The registry value in question reads:
:
: TimeOfLastScan REG_BINARY 21 0a 1e 0d 00 1e 00 00

[snip]

: But have been unable to feed localtime() anything that gets
: me my date string. I know I'm not packing this correctly.

There's no guarantee that a sensible date can be backed out from the binary
value. The function that creates the binary value is not yet known to be
symmetric. If we assume that the function is symmetric, we should state
that assumption.

The problem is one of determining what function creates the binary value
from a date. We have one binary value, but we have no idea what date it
represents. If we knew that date, we might have a starting point on
figuring out the function. Even better would be a bunch of binary values
and the date each represents.

It's a complete WAG, but each octet of the binary value might stand for a
different numeric portion of the date/time.

year     0x21 => 33  (Assuming a 1970 epoch, 1970 + 33 = 2003)
month    0x0a => 10  (October? November?)
day      0x1e => 30  (30th? 31st?)
hour     0x0d => 13  (1 pm)
minutes  0x00 => 0   (:00)
seconds  0x1e => 30  (:30)
?        0x00 => 0
?        0x00 => 0
 

Ben Liddicott

Hi Woof,

Win32 has a number of date/time formats, more than one of which is 64 bits long.

Ole's DATE type is a 64 bit floating-point number, containing the number of days since the DATE epoch, which is Midnight on the morning of Dec 30, 1899. The fractional part is therefore the time of day.

Win32's FILETIME is a 64 bit integer, specifying the number of 100 nanosecond intervals since January 1, 1601.

MS CRT's _time_64_t is a 64 bit integer, but the value given here puts it in the future, as it is in seconds since the C epoch.

QueryPerformanceCounter returns a 64-bit integer... but the frequency and base change from machine to machine, and boot to boot.

My guess is that you have something else altogether though, as that number doesn't seem to unpack to a recent time using any of the above.



Neither of these will go into Perl's localtime function, but any can be made into a date string without too much trouble. If you have a FILETIME you can use Win32API::Time to unpack it.

Cheers,
Ben Liddicott
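
The candidate formats from the replies above (FILETIME, 64-bit time_t, OLE DATE, and the one-field-per-octet guess), applied to the eight bytes from the question. This is an added Perl example, not code from any poster in the thread; the helper names are made up here, and little-endian byte order is an assumption.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX qw(floor);

# The 8 bytes quoted in the thread, as a raw string (what GetValue() returns for REG_BINARY).
my $raw = pack 'H*', '210a1e0d001e0000';

# Render Unix-epoch seconds as a UTC string; gmtime returns an empty list when out of range.
sub utc {
    my ($secs) = @_;
    my @t = gmtime floor($secs);
    return 'out of range' unless @t;
    return sprintf '%d-%02d-%02d %02d:%02d:%02d UTC',
        $t[5] + 1900, $t[4] + 1, @t[3, 2, 1, 0];
}

# Little-endian 64-bit integer built from two 32-bit halves, so it also works
# on a perl without 64-bit integer support (no 'Q' template needed).
sub le64 {
    my ($lo, $hi) = unpack 'V2', $_[0];
    return $hi * 2**32 + $lo;
}

# FILETIME: 100 ns ticks since 1601-01-01; 11644473600 s separate 1601 from 1970.
sub from_filetime { utc(le64($_[0]) / 1e7 - 11_644_473_600) }

# 64-bit time_t: seconds since 1970-01-01.
sub from_time64 { utc(le64($_[0])) }

# OLE DATE: little-endian double ('d<' needs perl 5.10+), days since 1899-12-30,
# which is 25569 days before 1970-01-01.
sub from_ole_date { utc((unpack('d<', $_[0]) - 25_569) * 86_400) }

# Per-octet guess: one field per byte, year counted from 1970, nothing adjusted.
sub from_octets {
    my ($y, $mon, $d, $h, $min, $s) = unpack 'C6', $_[0];
    return sprintf '%d-%02d-%02d %02d:%02d:%02d (month/day base unknown)',
        1970 + $y, $mon, $d, $h, $min, $s;
}

printf "%-10s %s\n", @$_ for
    [ FILETIME   => from_filetime($raw) ],
    [ time64     => from_time64($raw)   ],
    [ 'OLE DATE' => from_ole_date($raw) ],
    [ octets     => from_octets($raw)   ];
```

Comparing the four lines against a date on which a scan is known to have run is the quickest way to see which interpretation, if any, fits.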
 
