Monitor the changes overnight as they happen
March and November are the months that give you the opportunity to test the effects of daylight savings time changes in real time. A day before the change, you can create a simple batch file that creates files on your system one minute at a time. It will keep creating files as the time rolls over and daylight savings time takes effect.
Create the following batch file and schedule it to run from 11PM to 4AM
REM schedule with
REM C:\Windows\system32>schtasks /create /TN daylight_change /SC MINUTE /MO 1 /TR c:\monitor.bat /SD 03/08/2014 /ED 03/09/2014 /ST 23:00 /ET 04:00
REM if not using /K to terminate the task, then you can manually remove it
REM schtasks /delete /TN daylight_change /f
REM you can schedule tasks in GUI by running
REM control schedtasks
REM or
REM taskschd.msc
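@echo OFF
REM on a US-English system date /T prints e.g. "Sat 03/08/2014"; tokens 2-4 are month, day, year
for /f "tokens=2-4 delims=/ " %%a in ('date /T') do set month=%%a
for /f "tokens=2-4 delims=/ " %%a in ('date /T') do set day=%%b
for /f "tokens=2-4 delims=/ " %%a in ('date /T') do set year=%%c
REM time /T prints e.g. "11:00 PM"; tokens 1-3 are hour, minute, AM/PM
for /f "tokens=1-3 delims=:/ " %%a in ('time /T') do set hour=%%a
for /f "tokens=1-3 delims=:/ " %%a in ('time /T') do set minute=%%b
for /f "tokens=1-3 delims=:/ " %%a in ('time /T') do set tod=%%c
REM use a name other than "time" so the built-in %TIME% variable is not overridden
set stamp=%month%%day%%year%%hour%%minute%%tod%
dir c:\ > c:\temp\file_%stamp%.txt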
Note: Windows XP does not support /ET, and /ST must be in HH:MM:SS format, i.e. 23:00:00
Code it to Learn It
Write code to understand the SYSTEMTIME structure that Microsoft uses; this might be helpful in other structure analysis later as you investigate new artifacts. Understanding structures helps you develop pattern recognition for closed source systems where low level analysis is needed. Structures are easier to understand for those new to programming if you run some code that uses them. The TimeZoneInformation registry key can give you a good example of SYSTEMTIME usage, and you can use its values to verify your understanding of structures as they are stored. Pay attention to data types, especially the size of WORD. You can compile the following code in Visual Studio, which should be free to download for students from DreamSpark ( https://www.dreamspark.com/ ), or use a free compiler like Dev-C++ ( http://sourceforge.net/projects/orwelldevcpp/ )
Always use reliable resources as you form your opinion on how data structures work: read the vendor's or developer's documentation, not someone else's interpretation.
http://msdn.microsoft.com/en-us/library/ms724950(v=VS.85).aspx
/*
Read time zone information from registry
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation
Value 2
Name: StandardStart
Type: REG_BINARY
Data:
00000000 00 00 0b 00 01 00 02 00 - 00 00 00 00 00 00 00 00
Value 6
Name: DaylightStart
Type: REG_BINARY
Data:
00000000 00 00 03 00 02 00 02 00 - 00 00 00 00 00 00 00 00
Understand the SYSTEMTIME structure
typedef struct _SYSTEMTIME {
WORD wYear; // 1601 - 30827
WORD wMonth; // Jan(1) - Dec(12)
WORD wDayOfWeek; // Sun(0) - Sat(6)
WORD wDay; // 1 - 31
WORD wHour; // 0 - 23
WORD wMinute; // 0 - 59
WORD wSecond; // 0 - 59
WORD wMilliseconds; // 0 - 999
} SYSTEMTIME, *PSYSTEMTIME;
*/
//Experiment with time values
#include <windows.h> // GetSystemTime, GetLocalTime, SYSTEMTIME
#include <iostream>  // cin, cout, endl
//#include <stdio.h> // printf
#include <fstream>   // ifstream, ofstream - file stream handling
#include <ctime>     // time_t, time(), localtime()
#include <iomanip>   // setw(), setfill()
using namespace std;
int main()
{
    ofstream outFile;
    //log the file times into c:\temp\time_output.txt by appending the values
    outFile.open("c:\\temp\\time_output.txt", ios::app);
    SYSTEMTIME st, lt;
    GetSystemTime(&st); // UTC
    GetLocalTime(&lt);  // local time, with the time zone and DST bias applied
    //printf("The system time is: %02d:%02d\n", st.wHour, st.wMinute);
    //printf(" The local time is: %02d:%02d\n", lt.wHour, lt.wMinute);
    cout << "The system time is: " << setw(5) << st.wHour << ":" << st.wMinute << endl;
    cout << " The local time is: " << setw(5) << lt.wHour << ":" << lt.wMinute << endl << endl;
    outFile << "The system time is: " << setw(5) << st.wHour << ":" << st.wMinute << endl;
    outFile << " The local time is: " << setw(5) << lt.wHour << ":" << lt.wMinute << endl;
    outFile.close();
    /*
    struct tm {
    int tm_sec; // seconds of minutes from 0 to 61
    int tm_min; // minutes of hour from 0 to 59
    int tm_hour; // hours of day from 0 to 23
    int tm_mday; // day of month from 1 to 31
    int tm_mon; // month of year from 0 to 11
    int tm_year; // year since 1900
    int tm_wday; // days since sunday
    int tm_yday; // days since January 1st
    int tm_isdst; // daylight savings time flag: > 0 in effect, 0 not in effect, < 0 unknown
    }
    */
    // current date/time based on current system
    time_t now = time(0);
    cout << "Number of seconds since January 1, 1970: " << now << endl << endl;
    tm *ltm = localtime(&now);
    // print various components of tm structure.
    cout << " Year: " << setw(11) << 1900 + ltm->tm_year << endl;
    cout << "Month: " << setw(11) << 1 + ltm->tm_mon << endl; // tm_mon is zero-based
    cout << " Day: " << setw(11) << ltm->tm_mday << endl;
    // tm_hour, tm_min and tm_sec already hold the clock values, so nothing is added to them
    cout << " Time: " << setw(5) << ltm->tm_hour << ":";
    cout << ltm->tm_min << ":";
    cout << ltm->tm_sec << endl;
    return 0;
}
Note: Newer compilers will not allow the use of the deprecated function localtime(). Use localtime_s() instead.
struct tm timeinfo;
localtime_s(&timeinfo, &now);
cout << " Year: " << setw(11) << 1900 + timeinfo.tm_year << endl;
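The registry values quoted in the program's opening comment, decoded here as an added example (not code from the original page): each 16-byte value is read as eight little-endian WORDs and then labelled twice, once in SYSTEMTIME declaration order and once with the weekday as the last WORD. The second order (that of the kernel's TIME_FIELDS structure), the Rule struct and the function names are assumptions of this example; that order gives the second Sunday of March at 02:00, which agrees with the 01:59 to 03:00 jump in the page's 2014-Mar-09 file listing.

```cpp
// Added example: decode the StandardStart / DaylightStart registry values
// quoted on the page. Portable C++, no windows.h needed.
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>

using Words = std::array<uint16_t, 8>; // 8 WORDs x 2 bytes = 16 bytes

// Bytes copied from the page's registry dump (remaining 8 bytes are zero).
const uint8_t STANDARD_START[16] = {0x00, 0x00, 0x0b, 0x00, 0x01, 0x00, 0x02, 0x00};
const uint8_t DAYLIGHT_START[16] = {0x00, 0x00, 0x03, 0x00, 0x02, 0x00, 0x02, 0x00};

// A WORD is stored low byte first, so the bytes 0b 00 are 0x000b = 11.
Words decode_words(const uint8_t (&raw)[16]) {
    Words w{};
    for (std::size_t i = 0; i < w.size(); ++i)
        w[i] = static_cast<uint16_t>(raw[2 * i] | (raw[2 * i + 1] << 8));
    return w;
}

// With a year of 0 the value is a yearly rule, not a date:
// the "occurrence"-th "weekday" (Sun = 0) of "month", at "hour".
struct Rule { uint16_t month, weekday, occurrence, hour; };

// Field order as declared in SYSTEMTIME:
// wYear, wMonth, wDayOfWeek, wDay, wHour, wMinute, wSecond, wMilliseconds
Rule as_systemtime(const Words& w) { return {w[1], w[2], w[3], w[4]}; }

// Assumed alternative order with the weekday last (kernel TIME_FIELDS):
// Year, Month, Day, Hour, Minute, Second, Milliseconds, Weekday
Rule as_weekday_last(const Words& w) { return {w[1], w[7], w[2], w[3]}; }

static void show(const char* label, const Rule& r) {
    std::printf("%-28s month=%d weekday=%d occurrence=%d hour=%d\n",
                label, r.month, r.weekday, r.occurrence, r.hour);
}

int main() {
    const Words s = decode_words(STANDARD_START);
    const Words d = decode_words(DAYLIGHT_START);
    show("DaylightStart as SYSTEMTIME", as_systemtime(d));
    show("DaylightStart weekday-last", as_weekday_last(d));
    show("StandardStart as SYSTEMTIME", as_systemtime(s));
    show("StandardStart weekday-last", as_weekday_last(s));
    return 0;
}
```

Comparing the two labellings against a change you observed yourself is a quick way to confirm which field order a stored structure actually uses before relying on it in an examination.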
UTC time stamps provide a more consistent view of file metadata.
Filename | Size (bytes) | Created | Modified | Accessed |
file03092014-01_54_AM.txt | 102262 | 2014-Mar-09 07:54:00.171875 UTC | 2014-Mar-09 07:54:00.203125 UTC | 2014-Mar-09 07:54:00.203125 UTC |
file03092014-01_55_AM.txt | 102262 | 2014-Mar-09 07:55:00.156250 UTC | 2014-Mar-09 07:55:00.187500 UTC | 2014-Mar-09 07:55:00.187500 UTC |
file03092014-01_56_AM.txt | 102262 | 2014-Mar-09 07:56:00.156250 UTC | 2014-Mar-09 07:56:00.187500 UTC | 2014-Mar-09 07:56:00.187500 UTC |
file03092014-01_57_AM.txt | 102262 | 2014-Mar-09 07:57:00.156250 UTC | 2014-Mar-09 07:57:00.187500 UTC | 2014-Mar-09 07:57:00.187500 UTC |
file03092014-01_58_AM.txt | 102262 | 2014-Mar-09 07:58:00.156250 UTC | 2014-Mar-09 07:58:00.187500 UTC | 2014-Mar-09 07:58:00.187500 UTC |
file03092014-01_59_AM.txt | 102262 | 2014-Mar-09 07:59:00.156250 UTC | 2014-Mar-09 07:59:00.187500 UTC | 2014-Mar-09 07:59:00.187500 UTC |
file03092014-03_00_AM.txt | 102262 | 2014-Mar-09 08:00:00.156250 UTC | 2014-Mar-09 08:00:00.187500 UTC | 2014-Mar-09 08:00:00.187500 UTC |
file03092014-03_01_AM.txt | 102262 | 2014-Mar-09 08:01:00.156250 UTC | 2014-Mar-09 08:01:00.187500 UTC | 2014-Mar-09 08:01:00.187500 UTC |
file03092014-03_02_AM.txt | 102262 | 2014-Mar-09 08:02:00.265625 UTC | 2014-Mar-09 08:02:00.328125 UTC | 2014-Mar-09 08:02:00.328125 UTC |
file03092014-03_03_AM.txt | 102262 | 2014-Mar-09 08:03:00.156250 UTC | 2014-Mar-09 08:03:00.187500 UTC | 2014-Mar-09 08:03:00.187500 UTC |
file03092014-03_04_AM.txt | 102262 | 2014-Mar-09 08:04:00.156250 UTC | 2014-Mar-09 08:04:00.187500 UTC | 2014-Mar-09 08:04:00.187500 UTC |
To monitor "fall back" schedule the following task and post your findings here.
c:\>schtasks /create /TN daylight_change /SC MINUTE /MO 1 /TR c:\monitor.bat /sd 11/01/2014 /ED 11/02/2014 /ST 23:00 /ET 04:00