etl-parser

Question: etl2xml extracts timestamps, but in what format?

Open wilderfield opened this issue 2 years ago • 4 comments

I see this timestamp in my generated xml file:

831654275173

In Windows Performance Analyzer, I see that it correlates to: 22,860,603,300 ns

I can't find any documentation anywhere that defines the timestamp format.

Any clues?

wilderfield, Nov 22 '22 20:11

Seems like it might be Windows NTTE time. https://stackoverflow.com/questions/4869769/convert-64-bit-windows-date-time-in-python/4870249#4870249

wilderfield, Dec 09 '22 18:12

hi,

up, I have the same question about the timestamp returned by etl2xml?

etl2xml is run by python 3.10.9 under Linux on a file generated by WindowsUpdate (see attached gzip file) on Windows 10.

the last event record timestamp is 64500090759 corresponding to June 29, 2023 at 09:54:… :

<event type="event" timestamp="64500090759" PID="1008" TID="2404">
  <tracelogging name="Shared">
    <attribute name="Info" value="* END * Service exit Exit code = 0x240001"/>
  </tracelogging>
</event>

here is the timestamp returned by dissect.etl on this last event record, which corresponds to the expected date/time:

<EventHeader version=0 provider_id=196f7a0b-c447-4e45-8c5c-e868d637e4d8 timestamp=2023-06-29 09:54:23.344566+00:00 ThreadId=2404 ProcessId=1008 ActivityId=00000000-0000-0000-0000-000000000000 Extensions=[{'ExtType': <ExtType.PROV_TRAITS: 12>, 'TraitSize': 17, 'ProviderName': b'WUTraceLogging', 'Traits': []}, {'ExtType': <ExtType.EVENT_SCHEMA_TL: 11>, 'EventSchema': b'\x10\x00\x00Shared\x00Info\x00\x01'}]>

regards, lacsaP.

patatetom, Jun 29 '23 13:06

hi,

the delta between the first and last event record suggests that the timestamp returned by etl2xml is relative (to what? to the timestamp recorded in the file name?) and is expressed in 10⁻⁸ seconds. 64500090759 therefore represents 645 seconds.

regards, lacsaP.

patatetom, Jul 03 '23 09:07

hi,

for the WindowsUpdate.yyyymmdd.hhmmss.sss.n.etl file (e.g. my case), the timestamp returned by etl2xml is to be added to a base value stored in the file header (see calculate_timestamp).

this base value could be specified as an attribute to the main <etl> node.

regards, lacsaP.

patatetom, Jul 03 '23 14:07
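A helper for resolving a relative etl2xml timestamp against a base value, as an added example that is not etl-parser's own calculate_timestamp: it assumes the header base is a Windows FILETIME (100 ns intervals since 1601-01-01 UTC, the "NTTE time" mentioned above) and takes the frequency of the relative counter as a parameter, because the thread does not settle whether the unit is 10⁻⁷ or 10⁻⁸ seconds. The sample values below are constructed.

```python
from datetime import datetime, timedelta, timezone

# Windows FILETIME ("NT time"): 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_TICKS_PER_SECOND = 10_000_000


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME value to an aware UTC datetime (microsecond precision)."""
    # 10 FILETIME ticks per microsecond; floor-divide drops sub-microsecond remainder.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Convert an aware UTC datetime back to a FILETIME value."""
    delta = dt - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * FILETIME_TICKS_PER_SECOND + delta.microseconds * 10


def relative_to_absolute(base_filetime: int, relative_ticks: int,
                         ticks_per_second: int) -> datetime:
    """Resolve a relative event timestamp (as etl2xml emits it) against a base FILETIME.

    ticks_per_second is the frequency of the relative counter. This is an assumption
    the caller must supply: 10_000_000 means the counter is in 100 ns units like
    FILETIME itself, 100_000_000 matches the 10⁻⁸ s estimate given in the thread.
    """
    # Rescale the relative counter to FILETIME ticks before adding it to the base.
    elapsed_100ns = relative_ticks * FILETIME_TICKS_PER_SECOND // ticks_per_second
    return filetime_to_datetime(base_filetime + elapsed_100ns)


if __name__ == "__main__":
    # Constructed demo: the last-event value from the thread, resolved under both unit
    # hypotheses against a base chosen so the 10⁻⁸ s reading lands on 09:54:23 UTC.
    base = datetime_to_filetime(datetime(2023, 6, 29, 9, 43, 38, 344566, tzinfo=timezone.utc))
    for freq in (100_000_000, 10_000_000):
        print(freq, relative_to_absolute(base, 64500090759, freq).isoformat())
```

Whichever frequency is right for a given trace, the two readings differ by a factor of ten, so a single event whose wall-clock time is known from another tool (as dissect.etl provides above) is enough to pick the correct one.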