What is the time format like 01d15614cbaee92c in Windows Hotfixes?


QUESTION :

The timestamp (InstalledOn) format of Windows hotfixes is not regular; it shows various types like MM-DD-YYYY, YYYY/MM/DD, YYYYMMDD and 01d15614cbaee92c.

These values can be obtained from Win32_QuickFixEngineering of WMIC.

I would like to know what a timestamp like 01d15614cbaee92c is and how to parse it.

Example data:

Update KB955484 10cd4bf3009a2541
Update KB971512 01cd35e8c07bdeb1
Security Update KB2079403 01cd04587fa78c94
Security Update KB3109094 01d15614cbaee92c

Thank you.

ANSWER :

I’ll take a stab at this.

I think the hex values are FILETIMEs, in 64-bit hex representation.

A filetime is

a 64-bit value representing the number of 100-nanosecond intervals since January 1, 1601 (UTC)

Microsoft refers to these 100-nanosecond units as ticks.

Here is a JavaScript function which will convert one of those strings to a JavaScript date, which you can then format in any way you desire. In the example, the console log will display the date in ISO 8601 format.

const getDateFromHexTicks = hex => {
  const ticks = BigInt(`0x${hex}`);
  const ticksPerMs = BigInt(1e4);
  const ms = ticks / ticksPerMs;
  const fileTimeEpochOffset = BigInt(new Date('1601-01-01T00:00:00.000Z').getTime());
  const unixTime = Number(ms + fileTimeEpochOffset);
  const date = new Date(unixTime);
  return date;
};

const date = getDateFromHexTicks('01d15614cbaee92c');
console.log(date.toISOString()); // 2016-01-23T19:32:28.702Z

Referring to the last line in your example data:

Security Update KB3109094 01d15614cbaee92c

indicates that this update was installed at 2016-01-23T19:32:28.702Z

Oops. It is not a solution. Sorry, my mistake.

  1. convert 01d15614cbaee92c to decimal: 130980511487027500
  2. remove last 5 numbers: 1309805114870 (see also: https://stackoverflow.com/questions/35765637/convert-hexadecimal-value-to-timestamp-date-and-time)
  3. divide by 1,000 and round up: 1309805115
  4. convert to unix(epoch) time: 1309805115 is equivalent to 07/04/2011 @ 6:45pm(UTC), 2011-07-04T18:45:15+00:00(ISO 8601)

But KB3109094 was released on 12/05/2015, so it is not possible for it to have a timestamp of July 4th 2011. (thanks, @Ramhound)
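
For patch-inventory work, the FILETIME reading from the answer can be combined with the other InstalledOn formats listed in the question into one normaliser. This is an added example, not code from either poster; it goes beyond the single hex case, and the names `parseInstalledOn` and `utcDate`, the 1995 to 2100 sanity window, the month-first reading of MM-DD-YYYY and the non-hex sample values are assumptions made here.

```javascript
// Added example: normalise the InstalledOn formats listed in the question to a UTC Date.
// FILETIME: 100-ns ticks since 1601-01-01T00:00:00Z; the Unix epoch is 11644473600 s later.
const EPOCH_DIFF_MS = 11644473600000n;
const TICKS_PER_MS = 10000n;

// Build a UTC date and reject impossible calendar values such as month 13 or Feb 30.
function utcDate(y, m, d) {
  const dt = new Date(Date.UTC(y, m - 1, d));
  const ok = dt.getUTCFullYear() === y && dt.getUTCMonth() === m - 1 && dt.getUTCDate() === d;
  return ok ? dt : null;
}

// Returns { format, date }; date is a Date, or null when the value does not parse.
function parseInstalledOn(raw) {
  const s = String(raw).trim();
  let m;
  if ((m = /^(\d{4})(\d{2})(\d{2})$/.exec(s))) {
    return { format: 'YYYYMMDD', date: utcDate(+m[1], +m[2], +m[3]) };
  }
  if ((m = /^(\d{4})[\/-](\d{1,2})[\/-](\d{1,2})$/.exec(s))) {
    return { format: 'YYYY/MM/DD', date: utcDate(+m[1], +m[2], +m[3]) };
  }
  if ((m = /^(\d{1,2})[\/-](\d{1,2})[\/-](\d{4})$/.exec(s))) {
    // Assumption: month comes first, as in the question's "MM-DD-YYYY".
    return { format: 'MM-DD-YYYY', date: utcDate(+m[3], +m[1], +m[2]) };
  }
  if (/^[0-9a-f]{16}$/i.test(s)) {
    const ms = BigInt('0x' + s) / TICKS_PER_MS - EPOCH_DIFF_MS;
    const dt = new Date(Number(ms));
    // Assumed sanity window: a year outside 1995..2100 is reported as unparsed, not as a date.
    const year = dt.getUTCFullYear();
    const plausible = !Number.isNaN(dt.getTime()) && year >= 1995 && year <= 2100;
    return { format: 'FILETIME', date: plausible ? dt : null };
  }
  return { format: 'unknown', date: null };
}

// Hex values are from the question's example data; the other three are constructed samples.
const samples = ['01d15614cbaee92c', '01cd35e8c07bdeb1', '10cd4bf3009a2541',
                 '20160123', '2016/01/23', '1/23/2016'];
for (const v of samples) {
  const { format, date } = parseInstalledOn(v);
  console.log(v.padEnd(18), format.padEnd(11), date ? date.toISOString() : 'unparsed');
}
```

The value `10cd4bf3009a2541` from the example data decodes to a year far outside the window, so it is reported as unparsed rather than stored as a date.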
