securitybananas.com

Security news from all over the world

Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7

This information was provided to me by Longshot & Mark McKinnon (Just passing this great information along).

Decoding the DateCreated and DateLastConnected registry values from the registry keys

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}

In Vista and Windows 7

The DateCreated and DateLastConnected values are binary values that can be broken up into 4 byte parts, with 1 part left over. Each 4 byte part corresponds to one component of a date. The order of the values is as follows:

Year
Month
Weekday
Day
Hour
Minutes
Seconds

Each of these 4 byte parts is in little endian. Using the following data that was unpacked from binary and converted to hex we get the following translation:

d9070200020018001700140025000001

d907 0200 0200 1800 1700 1400 2500 0001

Year = h4 = d907 = 07d9 = 2009

Month = h4 = 0200 = 0002 = Month {Jan = 1, Feb = 2, etc….}

Weekday = h4 = 0200 = 0002 = Weekday {Sunday = 0, Monday = 1, etc…}

date = h4 = 1800 = 0018 = 24

hour = h4 = 1700 = 0017 = 23

minutes = h4 = 1400 = 0014 = 20

Seconds = h4 = 2500 = 0025 = 37

The Month and Weekday fields have to be converted to their proper month and weekday names, which would yield the following:

Date First Connected: Tuesday, 24 February 2009 23:20:37

Here is the Perl code to do the above. I only include $data as a placeholder that would need to have data fed to it:

use strict;

# This is the binary data that would be read from the registry file.
# The sample value from above is used here as a placeholder.
my $data = pack("H*", "d9070200020018001700140025000001");

# Name of the registry value being decoded (DateCreated or DateLastConnected)
my $n = "DateCreated";
my $finaln;

my %month_type = (1 => "January",
    2 => "February",
    3 => "March",
    4 => "April",
    5 => "May",
    6 => "June",
    7 => "July",
    8 => "August",
    9 => "September",
    10 => "October",
    11 => "November",
    12 => "December");

my %dayofweek_type = (0 => "Sunday",
    1 => "Monday",
    2 => "Tuesday",
    3 => "Wednesday",
    4 => "Thursday",
    5 => "Friday",
    6 => "Saturday");

# Each h4 reads one part as four hex digits, low nybble first;
# reversing the string puts the digits in most-significant-first order
my ($year, $month, $weekday, $date, $hour, $minute, $second) = unpack("h4 h4 h4 h4 h4 h4 h4", $data);

# This part converts the year
my $finalyear = hex(reverse $year);

# Now we convert the month
my $monthnumber = hex(reverse $month);
my $finalmonth = $month_type{$monthnumber};

# Now we convert the weekday
my $weekdaynumber = hex(reverse $weekday);
my $finalweekday = $dayofweek_type{$weekdaynumber};

# This converts the date
my $finaldate = hex(reverse $date);

# This converts the hour
my $finalhour = hex(reverse $hour);

# This converts the minute and pads it to two digits
my $finalminute = hex(reverse $minute);
my $howlongisfinalminute = length($finalminute);
if ($howlongisfinalminute == 1) {
    $finalminute = "0$finalminute";
}
if ($finalminute eq "0") {
    $finalminute = '00';
}

# This converts the second and pads it to two digits
my $finalsecond = hex(reverse $second);
my $howlongisfinalsecond = length($finalsecond);
if ($howlongisfinalsecond == 1) {
    # No "my" here: a new lexical would be discarded at the end of the block
    $finalsecond = "0$finalsecond";
}
if ($finalsecond eq "0") {
    $finalsecond = '00';
}

my $ssidtimestamp = "$finalweekday, $finaldate $finalmonth $finalyear $finalhour:$finalminute:$finalsecond";
if ($n =~ /Created/) {
    $finaln = "Date First Connected:";
} else {
    $finaln = "Date Last Connected:";
}

print "$finaln $ssidtimestamp\n";
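An added example, not part of the original post or its contributors' code: the same decode in Python, going one step further by reading the part left over (the layout matches the Win32 SYSTEMTIME structure, where the eighth 16-bit field is milliseconds) and checking that the stored weekday agrees with the calendar date, which flags a corrupt or hand-edited value. The function name and the keys of the returned dictionary are assumptions made for this example; the sample bytes are the ones shown above.

```python
import struct
from datetime import datetime

DAYS = ["Sunday", "Monday", "Tuesday", "Wednesday",
        "Thursday", "Friday", "Saturday"]

# Sample value shown in the article, as raw bytes.
SAMPLE = bytes.fromhex("d9070200020018001700140025000001")


def decode_profile_date(raw: bytes) -> dict:
    """Decode a 16-byte DateCreated / DateLastConnected registry value."""
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    # Eight unsigned 16-bit little-endian fields. The eighth is the part
    # "left over" in the article: milliseconds in the SYSTEMTIME layout.
    year, month, weekday, day, hour, minute, second, ms = struct.unpack("<8H", raw)
    # datetime() raises ValueError for impossible fields (month 13, 30 Feb,
    # ms > 999), so a corrupt value is rejected rather than misreported.
    ts = datetime(year, month, day, hour, minute, second, ms * 1000)
    # Python counts Monday = 0; the registry value counts Sunday = 0.
    computed = (ts.weekday() + 1) % 7
    return {
        "timestamp": ts,  # naive: the value itself holds no time zone
        "stored_weekday": weekday,
        "weekday_consistent": weekday == computed,
        "text": f"{DAYS[computed]}, {ts.day} {ts:%B} {ts.year} {ts:%H:%M:%S}",
    }


if __name__ == "__main__":
    result = decode_profile_date(SAMPLE)
    print("Date First Connected:", result["text"])
    print("Milliseconds:", result["timestamp"].microsecond // 1000)
    print("Weekday field matches calendar:", result["weekday_consistent"])
```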
