
w32tm ntte timestamps

While doing an internal pentest I was questioned by a client and forced to do some investigative research across a domain on the patches that had been pushed to end systems.

I had to check 100+ different machines to find out why patches our toolset had identified as missing one week prior were no longer identified as missing when the client tried to validate the findings.

This perplexed me to the point of frustration, as it became a continual process: the client would tell me my tools were not working properly and that I had to rescan their equipment over and over again.

I had been given domain admin credentials at the start of the engagement and was using authenticated scanning from industry-proven tools. I also made it a point to use numerous built-in applications common to most Windows admins.

The first thing I did was produce a text file containing all the Windows machines I was able to reach, stored as

C:\tgt.txt 

Then, with the credentials, I constructed the following command:



        wmic /node:@tgt.txt /output:"c:\file.csv" /user:Admin /password:"aA1!" QFE list full



Let's break this down into its sections to properly understand what follows:



Wmic - stands for Windows Management Instrumentation Command-line
/node:@tgt.txt - reads the target systems from the text file and runs the command against each entry in the list in turn
/output:"c:\file.csv" - produces a file in the c:\ root named file.csv, containing all the information dumped by the command
/user:Admin - the user name to log into the remote machines with; preferably an account that has domain permissions
/password:"aA1!" - the password for the account in question, used to authenticate to the systems
QFE - Quick Fix Engineering - the WMI class specific to patching on the systems in question
list - return a list of objects for the QFE class
full - return detailed information from the machines about patching



Now that we understand the command, I encourage you to explore more of WMIC's functionality, since it is very in-depth.

Running this command generates a file in the c:\ root directory. When examining this file to find the dates the patches were installed on, I found that numerous systems had human-readable dates while others were not so readable.

Through research I found that the format they were stored in is referred to as ntte (NT time epoch) and was introduced in Vista.

The next step was trying to figure out how to identify what these dates were, which meant sifting through pages and pages of nonsense from non-technical Windows users guessing, and other pages which mistook this format for ntpte, another format that hides the installed date/time from human readability.

The command I was finally introduced to was w32tm.exe, which is usually present on NT systems and can be used to convert the 10^7 format back to a more human-friendly format.

Since I was only interested in dates within the window in which I started and performed the assessment, but was unable to identify them, I tooled up a script to grab only those dates and then made a for loop to iterate over the times.

One thing to note is that you will need to make the values match hex format, which means prepending '0x' to the start of the numbers:



        01ce06c2b89b679c would become 0x01ce06c2b89b679c



So now we have prepended the numbers with the designating '0x' and saved them to a file. We still have no idea what dates these hex values represent, so we need a way to search for them in the text file we produced from the WMIC command.

We write a for loop to help with this:



        FOR /F %i IN (c:\time.txt) DO w32tm /ntte %i



This produces a list in which you can easily identify the timestamps in the timeframe you were looking for, and a quick search of the document then identifies the patch that was installed.
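To put the two steps above together (dumping QFE records with WMIC, then decoding the InstalledOn values the way w32tm /ntte does), here is an added example of my own; it is not code from the original post. It interprets each hex value as 100-nanosecond ticks since 1601-01-01 00:00 UTC, prints the day-count/time pair the way w32tm does, and keeps only the hotfixes installed inside an assessment window, which is the filtering the author scripted by hand. The Key=Value record layout of the sample, the placeholder KB numbers, the window dates and all function names are assumptions; the one input taken from the page is the hex value 01ce06c2b89b679c.

```python
"""Decode Win32_QuickFixEngineering InstalledOn values (hex NT time / FILETIME)
and keep only the hotfixes installed inside an assessment window.

Added example, not the original post's code. Reproduces in Python what
`w32tm /ntte` does: the value is a count of 100 ns ticks since 1601-01-01 UTC.
The record layout used below (Key=Value lines, blank line between records)
is an assumption about WMIC `list full` output; adapt the split if yours differs.
"""
import re
from datetime import datetime, timedelta, timezone

NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000            # one tick = 100 ns
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND


def parse_ntte(value: str) -> int:
    """Accept '01ce06c2b89b679c' or '0x01ce06c2b89b679c' and return the tick count."""
    s = value.strip().lower()
    if s.startswith("0x"):
        s = s[2:]
    if not re.fullmatch(r"[0-9a-f]{1,16}", s):
        raise ValueError(f"not a hex NT time value: {value!r}")
    return int(s, 16)


def ntte_to_datetime(value: str) -> datetime:
    """UTC datetime for a hex NT time value (the 100 ns digit below microseconds is dropped)."""
    return NT_EPOCH + timedelta(microseconds=parse_ntte(value) // 10)


def datetime_to_ntte(dt: datetime) -> str:
    """Inverse conversion: 16-digit hex NT time for a timezone-aware datetime."""
    delta = dt.astimezone(timezone.utc) - NT_EPOCH
    ticks = (delta.days * 86_400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10
    return f"{ticks:016x}"


def ntte_w32tm_style(value: str) -> str:
    """'<days since 1601> HH:MM:SS.<7-digit fraction>' in UTC, the first half of a w32tm /ntte line."""
    days, rem = divmod(parse_ntte(value), TICKS_PER_DAY)
    seconds, frac = divmod(rem, TICKS_PER_SECOND)
    hours, rem = divmod(seconds, 3600)
    minutes, secs = divmod(rem, 60)
    return f"{days} {hours:02d}:{minutes:02d}:{secs:02d}.{frac:07d}"


def installed_on_to_datetime(value: str) -> datetime:
    """InstalledOn is a string: either a readable M/D/YYYY date or a 16-digit hex NT time."""
    v = value.strip()
    if re.fullmatch(r"\d{1,2}/\d{1,2}/\d{4}", v):
        return datetime.strptime(v, "%m/%d/%Y").replace(tzinfo=timezone.utc)
    return ntte_to_datetime(v)


def hotfixes_in_window(text: str, start: datetime, end: datetime) -> list:
    """Return [(HotFixID, installed datetime)] for records installed in [start, end)."""
    hits = []
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split("=", 1) for line in record.splitlines() if "=" in line)
        if "HotFixID" not in fields or "InstalledOn" not in fields:
            continue
        when = installed_on_to_datetime(fields["InstalledOn"])
        if start <= when < end:
            hits.append((fields["HotFixID"], when))
    return hits


# Constructed sample in the assumed list-format layout; KB numbers are placeholders.
# Record 1 uses the hex value from the post, record 2 a readable date, record 3 a
# value built with the inverse function so it falls outside the window below.
SAMPLE_QFE = f"""
HotFixID=KB000001
InstalledOn=01ce06c2b89b679c

HotFixID=KB000002
InstalledOn=2/9/2013

HotFixID=KB000003
InstalledOn={datetime_to_ntte(datetime(2012, 12, 1, 8, 0, tzinfo=timezone.utc))}
"""

if __name__ == "__main__":
    window = (datetime(2013, 2, 1, tzinfo=timezone.utc), datetime(2013, 2, 28, tzinfo=timezone.utc))
    value = "0x01ce06c2b89b679c"
    print(ntte_w32tm_style(value), "-", ntte_to_datetime(value).isoformat())
    for kb, when in hotfixes_in_window(SAMPLE_QFE, *window):
        print(kb, when.isoformat())
```

Run as-is, the script decodes 0x01ce06c2b89b679c to day 150519, 12:41:03.0937500 UTC, i.e. 9 February 2013 (w32tm then appends the same instant in local time). That is a week earlier than the 150526 / 16 February line quoted further down, so that output line must have been captured from a different input value; worth knowing before you compare your own converted timestamps against it.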

If you're only trying to identify one specific timestamp and just need to issue the command for a single value rather than a for loop, use this:



        w32tm /ntte 0x01ce06c2b89b679c



The expected output will now be something more readable and understandable:



        150526 13:26:25.2953526 - 2/16/2013 5:26:25 AM



And that's it, enjoy ;)
