3 replies to this topic

[tootypegs]

hi everyone. I would like to examine windows shortcut files (.lnk). I know they contain 3 64 bit windows times and dates for there last accessed, modified and created dates. I would like to be able to extract these from the files if I can but so far i am struggling a lot. I thought about stripping each 8 bit timestamp from the file and converting it but its there a way to get the tim es from the file by using 'getfiletime'? I am struggleing a lot

[Xav]

Hmm... if you're using managed C++ with .NET, there are various APIs to use.

[dargueta]

Wotsit.org has a ton of information on various file formats. You could read the file and process the parts you want yourself. That way you don't have to deal with cumbersome API that you might not know how to use...or might not be available. Just type "lnk" (no quotes) in the search box in the upper right-hand corner and click "Go!". I can't do it because my web browser is being retarded right now.

[dargueta]

LNK File Format search on Wotsit.org

Okay, I did a bit of searching on the Internet. A 64-bit timestamp is the count of 100-nanosecond intervals since January 1st, 1601. (Don't ask me why, I don't know.) There is an API function to convert called FileTimeToSystemTime(). What you need to do is:

[HIGHLIGHT="C"]
#include <windows.h>
...

FILETIME ftime;
SYSTEMTIME systime;

//open file
FILE *lnk = fopen("file_path","rb");
//set file pointer to proper location for read
fseek(lnk,offset_of_time_stamp,SEEK_SET);
//read date stamp
fread(&ftime,sizeof(FILETIME),1,lnk);
//convert
FileTimeToSystemTime(&ftime,&systime);
//do your thing here
[/HIGHLIGHT]

Here is the data you'll need to utilize the output:
SYSTEMTIME structure