
Convert Reg_Binary Data to Date using Powershell

Posted on 2013-01-15
Last Modified: 2013-01-16
I need some help converting data out of the registry and figuring out what the last shutdown time of the workstation is/was.

I am using the PSRemoteRegistry module to get the value from the remote machine and need to convert it to a readable date.

Please see code below:

Import-Module PSRemoteRegistry

$key = "SYSTEM\CurrentControlSet\Control\Windows"

$data = (get-regbinary -computerName "xxx" -key $key -Value "ShutdownTime").data



The output of this gives me:
2
23
223
209
87
243
205
1

Thanks
Question by:dhalliday
3 Comments
 

Expert Comment

by:John Jennings
ID: 38780567
Use this PowerShell command instead of the script you've written. It's only one line, and will automatically show you the last registered shutdown event in the System event log.

Get-WinEvent -FilterHashtable @{logname='system';id=6006} -MaxEvents 1



PS - You can add "-ComputerName {nameofremotemachine}" (without quotes) to the snippet above to run it on a remote machine.

Accepted Solution

by:
Qlemo earned 2000 total points
ID: 38780601
It's a FileTime structure, constructing a 64-bit integer.
$key = "SYSTEM\CurrentControlSet\Control\Windows"
$data = (get-regbinary -computerName "xxx" -key $key -Value "ShutdownTime").data
$time = [DateTime]::FromFileTime( (((((($data[7]*256 + $data[6])*256 + $data[5])*256 + $data[4])*256 + $data[3])*256 + $data[2])*256 + $data[1])*256 + $data[0])


or
$key = "SYSTEM\CurrentControlSet\Control\Windows"
(get-regbinary -computerName "xxx" -key $key -Value "ShutdownTime").data | foreach-object `
-Begin { $time = 0; $i = 0 } `
-Process { $time += $_ * [math]::Pow(256,$i++) } `
-End { $time = [DateTime]::FromFileTime($time) }


Note that the Registry shutdown time is a few seconds behind the event log entry.
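An added example, not part of the original answers: the same FILETIME conversion done with [BitConverter]::ToInt64, with a length check and UTC output so that shutdown times collected from machines in different time zones line up. The function name ConvertFrom-FileTimeBytes is hypothetical, and the sample bytes are the ones shown in the question's output.

```powershell
# Added example: decode an 8-byte REG_BINARY FILETIME (little-endian)
# using integer conversion only. ConvertFrom-FileTimeBytes is a hypothetical name.
function ConvertFrom-FileTimeBytes {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [byte[]]$Bytes
    )

    # A FILETIME is exactly 64 bits; anything else is truncated or the wrong value.
    if ($Bytes.Length -ne 8) {
        throw "Expected 8 bytes for a FILETIME, got $($Bytes.Length)."
    }

    # Registry data is little-endian. BitConverter follows the host byte order,
    # so work on a copy and reverse it on a big-endian host.
    $buffer = [byte[]]$Bytes.Clone()
    if (-not [BitConverter]::IsLittleEndian) { [Array]::Reverse($buffer) }

    # Number of 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
    $ticks = [BitConverter]::ToInt64($buffer, 0)

    # FromFileTimeUtc throws on negative or out-of-range values; report bad data clearly.
    try {
        return [DateTime]::FromFileTimeUtc($ticks)
    }
    catch {
        throw "Value 0x$($ticks.ToString('X16')) is not a valid FILETIME."
    }
}

# Constructed sample: the eight bytes from the question's output.
$sample = [byte[]](2, 23, 223, 209, 87, 243, 205, 1)

$utc = ConvertFrom-FileTimeBytes -Bytes $sample
'UTC   : {0:o}' -f $utc
'Local : {0:o}' -f $utc.ToLocalTime()
```

To use it against live data, pass the `.data` property returned by the `get-regbinary` call from the question as `-Bytes`.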
 

Author Closing Comment

by:dhalliday
ID: 38782818
Thanks for the quick turnaround on the solution. It worked perfectly.