Windows InstallTime vs InstallDate Registry Values

This is just a quick post about two Registry Values InstallTime and InstallDate which are found under the following key:
SOFTWARE\Microsoft\Windows NT\CurrentVersion

The confusion happens when my students ask which one is correct? The answer is aquatically both! Yes, both are correct. The only difference is InstallDate is a Unix 32-bit Timestamp, while InstallTime is a Windows 64-bit Timestamp.

As you can see in the screenshots below (SOFTWARE hive loaded using Registry Explorer), the proof that they are both the same. I’ve used DCode for this task, even though you could just rely on Registry Explorer from Eric Zimmerman by right clicking on the value and choosing “Data interpreter”.



Don’t forget to adjust your timezones.

That’s all for now!

About [email protected]

[Between Teams of Red and Blue, I'm with the Purple Team]
This entry was posted in Forensics, Windows and tagged , , , , , , . Bookmark the permalink.