Windows FILETIME
From Just Solve the File Format Problem
(Difference between revisions)
(Category:Date and time formats) |
|||
| Line 16: | Line 16: | ||
* [https://articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/ Forensic Focus: Interpretation of NTFS Timestamps] | * [https://articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/ Forensic Focus: Interpretation of NTFS Timestamps] | ||
| + | [[Category:Date and time formats]] | ||
[[Category:Microsoft]] | [[Category:Microsoft]] | ||
[[Category:Windows]] | [[Category:Windows]] | ||
Revision as of 15:01, 23 July 2017
Windows FILETIME is a timestamp format associated with Microsoft Windows, and with NTFS. It appears in some file formats, for example Microsoft Compound File.
It is a 64-bit integer representing the number of 100-nanosecond intervals since the beginning of the year 1601, UTC (ignoring leap seconds). Evidence suggests that the high bit is reserved, and the other 63 bits represent an unsigned integer. This means it can represent dates from about the years 1601 to 30828.
Because the traditional Windows API did not use 64-bit integers, it is often represented as a structure (named "FILETIME", of course) containing two 32-bit integers.
Despite its name, it is often used for things other than timestamps of files.
