Re: [Libguestfs] [Hivex][PATCH v2] Report last-modified time of hive root and nodes

On Thu, Aug 11, 2011 at 11:08:38PM -0700, Elizabeth Schweinsberg wrote:
> >> On Wed, Aug 10, 2011 at 01:24:05PM -0700, Alex‎ Nelson wrote:
> >>> These changes are bringing the hivexml program into a file system
> >>> analysis suite that deals with many different file system types,
> >>> each with their own timestamp recording quirks, and even some file
> >>> formats which have yet more quirks.  We think that ISO 8601 is the
> >>> best umbrella output format, with an additional XML attribute noting
> >>> the time granularity (like FAT's 2-second and 1-day granularities).
> >>> That's why we're outputting strings in C, which, yes, feels wrong,
> >>> but simplifies parsing outside of the scope of hivexml.  We're
> >>> dealing with the time presentation proactively.
> >>
> >> Reading this over again, I think you may be confusing how the hivex
> >> API/library returns the data and how hivexml displays the data.  The
> >> two are completely different things.  You can have hivexml displaying
> >> the data as an ISO 8601 string (in fact, I would say that is a very
> >> good choice).  But that does not in any way require that the C API
> >> returns a string.
> >
> > Ah, understood.  Ok, in that case I'm fine with changing things as you suggested.  Next patch coming soon.
> Please, please, please don't return the Windows time.  Python does not
> have a library or function for dealing with the Windows time, but it
> does handle ISO 8601.  And UNIX epoch.  And a quick search for Perl
> doesn't show anything for Windows timestamp in the top 5, but also has
> a module for ISO8601.

You don't need a module for Windows filetime, since you can write a
conversion function in a few lines of code:


filetime = 128166372003061629L
#filetime = 116444736000000000L # 1970-01-01

windows_tick = 10000000
sec_to_unix_epoch = 11644473600L

time_t = filetime / windows_tick - sec_to_unix_epoch

from datetime import datetime
print datetime.fromtimestamp (time_t).strftime('%F %T')

(adapted from
http://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux )


Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines.  Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.

