Timestamps values not reality

Soup
Posted: 04 December 2017 at 10:07pm

Timestamps example: 1914, 2032, 1968, 2000, 2003, etc. not within expected range.

Incorrect timestamps and file information are not a bug within AutoRun. It is the data in the registry or wherever it's getting the data.

If you validate the image source and the data is current and relative to your build, then you should consider it good. I'm sure there will be exceptions, but you should expect these things to have a valid publisher.

With very few exceptions you should expect every file to have a publisher. Those that do not should be looked into further. They are not always guaranteed to be fake programs.

Bad timestamps and file information displayed by AutoRun should be validated. Validate by right-clicking the item in AutoRun and selecting jump to the image. The file manager will go to the file image, and then select properties of the file, details tab. Check the certificate.

I believe the information that we see in this erroneous information comes from Microsoft's testing.

Would love to hear from somebody who thinks otherwise.

zebuddi123
Posted: 10 January 2018 at 6:23pm
Hi, I'm having the same problems with timestamps in Autoruns64.exe, wildly wrong: 1903, 1921, 2032. So I'm just going to write a small program to scan my whole system, collect path+filename+datestamp, drop them into a tree gadget and hook them by year date, just to see, as Malwarebytes, Win Defender etc. have all failed to detect anything.

Will post a link to the code or exe shortly, should anyone want it.

Zebuddi.

Edited by zebuddi123 - 10 January 2018 at 6:24pm

Soup
Posted: 10 January 2018 at 9:10pm
Timestamps example: 1914, 2032, 1968, 2000, 2003, etc. not within expected range.

Incorrect timestamps and file information are not a bug within AutoRun. It is the data in the registry or wherever it's getting the data.

If you validate the image source and the data is current and relative to your build, then you should consider it good. I'm sure there will be exceptions, but you should expect these things to have a valid publisher.

sredna
Posted: 12 January 2018 at 2:07am
The timestamps on Windows 10 files are now "wrong" on purpose: https://blogs.msdn.microsoft.com/oldnewthing/20180103-00/?p=97705

Quote: "Setting the timestamp to be a hash of the resulting binary preserves reproducibility."
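
Added example, not part of any post in this thread and not Autoruns code: the article linked above concerns the TimeDateStamp field in the PE/COFF file header, which a reproducible build fills with a hash-derived value instead of a build time. This Python example reads that field and shows the year it decodes to under an unsigned and a signed 32-bit reading (which reading a given tool uses is not stated in the thread); the function names, the 1993 lower bound and the sample header bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)

def pe_timestamp(data):
    """Return the raw 32-bit TimeDateStamp from a PE image's COFF header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)  # offset of "PE\0\0"
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(data) < e_lfanew + 12:
        raise ValueError("PE signature or COFF header missing")
    # After the signature: Machine (2), NumberOfSections (2), TimeDateStamp (4)
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp

def as_years(stamp):
    """Year (UTC) with the field read as unsigned, then signed, seconds since 1970."""
    signed = stamp - (1 << 32) if stamp & 0x80000000 else stamp
    return ((EPOCH + timedelta(seconds=stamp)).year,
            (EPOCH + timedelta(seconds=signed)).year)

def looks_like_build_date(stamp, now=None, first_year=1993):
    """True if the unsigned reading lies between first_year (assumed bound) and now."""
    now = now or datetime.now(timezone.utc)
    when = EPOCH + timedelta(seconds=stamp)
    return datetime(first_year, 1, 1, tzinfo=timezone.utc) <= when <= now

def make_sample(stamp):
    """Constructed header only: DOS header, PE signature, 20-byte COFF header."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x8664, 0, stamp, 0, 0, 0, 0)
    return dos + b"PE\0\0" + coff

if __name__ == "__main__":
    for stamp in (1515542400, 0x75000000, 0xB0000000):  # constructed values
        raw = pe_timestamp(make_sample(stamp))
        print(hex(raw), as_years(raw), looks_like_build_date(raw))
```

An out-of-range year is the behaviour the linked article describes for Windows 10 binaries, so the publisher and certificate check discussed earlier in the thread remains the meaningful validation.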

Soup
Posted: 12 January 2018 at 2:37am
The timestamps on Windows 10 files are now "wrong"

The timestamps that we're talking about are not the files' creation timestamps. AutoRun provides different timestamp data from a registry. This is different from the file creation timestamp and is related to the module's creation. Before Windows 10, the timestamp data provided by AutoRun coincided with the file creation timestamp. Under Windows 10, it is more relevant to say that the timestamp provided by AutoRun has little value in validating whether there was a change to the system data.
