
win32_NTLogEventTimeGenerated is in GMT and not local in Vista/w2


tango

Nov 11, 2009, 7:15:01 AM
(I posted this question to the microsoft.public.win32.programmer.wmi but
it's not available anymore. I don't know if this is the correct forum to
post this question...)

We are using the win32_NTLogEvent class to retrieve events and store them to
a database. We have noticed that in Windows 2008 32-bit and Vista 32-bit the
win32_NTLogEvent.TimeGenerated is returned in GMT with an offset value of
000. In earlier versions of Windows, win32_NTLogEvent.TimeGenerated is
returned in local time with an offset relative to GMT.
For example, these two are exactly the same date:
WinXP TimeGenerated 10:00 GMT 120 (20091016100000.000000+120)
Vista/2008 TimeGenerated 08:00 GMT 000 (20091016080000.000000+000)

This, of course, creates inconsistency in data depending on the source OS.
We would like to know if this change is intentional and if means of easily
recovering the local time instead have been provided.

Thank you very much,
Tango.

Remy Lebeau

Nov 11, 2009, 1:16:06 PM

"tango" <ta...@newsgroup.nospam> wrote in message news:0FD3B7DC-887D-46E5...@microsoft.com...

> This, of course, creates inconsistency in data depending on the source
> OS. We would like to know if this change is intentional and if means
> of easily recovering the local time instead have been provided.

Why not just have your code convert GMT values to local time whenever the offset is 0? Look at SystemTimeToFileTime(), FileTimeToLocalFileTime(), and other related functions.

--
Remy Lebeau (TeamB)

tango

Nov 23, 2009, 5:37:02 AM

> Why not just have your code convert GMT values to local time whenever the
> offset is 0? Look at SystemTimeToFileTime(), FileTimeToLocalFileTime(), and
> other related functions.

The problem is that we are retrieving remote data using WMI, we need to get
the local time for the eventlog message in the REMOTE computer, and I think
using the API we will get the date in the local computer where we are
executing the WMI query.

For example, in a remote WinXP when we retrieve the EventLog message with
TimeGenerated 10:00 GMT 120 (20091016100000.000000+120) we know it was
10:00 in the remote computer clock but when retrieving the same EventLog
message from a remote Vista/2008, the TimeGenerated will be 08:00 GMT 000
(20091016080000.000000+000) so we can't get the "real remote time" where the
message was generated.
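
The following is an added example, not code from any poster in this thread: it parses the two TimeGenerated strings quoted above, normalises both to UTC so that stored events from either OS line up, and rebuilds the remote wall-clock time from an offset supplied by the caller. The function names are hypothetical, and the remote offset is assumed to come from the remote host itself (for instance `Win32_OperatingSystem.CurrentTimeZone`, read over the same WMI connection).

```python
import re
from datetime import datetime, timedelta, timezone

# CIM_DATETIME layout: yyyymmddHHMMSS.mmmmmm, then a sign and a
# three-digit UTC offset expressed in minutes.
_CIM = re.compile(r"^(\d{14})\.(\d{6})([+-])(\d{3})$")


def parse_cim_datetime(value):
    """Return an offset-aware datetime for a WMI CIM_DATETIME string."""
    m = _CIM.match(value)
    if m is None:
        raise ValueError(f"not a CIM_DATETIME timestamp: {value!r}")
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes))
    if sign == "-":
        offset = -offset
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    naive = naive.replace(microsecond=int(micros))
    return naive.replace(tzinfo=timezone(offset))


def to_utc(value):
    """Normalise a TimeGenerated value to UTC, whatever offset it carries."""
    return parse_cim_datetime(value).astimezone(timezone.utc)


def remote_local_time(value, remote_offset_minutes):
    """Wall-clock time on the remote host for a TimeGenerated value.

    remote_offset_minutes is an assumption of this example: the caller
    must read it from the remote machine. It is the host's current
    offset, so it can be off by the DST shift for events logged on the
    other side of a daylight-saving change.
    """
    tz = timezone(timedelta(minutes=remote_offset_minutes))
    return to_utc(value).astimezone(tz)


# The two values quoted in the thread.
XP = "20091016100000.000000+120"
VISTA = "20091016080000.000000+000"

if __name__ == "__main__":
    print(to_utc(XP), to_utc(VISTA))      # same instant from both hosts
    print(remote_local_time(VISTA, 120))  # remote wall clock rebuilt
```

Storing the UTC value plus the source host's offset as separate columns keeps event timelines from mixed OS versions comparable without losing the remote local time.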

tango

Jan 15, 2010, 1:32:01 AM

I haven't received any MSDN reply. I thought it was because of a problem in the
nospam alias not being assigned but I'm sure now it's assigned.