Converting Windows FILETIME Timestamps to Readable Date

Article ID: 292306

Products

Carbon Black Cloud Endpoint Standard (formerly Cb Defense) Carbon Black Cloud Enterprise EDR (formerly Cb Threathunter)

Issue/Introduction

Provides steps for converting the Microsoft FILETIME date format to a human-readable date and time

Environment

  • Carbon Black Cloud Sensor: 3.6.x.x and Higher
  • Microsoft Windows: All Supported Versions

Resolution

Via LDAP Epoch Converter

  1. Go to https://www.epochconverter.com/ldap
  2. Enter FILETIME found in log file (AmsiEvents.log, etc.) in input field
  3. Click "Convert 18-digit LDAP to human date/epoch" button to convert to GMT and local timezone date/time


Via Command Prompt (cmd.exe)

  1. Launch cmd.exe
  2. Run w32tm.exe and enter FILETIME found in log file (AmsiEvents.log, etc.)
    w32tm.exe /ntte <FILETIME>
    
    Example
    w32tm.exe /ntte 132768227825246236
    
  3. Date and time for local device is output as result
    Example Output
    153666 22:19:42.5246236 - 9/22/2021 5:19:42 PM
    
    153666 == Number of whole days elapsed since 01-Jan-1601 (the FILETIME value divided by 864000000000, the same divisor used in the PowerShell method below)
    22:19:42.5246236 == Time of day of the event (UTC) as recorded by the machine where the event occurred; 24-hour format with 100-nanosecond precision
    9/22/2021 == Date of the event as recorded by the machine where the event occurred
    5:19:42 PM == Time of the event converted to the local timezone of the machine where the command from step 2 was run; 12-hour format
    
  4. The difference between the first (UTC) and second (local) times above gives the timezone offset to apply when looking for related Alerts/Events in the Console


Via PowerShell

  1. Launch powershell.exe
  2. Use Get-Date to convert FILETIME
    (Get-Date 1/1/1601).AddDays(<FILETIME>/864000000000)
    
    Example
    (Get-Date 1/1/1601).AddDays(132768227825246236/864000000000)
  3. Date and time for local device is output as result
    Example Output
    Wednesday, September 22, 2021 10:19:42 PM
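
Via Python

The following script is an added example and is not part of the original article; it performs the same FILETIME conversion as the w32tm.exe and Get-Date methods above in Python 3 (standard library only), using integer arithmetic so that all 18 digits survive (dividing to a floating-point day count first, as the Get-Date one-liner does, silently drops sub-millisecond precision), and it also renders the "<days> <time>" prefix printed by w32tm.exe /ntte so the two can be cross-checked. The FILETIME value used is the one from the examples above.

```python
from datetime import datetime, timedelta, timezone

# A Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 864_000_000_000          # divisor used by the PowerShell one-liner
# Ticks between 01-Jan-1601 and the Unix epoch 01-Jan-1970 (11644473600 seconds).
UNIX_EPOCH_AS_FILETIME = 116_444_736_000_000_000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer to a timezone-aware UTC datetime (microsecond resolution)."""
    if filetime < 0:
        raise ValueError("FILETIME must be non-negative")
    seconds, ticks = divmod(filetime, TICKS_PER_SECOND)   # exact integer split
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse conversion; a naive datetime is treated as UTC."""
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    delta = dt - FILETIME_EPOCH
    total_seconds = delta.days * 86_400 + delta.seconds
    return total_seconds * TICKS_PER_SECOND + delta.microseconds * 10


def filetime_to_unix(filetime: int) -> float:
    """Seconds since the Unix epoch, for comparing against Linux-style log timestamps."""
    return (filetime - UNIX_EPOCH_AS_FILETIME) / TICKS_PER_SECOND


def w32tm_style(filetime: int) -> str:
    """Render the '<days since 1601> <HH:MM:SS.fffffff>' prefix that w32tm.exe /ntte prints."""
    days, rem = divmod(filetime, TICKS_PER_DAY)
    hours, rem = divmod(rem, 36_000_000_000)
    minutes, rem = divmod(rem, 600_000_000)
    seconds, frac = divmod(rem, TICKS_PER_SECOND)
    return f"{days} {hours:02d}:{minutes:02d}:{seconds:02d}.{frac:07d}"


if __name__ == "__main__":
    ft = 132768227825246236                  # FILETIME from the article's examples
    print(w32tm_style(ft))                   # 153666 22:19:42.5246236
    utc = filetime_to_datetime(ft)
    print(utc.isoformat())                   # 2021-09-22T22:19:42.524623+00:00
    print(utc.astimezone().isoformat())      # same instant in this machine's local timezone
    print(filetime_to_unix(ft))              # 1632349182.5246236
```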

Additional Information

  • Replace all <name> fields with the actual values found, including "<" and ">" (e.g., <FILETIME> becomes 132768227825246236 above)
  • W32tm.exe is the preferred command-line tool for configuring, monitoring, or troubleshooting the Windows Time service
  • Windows devices do not use Linux/Unix Epoch time which starts at 01-Jan-1970; instead FILETIME is the number of 100-nanosecond intervals since 01-Jan-1601
  • The above can be helpful when reviewing items in the AmsiEvents.log file to then search through confer.log files for related Events and details