The Windows registry is a critical component of the Windows operating system. It stores important configuration data and settings that help the operating system function properly. One of the registry keys that play an important role in the functioning of the system is the TimeZoneInformation registry key. In this blog post, we'll delve into the registry TimeZoneInformation, its connection with the Dynamic Link Library (DLL) it uses, and how it is used in both normal and malicious scenarios.
Summary Points
Some things worth noting ahead of time if you plan to skim the article:
- -300 is equal to 5 hours behind UTC, calculated in minutes.
- -/+60 is more than likely a reference to the daylight saving adjustment, also calculated in minutes.
- A lot of the time zone data is calculated live, in real time, by referencing the registry, so you will not see a combined value such as -360 where you might expect (-300)+(-60)=(-360).
- In tzres.dll, -112 is the string ID that references which time zone applies. There are normally 2-3 strings for each time zone, as not all time zones use Daylight Saving Time.
String ID | tzres.dll string
110 | (UTC-05:00) Eastern Time (US & Canada)
111 | Eastern Daylight Time
112 | Eastern Standard Time
Key Locations
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
Changing the current TimeZone via Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation
Uses
DLLs
tzres.dll
Registry Contents
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones
Looking at "~\CurrentVersion\Time Zones": this is a registry key in the Windows operating system that stores information about the version of the time zone database used by the system. The time zone database is a collection of information about the world's time zones, including the rules for Daylight Saving Time and the UTC offset for each time zone, which is calculated in minutes. Keeping time zones up to date can be a complex task for developers, as each region of the world keeps updating its own rules.
You can find the latest Windows updates that reference time zones on Learn.Microsoft.com - Daylight saving time help and support.
For a video analysis of this, check out Computerphile @ YouTube.
Display Bias
These keys are, or could be, the following:
- TzSpecificLocalTime: This object contains information about the specific local time for a time zone. It includes information such as the UTC offset, whether Daylight Saving Time is used, and the dates and times when Daylight Saving Time begins and ends.
- TzStandardName: This object contains the display name of the standard time for a time zone, as it is intended to be shown to the user.
- TzDaylightName: This object contains the display name of the Daylight Saving Time for a time zone, as it is intended to be shown to the user.
- Display: This object contains a value that indicates whether the time zone is selected to be displayed in the user interface.
- Dynamic DST: This object contains information about the dynamic Daylight Saving Time for a time zone. It includes information such as the UTC offset, whether Daylight Saving Time is used, and the dates and times when Daylight Saving Time begins and ends.
- Std: This object contains information about the standard time for a time zone. It includes information such as the UTC offset, whether Daylight Saving Time is used, and the dates and times when Daylight Saving Time begins and ends.
- MapID: This object contains a value that maps the time zone to a specific geographic location.
- TZI: This is the only object stored as REG_BINARY. The number is stored in hex and, when deciphered, gives the offset from GMT/UTC. You will see this as The NST example contains
The TzVersion key is a hex binary value that represents the version of the time zone database used by the system. The value of this key is calculated by encoding the version of the database in hex binary form. The exact format of the TzVersion key depends on the version of Windows being used, but it generally includes information about the version of the time zone database and a revision number that is used to track changes to the database.
The TzVersion key is used by the operating system to determine if the time zone information stored in the registry is up-to-date. When the operating system starts up, it checks the TzVersion key against the version of the time zone database stored on the system. If the TzVersion key indicates that the database is out of date, the operating system updates the database and updates the TzVersion key to reflect the new version.
SYSTEM\ControlSet001\Control\TimeZoneInformation
- ActiveTimeBias: A 32-bit value that specifies the current bias value for the active time zone, in minutes.
- Bias: A 32-bit value that specifies the bias value for the current time zone, in minutes.
- DaylightBias: A 32-bit value that specifies the bias value to be used during Daylight Saving Time (DST), in minutes.
- DaylightName: A string value that specifies the name of the time zone during Daylight Saving Time (DST).
- DynamicDaylightTimeDisabled: A 32-bit value that indicates whether dynamic Daylight Saving Time (DST) calculations are enabled (value is 0) or disabled (value is 1). (Why are positive Disabled used in Names? This makes it confusing.... But I digress.)
- StandardBias: A 32-bit value that specifies the bias value to be used during Standard Time, in minutes.
- StandardName: A string value that specifies the name of the time zone during Standard Time.
- TimeZoneKeyName: A string value that specifies the name of the current time zone, as defined in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones registry key.
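The TZI blob described above and the Bias/DaylightBias values in this list are the raw inputs from which Windows computes ActiveTimeBias at runtime. The following Python is an added example (not from the original post) that decodes a 44-byte TZI value as a REG_TZI_FORMAT structure, resolves its "nth weekday of month" transition rules, and recombines Bias with whichever of StandardBias/DaylightBias applies to a given local timestamp. The sample bytes are constructed here to match the Eastern Standard Time layout (Windows stores Bias as UTC minus local time, so UTC-05:00 appears as 300 and the DST adjustment as -60); the function names are my own.

```python
import calendar
import struct
from datetime import datetime, timedelta

# REG_TZI_FORMAT: LONG Bias, StandardBias, DaylightBias, then two SYSTEMTIME structs
# (StandardDate, DaylightDate) of 8 WORDs each: year, month, dayOfWeek, day, hour, min, sec, ms.
TZI_STRUCT = struct.Struct("<3l16H")  # 12 + 32 = 44 bytes
FIELDS = ("year", "month", "day_of_week", "week", "hour", "minute", "second", "ms")

def parse_tzi(blob):
    """Decode a TZI REG_BINARY value into its bias fields and DST transition rules."""
    if len(blob) != TZI_STRUCT.size:
        raise ValueError(f"TZI must be {TZI_STRUCT.size} bytes, got {len(blob)}")
    f = TZI_STRUCT.unpack(blob)
    return {"Bias": f[0], "StandardBias": f[1], "DaylightBias": f[2],
            "StandardDate": dict(zip(FIELDS, f[3:11])),
            "DaylightDate": dict(zip(FIELDS, f[11:19]))}

def transition(rule, year):
    """Resolve a relative rule (year == 0): the 'week'-th 'day_of_week' of 'month',
    where week 5 means the last occurrence and day_of_week 0 is Sunday."""
    first_dow = (datetime(year, rule["month"], 1).weekday() + 1) % 7   # Python Mon=0 -> Sun=0
    day = 1 + (rule["day_of_week"] - first_dow) % 7 + 7 * (rule["week"] - 1)
    while day > calendar.monthrange(year, rule["month"])[1]:           # week 5 overshoot
        day -= 7
    return datetime(year, rule["month"], day, rule["hour"], rule["minute"])

def active_time_bias(tzi, local_dt):
    """Recompute ActiveTimeBias as Windows does at runtime: Bias plus the bias in force at local_dt."""
    if tzi["DaylightDate"]["month"] == 0:                 # zone without DST
        return tzi["Bias"] + tzi["StandardBias"]
    start = transition(tzi["DaylightDate"], local_dt.year)
    end = transition(tzi["StandardDate"], local_dt.year)
    if start < end:                                       # northern hemisphere
        in_dst = start <= local_dt < end
    else:                                                 # southern hemisphere, DST spans New Year
        in_dst = not (end <= local_dt < start)
    return tzi["Bias"] + (tzi["DaylightBias"] if in_dst else tzi["StandardBias"])

# Constructed sample laid out like the "Eastern Standard Time" TZI (not copied from a live system)
EASTERN_TZI = TZI_STRUCT.pack(300, 0, -60,
                              0, 11, 0, 1, 2, 0, 0, 0,    # StandardDate: 1st Sunday of November 02:00
                              0, 3, 0, 2, 2, 0, 0, 0)     # DaylightDate: 2nd Sunday of March 02:00

def eastern_demo():
    """Map two local timestamps to (ActiveTimeBias, UTC) under the constructed sample."""
    tzi = parse_tzi(EASTERN_TZI)
    return {w.isoformat(): (active_time_bias(tzi, w),
                            (w + timedelta(minutes=active_time_bias(tzi, w))).isoformat())
            for w in (datetime(2023, 1, 15, 12), datetime(2023, 7, 15, 12))}
```

Feeding a TZI value exported from a hive into parse_tzi lets you check an artifact's local timestamps against the bias that was actually in force, rather than the Bias value alone.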
TimeZone Call
Putting the DSTs together
Event Log
%SYSTEM ROOT%\System32\winevt\logs\System.evtx
Conclusion
In conclusion, the registry TimeZoneInformation is a critical component of the Windows operating system that is used to store time zone information. The information stored in this key is used by the operating system to display the correct time and date, as well as to adjust for DST. The TimeZoneInformation registry key uses the kernel32.dll file to access the information stored in the registry, and it can be used for both normal and malicious purposes. Understanding the registry TimeZoneInformation and its connection with the DLL file is important for anyone who works with the Windows operating system, as it can help them troubleshoot issues related to time and date management.
Additional Sources:
- The Problem with Time & Timezones - Computerphile @ YouTube
- Windows 7 DLL File Information - tzres.dll @ win7dll.info
- This contains the String ID such as the numbers for TimeZones
- Windows 10 DLL File Information - tzres.dll @ http://windows10dll.nirsoft.net