Tuesday, August 25, 2009

Decoding the DateCreated and DateLastConnected SSID values From Vista/Win 7

This information was provided to me by Longshot (Just passing this great information along).

Decoding the DateCreated and DateLastConnected registry values from the registry keys

SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Profiles\{GUID}

In Vista and Windows 7

The DateCreated and DateLastConnected values are binary values that can be broken up into 4 byte parts, with 1 part left over. Each 4 byte part corresponds to one component of a date. The order of the values is as follows:


Each of these 4 byte parts is in little endian. Using the following data that was unpacked from binary and converted to hex we get the following translation:


d907 0200 0200 1800 1700 1400 2500 0001

Year = h4 = d907 = 07d9 = 2009

Month = h4 = 0200 = 0002 = Month {Jan = 1, Feb = 2, etc....}

Weekday = h4 = 0200 = 0002 = Weekday {Sunday = 0, Monday = 1, etc...}

date = h4 = 1800 = 0018 = 24

hour = h4 = 1700 = 0017 = 23

minutes = h4 = 1400 = 0014 = 20

Seconds = h4 = 2500 = 0025 = 37

The Month and Weekday fields have to be converted to their proper month and weekday names, which would yield the following:

Date First Connected: Tuesday, 24 February 2009 23:20:37

Here is the Perl code to do the above. I only include $data as a placeholder that would need to have data fed to it:

use strict;

# This is the binary data that would be read from the registry file
my $data = "";

# Name of the registry value being decoded (placeholder, like $data)
my $n = "DateCreated";

my %month_type = (1 => "January",
    2 => "February",
    3 => "March",
    4 => "April",
    5 => "May",
    6 => "June",
    7 => "July",
    8 => "August",
    9 => "September",
    10 => "October",
    11 => "November",
    12 => "December");

my %dayofweek_type = (0 => "Sunday",
    1 => "Monday",
    2 => "Tuesday",
    3 => "Wednesday",
    4 => "Thursday",
    5 => "Friday",
    6 => "Saturday");

# Each h4 returns the 4 hex digits of one part, low nybble first,
# so the string is reversed before being passed to hex()
my ($year, $month, $weekday, $date, $hour, $minute, $second) = unpack("h4 h4 h4 h4 h4 h4 h4", $data);

# This part converts the year
my $finalyear = hex(reverse $year);

# Now we convert the month
my $monthnumber = hex(reverse $month);
my $finalmonth = $month_type{$monthnumber};

# Now we convert the weekday
my $weekdaynumber = hex(reverse $weekday);
my $finalweekday = $dayofweek_type{$weekdaynumber};

# This converts the date
my $finaldate = hex(reverse $date);

# This converts the hour
my $finalhour = hex(reverse $hour);

# This converts the minute and pads a single digit with a leading zero
my $finalminute = hex(reverse $minute);
if (length($finalminute) == 1) {
    $finalminute = "0$finalminute";
}

# This converts the second and pads a single digit with a leading zero
my $finalsecond = hex(reverse $second);
if (length($finalsecond) == 1) {
    $finalsecond = "0$finalsecond";
}

my $ssidtimestamp = "$finalweekday, $finaldate $finalmonth $finalyear $finalhour:$finalminute:$finalsecond";

# Pick the label from the name of the registry value
my $finaln;
if ($n =~ /Created/) {
    $finaln = "Date First Connected:";
} else {
    $finaln = "Date Last Connected:";
}

print "$finaln $ssidtimestamp\n";
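An added example (not from the original post or from Longshot): a Python decoder for the same 16-byte value, treating it as the Windows SYSTEMTIME layout of eight little-endian 16-bit fields, with the eighth field read as milliseconds. The function name `decode_profile_date` and the weekday consistency check are assumptions of this example; the sample bytes are the ones shown in the post.

```python
import struct
from datetime import datetime

# Field order of the 16-byte value: eight little-endian 16-bit integers.
FIELDS = ("year", "month", "weekday", "day",
          "hour", "minute", "second", "millisecond")

# The bytes from the post: d907 0200 0200 1800 1700 1400 2500 0001
SAMPLE = bytes.fromhex("d9070200020018001700140025000001")


def decode_profile_date(raw: bytes) -> dict:
    """Decode a DateCreated / DateLastConnected value and sanity-check it."""
    if len(raw) != 16:
        raise ValueError(f"expected 16 bytes, got {len(raw)}")
    f = dict(zip(FIELDS, struct.unpack("<8H", raw)))

    # datetime() raises ValueError for impossible values (month 13,
    # 30 February, more than 999 milliseconds), so corrupt data fails loudly.
    dt = datetime(f["year"], f["month"], f["day"], f["hour"],
                  f["minute"], f["second"], f["millisecond"] * 1000)

    # The stored weekday uses Sunday = 0; Python's weekday() uses Monday = 0.
    # A mismatch between the stored and the computed weekday means the value
    # was not written by a normal system call (corruption or manual editing).
    computed_weekday = (dt.weekday() + 1) % 7

    return {
        "datetime": dt,
        "text": dt.strftime("%A, %d %B %Y %H:%M:%S"),
        "stored_weekday": f["weekday"],
        "weekday_consistent": computed_weekday == f["weekday"],
    }


if __name__ == "__main__":
    result = decode_profile_date(SAMPLE)
    print("Date First Connected:", result["text"])
    print("Weekday field consistent:", result["weekday_consistent"])
```
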


Keydet89 said...

Here's the code I use in the RegRipper plugin I wrote:

sub parseDate128 {
    my $date = $_[0];
    my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
                  "Aug","Sep","Oct","Nov","Dec");
    my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
    # Eight little-endian 16-bit values
    my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
    $hr = "0".$hr if ($hr < 10);
    $min = "0".$min if ($min < 10);
    $sec = "0".$sec if ($sec < 10);
    my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr;
    return $str;
}

Andrew H said...

Thanks folks, nice!

Anonymous said...

There is a tool out there that does this as well. It does a few others from what I have seen.


swkenney said...

The last 4 bytes represent thousandths of a second. Range 0 to 3e7h or 0 to 999 decimal.

swkenney said...

DateDecoder.exe by the way does not handle the last 4 bytes correctly. DateDecoder.exe is the program in DateDecoder.zip mentioned above.

Chloe said...

A great post on the topic of how one can decode the SSID values, using Windows 7 or Vista. Great piece of information shared, well done....


Vasily Kolobkov said...

Just in case - that date time structure is called SYSTEMTIME. It's one of the datetime representations (along with FILETIME) you can come across while parsing registry.


jhon said...

Just would like to know, does SSID stand for Session ID or something else.... ?


Unknown said...

service set identifier


Free SMS said...

SSID values, haven't they got any relationship with WIFI setting or similar... ???

alistair1 said...

This helped with my computer forensics work. I was stuck.
