After doing some experimenting, I have determined the following about secure time in Windows 10:
- Secure time is updated when the computer goes to sleep or is shut down. This makes sense and I believe it is used to ensure that Windows has a reasonable time change and protect against irrational time sources. So, you want to compare time on startup against when it was last shut down.
- The registry keys use UTC time. When I read the time in SecureTimeEstimated and apply the correct time zone, then it matches the time the computer was put to sleep or shut down.
- SecureTimeEstimated seems to be the time of shutdown or going to sleep.
- SecureTimeHigh is one hour later than SecureTimeEstimated.
- SecureTimeLow is one hour earlier than SecureTimeEstimated.
[datetime]$(Get-ItemProperty HKLM:\System\CurrentControlSet\Services\W32Time\SecureTimeLimits).SecureTimeEstimated
[datetime]$(Get-ItemProperty HKLM:\System\CurrentControlSet\Services\W32Time\SecureTimeLimits).SecureTimeHigh
[datetime]$(Get-ItemProperty HKLM:\System\CurrentControlSet\Services\W32Time\SecureTimeLimits).SecureTimeLow

Please note that the times returned are 1600 years before the current date. So, even though the year may appear to be 0416, add 1600 to get the current year of 2016.
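The same three values can be read without the manual 1600-year correction. This is an added example, not code from the original post; the function name, property names and sample values are hypothetical, and it assumes the registry values are FILETIME ticks, which is consistent with the 1600-year offset described above.

```powershell
# Added example: decode the SecureTimeLimits values and compare them to a clock reading.
function ConvertFrom-SecureTimeLimits {
    param(
        [Parameter(Mandatory)] $Limits,              # object carrying the three QWORD values
        [datetime] $Reference = [datetime]::UtcNow   # clock reading to compare against
    )
    # Assumption: values are FILETIME ticks (100 ns units since 1601-01-01 UTC).
    # FromFileTimeUtc applies that epoch, so the year comes out as 2016, not 0416.
    $est  = [datetime]::FromFileTimeUtc([int64]$Limits.SecureTimeEstimated)
    $high = [datetime]::FromFileTimeUtc([int64]$Limits.SecureTimeHigh)
    $low  = [datetime]::FromFileTimeUtc([int64]$Limits.SecureTimeLow)
    $ref  = $Reference.ToUniversalTime()

    [pscustomobject]@{
        EstimatedUtc   = $est
        EstimatedLocal = $est.ToLocalTime()   # matches the wall-clock time of sleep/shutdown
        LowUtc         = $low
        HighUtc        = $high
        WindowWidth    = $high - $low         # two hours if High/Low are +/- one hour
        SinceEstimated = $ref - $est          # how far the clock has moved since last update
        ClockBeforeLow = $ref -lt $low        # clock is behind the last recorded low bound
    }
}

# Constructed sample values (not taken from a real machine): estimate at
# 2016-06-01 12:00 UTC with High/Low one hour either side, as observed above.
$hour   = [timespan]::FromHours(1).Ticks
$estRaw = [datetime]::new(2016, 6, 1, 12, 0, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$sample = [pscustomobject]@{
    SecureTimeEstimated = $estRaw
    SecureTimeHigh      = $estRaw + $hour
    SecureTimeLow       = $estRaw - $hour
}

# A reference clock set to January 2016 is earlier than the low bound, so ClockBeforeLow is True.
$stale = [datetime]::new(2016, 1, 1, 0, 0, 0, [DateTimeKind]::Utc)
ConvertFrom-SecureTimeLimits -Limits $sample -Reference $stale | Format-List

# On a live Windows 10 machine, decode the real values against the current clock.
$key = 'HKLM:\System\CurrentControlSet\Services\W32Time\SecureTimeLimits'
if (Test-Path $key) {
    ConvertFrom-SecureTimeLimits -Limits (Get-ItemProperty $key) | Format-List
}
```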
Previous info about secure time and the problems it can cause for imaging is here: