[Libguestfs] [Hivex][PATCH v2] Report last-modified time of hive root and nodes
Richard W.M. Jones
rjones at redhat.com
Fri Aug 12 07:54:26 UTC 2011
On Thu, Aug 11, 2011 at 11:08:38PM -0700, Elizabeth Schweinsberg wrote:
> >> On Wed, Aug 10, 2011 at 01:24:05PM -0700, Alex Nelson wrote:
> >>> These changes are bringing the hivexml program into a file system
> >>> analysis suite that deals with many different file system types,
> >>> each with their own timestamp recording quirks, and even some file
> >>> formats which have yet more quirks. We think that ISO 8601 is the
> >>> best umbrella output format, with an additional XML attribute noting
> >>> the time granularity (like FAT's 2-second and 1-day granularities).
> >>> That's why we're outputting strings in C, which, yes, feels wrong,
> >>> but simplifies parsing outside of the scope of hivexml. We're
> >>> dealing with the time presentation proactively.
> >>
> >> Reading this over again, I think you may be confusing how the hivex
> >> API/library returns the data and how hivexml displays the data. The
> >> two are completely different things. You can have hivexml displaying
> >> the data as an ISO 8601 string (in fact, I would say that is a very
> >> good choice). But that does not in any way require that the C API
> >> returns a string.
> >
> > Ah, understood. Ok, in that case I'm fine with changing things as you suggested. Next patch coming soon.
>
> Please, please, please don't return the Windows time. Python does not
> have a library or function for dealing with the Windows time, but it
> does handle ISO 8601. And UNIX epoch. And a quick search for Perl
> doesn't show anything for Windows timestamp in the top 5, but also has
> a module for ISO8601.
You don't need a module for Windows filetime, since you can write a
conversion function in a few lines of code:
----------------------------------------------------------------------
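#!/usr/bin/env python3
from datetime import datetime

filetime = 128166372003061629
#filetime = 116444736000000000 # 1970-01-01
windows_tick = 10000000           # 100 ns FILETIME ticks per second
sec_to_unix_epoch = 11644473600   # seconds from 1601-01-01 to 1970-01-01
# Integer division drops the sub-second ticks; then shift to the Unix epoch.
time_t = filetime // windows_tick - sec_to_unix_epoch
# fromtimestamp() renders the value in the local time zone.
print(datetime.fromtimestamp(time_t).strftime('%Y-%m-%d %H:%M:%S'))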
----------------------------------------------------------------------
(adapted from
http://stackoverflow.com/questions/6161776/convert-windows-filetime-to-second-in-unix-linux )
Rich.
--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-top is 'top' for virtual machines. Tiny program with many
powerful monitoring features, net stats, disk stats, logging, etc.
http://et.redhat.com/~rjones/virt-top
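
The split discussed in this thread (integer FILETIME from the API, ISO 8601 string at the display layer) can be sketched as below. This is an added example, not code from the message or from hivex: the function names are hypothetical, output is fixed to UTC with the full 100 ns fraction kept, and treating a zero value as "no timestamp recorded" is an assumption.

```python
import struct
from datetime import datetime, timedelta

WINDOWS_TICK = 10_000_000            # 100 ns intervals per second
SEC_TO_UNIX_EPOCH = 11_644_473_600   # seconds from 1601-01-01 to 1970-01-01
FILETIME_EPOCH = datetime(1601, 1, 1)  # naive value, interpreted as UTC


def filetime_from_bytes(raw):
    """Decode an 8-byte little-endian FILETIME as it is stored on disk."""
    if len(raw) != 8:
        raise ValueError("FILETIME is exactly 8 bytes, got %d" % len(raw))
    return struct.unpack("<Q", raw)[0]


def filetime_to_unix(filetime):
    """Return (seconds since the Unix epoch, leftover 100 ns ticks).

    Seconds are negative for timestamps before 1970-01-01.
    """
    secs, ticks = divmod(filetime, WINDOWS_TICK)
    return secs - SEC_TO_UNIX_EPOCH, ticks


def filetime_to_iso8601(filetime):
    """Format a FILETIME as ISO 8601 in UTC with seven fractional digits."""
    if filetime == 0:
        return None  # assumption: zero means no timestamp was recorded
    secs, ticks = divmod(filetime, WINDOWS_TICK)
    try:
        # Add whole seconds only, so datetime's microsecond field stays 0
        # and the 100 ns remainder is appended without rounding.
        dt = FILETIME_EPOCH + timedelta(seconds=secs)
    except OverflowError:
        raise ValueError("FILETIME is past year 9999: %d" % filetime)
    return dt.isoformat() + ".%07dZ" % ticks


if __name__ == "__main__":
    # Constructed input: the sample value from the message, packed as bytes.
    raw = struct.pack("<Q", 128166372003061629)
    ft = filetime_from_bytes(raw)
    print(ft, filetime_to_unix(ft), filetime_to_iso8601(ft))
```
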