We are using the win32_NTLogEvent class to retrieve events and store them to
a database. We have noticed that in Windows 2008 32-bit and Vista 32-bit the
win32_NTLogEvent.TimeGenerated is returned in GMT with an offset value of
000. In earlier versions of Windows, win32_NTLogEvent.TimeGenerated is
returned in local time with an offset relative to GMT.
For example, these two are exactly the same date:
WinXP TimeGenerated 10:00 GMT 120 (20091016100000.000000+120)
Vista/2008 TimeGenerated 08:00 GMT 000 (20091016080000.000000+000)
This, of course, creates inconsistency in data depending on the source OS.
We would like to know if this change is intentional and if means of easily
recovering the local time instead have been provided.
Thank you very much,
Tango.
MS has been seriously messing up with the results returned by WMI on
Vista/2008 for some time now, and any fix you make now will probably be
broken when they change their minds later on. For example, initially
Vista returned all event log entries in reverse order compared to all
their other OSes. Then abruptly, and very quietly, they changed the
order back with a patch or service pack (can't remember which). Not to
mention the fact that DST handling in WMI has been all over the place
this last year.
It is not amusing and it's wasting a lot of development time!
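Added example, not part of either post above: one way to keep stored event times consistent across source OS versions is to parse the DMTF offset and store UTC, so the two TimeGenerated values quoted in the question map to the same instant. The function names and the choice of Python are assumptions; the display offset passed to `to_local` must come from the collector's own knowledge of the source host, since the Vista/2008 value carries +000.

```python
import re
from datetime import datetime, timedelta, timezone

# DMTF datetime as returned by WMI: yyyymmddHHMMSS.mmmmmm, then a sign and a
# three-digit offset from UTC in minutes (e.g. +120).
_DMTF = re.compile(r"(\d{14})\.(\d{6})([+-])(\d{3})")


def parse_dmtf(value):
    """Return an offset-aware datetime for a fully specified DMTF timestamp."""
    m = _DMTF.fullmatch(value.strip())
    if m is None:
        # Wildcard ('*') fields and interval values are rejected, not guessed.
        raise ValueError("not a fully specified DMTF datetime: %r" % (value,))
    stamp, micros, sign, minutes = m.groups()
    offset = timedelta(minutes=int(minutes))
    if sign == "-":
        offset = -offset
    naive = datetime.strptime(stamp, "%Y%m%d%H%M%S")
    naive = naive.replace(microsecond=int(micros))
    return naive.replace(tzinfo=timezone(offset))


def to_utc(value):
    """Normalize to UTC; this is the value to store and to correlate on."""
    return parse_dmtf(value).astimezone(timezone.utc)


def to_local(value, offset_minutes):
    """Render in a display offset supplied by the caller (assumption: the
    collector records each source host's UTC offset separately)."""
    tz = timezone(timedelta(minutes=offset_minutes))
    return parse_dmtf(value).astimezone(tz)


if __name__ == "__main__":
    # The two values quoted in the question.
    xp = "20091016100000.000000+120"
    vista = "20091016080000.000000+000"
    print(to_utc(xp).isoformat(), to_utc(vista).isoformat())
    print(to_local(vista, 120).isoformat())
```
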