The 4N6 Post
TimeZoneInformation

 

The Windows registry is a critical component of the Windows operating system. It stores important configuration data and settings that help the operating system function properly. One of the registry keys that play an important role in the functioning of the system is the TimeZoneInformation registry key. In this blog post, we'll delve into the registry TimeZoneInformation, its connection with the Dynamic Link Library (DLL) it uses, and how it is used in both normal and malicious scenarios.

Summary Points

Something worth noting ahead of time, if you plan to skim the article:

  • -300 is equal to 5 hours behind UTC time, calculated in minutes.
  • -/+60 is more than likely a reference to the daylight saving adjustment, calculated in minutes.
  • A lot of the time zone data is calculated live in real time by referencing the registry, and does not show data such as -360 when it should be (-300)+(-60)=(-360).
  • tzres.dll, -112 is the String ID that references which time zone is applicable. There are normally 2-3 for each time zone, as not all time zones use daylight saving time.
    • 110 (UTC-05:00) Eastern Time (US & Canada)
    • 111 Eastern Daylight Time
    • 112 Eastern Standard Time




Key Locations


HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation




HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones


Changing the current TimeZone via Registry

The registry section involving TimeZoneInformation can be found by opening the Registry Editor (regedit) and navigating to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation


Uses

In a normal use case, the TimeZoneInformation registry key is used to ensure that the correct time and date are displayed on the system. For example, if a user travels from one time zone to another, the operating system can automatically adjust the time and date display to match the new time zone. This is achieved by updating the information stored in the TimeZoneInformation registry key.

    Here is the TimeZoneInformation comparing EST and NST:





However, the TimeZoneInformation registry key can also be used for malicious purposes. For example, attackers can use the TimeZoneInformation registry key to change the time zone information and make it appear as though the system is in a different location. This can be used to evade detection or to make it appear as though certain actions were taken at a different time. Attackers can also use the TimeZoneInformation registry key to bypass security measures that rely on accurate time information, such as time-based authentication or logging.

DLLs

tzres.dll

The tzres.dll file is a dynamic-link library (DLL) that contains the time zone resources for the Windows operating system. The file is used by the operating system and applications to access the time zone information stored in the registry, in order to display the time, date, and other time-related information for the specific time zone. It is also used by applications and services that need to convert dates and times between different time zones.

The tzres.dll file is located in the %windir%\system32 directory, where %windir% is the Windows installation directory (e.g., C:\Windows). The file is loaded by the operating system when it starts up and is used by the operating system and applications to access the time zone information stored in the registry.

    The DLL file is used by Microsoft to account for changes in the rules for Daylight Saving Time and other time-related information. The updates are made available through Windows Update, and the operating system checks the file to determine if the time zone information stored in the file is up-to-date. If an update is available, the operating system downloads and installs the update, updating the tzres.dll file as needed.

Registry Contents

    SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones

    The "~\CurrentVersion\Time Zones" registry key is used by the Windows operating system to store information about the version of the time zone database used by the system. The time zone database is a collection of information about the world's time zones, including the rules for Daylight Saving Time and the UTC offset for each time zone, which is calculated in minutes. Keeping time zones up-to-date can be a complex task for developers, as each location in the world keeps updating its own rules.

You can find the latest Windows updates that reference time zones at Learn.Microsoft.com - Daylight saving time help and support.

    For video analysis of this you can check out Computerphile YouTube


    TzVersion:
 This object contains the version of the time zone database used by the system. The value of this object is a binary representation of the version of the database, and is used by the operating system to determine if the time zone information stored in the registry is up-to-date. Microsoft uses this number as reference to use during Windows Updates and if the updates occur, the appropriate registry locations will be updated.


Display Bias

A display bias is a value that is added to or subtracted from the time in a time zone in order to display the time in a different time zone. This would primarily affect only what is displayed to the user. You might see examples

Each of the Time Zones sub keys such as Alaskan Standard Time or Atlantic Standard Time contains a list of Objects with values. 

    These keys are or could be:

  1. TzSpecificLocalTime: This object contains information about the specific local time for a time zone. It includes information such as the UTC offset, whether Daylight Saving Time is used, and the dates and times when Daylight Saving Time begins and ends.
  2. TzStandardName: This object contains the display name of the standard time for a time zone, as it is intended to be shown to the user.
  3. TzDaylightName: This object contains the display name of the Daylight Saving Time for a time zone, as it is intended to be shown to the user.
  4. Display: This object contains a value that indicates whether the time zone is selected to be displayed in the user interface.
  5. Dynamic DST: This object contains information about the dynamic Daylight Saving Time for a time zone. It includes information such as the UTC offset, whether Daylight Saving Time is used, and the dates and times when Daylight Saving Time begins and ends.
  6. Std: This object contains information about the standard time for a time zone. It includes information such as the UTC offset, whether Daylight Saving Time is used, and the dates and times when Daylight Saving Time begins and ends.

  7. MapID: This object contains a value that maps the time zone to a specific geographic location.
  8. TZI: This is the only object stored as REG_BINARY. The number is stored in hex and, when deciphered, gives the offset from GMT/UTC. The NST example contains:

     D2 00 00 00 00 00 00 00
     C4 FF FF FF 00 00 0B 00
     00 00 01 00 02 00 00 00
     00 00 00 00 00 00 03 00
     00 00 02 00 02 00 00 00
     00 00 00 00

     Converted Value: 210
     (This represents 210 minutes, or 3.5 hours. This is also readable in the Display key.)
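
The NST bytes quoted above, decoded field by field as an added example (not code from the original post). It assumes Microsoft's documented REG_TZI_FORMAT layout (three 32-bit biases followed by two SYSTEMTIME structures) and the Windows convention UTC = local time + bias; the function and variable names are this example's own.

```python
import struct
from collections import namedtuple

# The 44 NST bytes quoted above, re-typed here as sample input.
NST_TZI = bytes.fromhex(
    "D2 00 00 00 00 00 00 00  C4 FF FF FF 00 00 0B 00 "
    "00 00 01 00 02 00 00 00  00 00 00 00 00 00 03 00 "
    "00 00 02 00 02 00 00 00  00 00 00 00")

Transition = namedtuple("Transition", "year month day_of_week day hour minute")
Tzi = namedtuple("Tzi", "bias standard_bias daylight_bias standard_date daylight_date")

DAYS = ("Sunday", "Monday", "Tuesday", "Wednesday", "Thursday", "Friday", "Saturday")
WEEKS = {1: "first", 2: "second", 3: "third", 4: "fourth", 5: "last"}

def _systemtime(raw):
    # SYSTEMTIME is eight little-endian WORDs; seconds and milliseconds are dropped.
    year, month, dow, day, hour, minute, _, _ = struct.unpack("<8H", raw)
    return Transition(year, month, dow, day, hour, minute)

def parse_tzi(blob):
    """Decode a TZI value: Bias, StandardBias, DaylightBias, StandardDate, DaylightDate."""
    if len(blob) != 44:
        raise ValueError(f"TZI must be 44 bytes, got {len(blob)}")
    bias, standard_bias, daylight_bias = struct.unpack_from("<3l", blob, 0)
    return Tzi(bias, standard_bias, daylight_bias,
               _systemtime(blob[12:28]), _systemtime(blob[28:44]))

def utc_offset(bias_minutes):
    """Render a bias as a UTC offset label; UTC = local + bias, so the sign flips."""
    total = -bias_minutes
    hours, minutes = divmod(abs(total), 60)
    return f"UTC{'+' if total >= 0 else '-'}{hours:02d}:{minutes:02d}"

def describe(t):
    """Explain a transition rule; wMonth == 0 means the zone has no DST change."""
    if t.month == 0:
        return "no transition"
    if t.year == 0:  # recurring rule: 'day' is the occurrence of the weekday in the month
        week = WEEKS.get(t.day, f"occurrence {t.day}")
        weekday = DAYS[t.day_of_week] if t.day_of_week < 7 else f"weekday {t.day_of_week}"
        return f"{week} {weekday} of month {t.month} at {t.hour:02d}:{t.minute:02d}"
    return f"{t.year:04d}-{t.month:02d}-{t.day:02d} {t.hour:02d}:{t.minute:02d}"

if __name__ == "__main__":
    tzi = parse_tzi(NST_TZI)
    print("standard:", utc_offset(tzi.bias + tzi.standard_bias), "from", describe(tzi.standard_date))
    print("daylight:", utc_offset(tzi.bias + tzi.daylight_bias), "from", describe(tzi.daylight_date))
```

The first four bytes give the 210 shown above; the remaining fields carry the -60 minute daylight bias and the two recurring transition rules.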

The Dynamic DST key contains older DST keys, stored with the year as the value. This is the 32-bit value that specifies the date for which the DST transition information applies.



The TzVersion key is a hex binary value that represents the version of the time zone database used by the system. The value of this key is calculated by encoding the version of the database in hex binary form. The exact format of the TzVersion key depends on the version of Windows being used, but it generally includes information about the version of the time zone database and a revision number that is used to track changes to the database.


The TzVersion key is used by the operating system to determine if the time zone information stored in the registry is up-to-date. When the operating system starts up, it checks the TzVersion key against the version of the time zone database stored on the system. If the TzVersion key indicates that the database is out of date, the operating system updates the database and updates the TzVersion key to reflect the new version.

SYSTEM\ControlSet001\Control\TimeZoneInformation

  1. ActiveTimeBias: A 32-bit value that specifies the current bias value for the active time zone, in minutes.
  2. Bias: A 32-bit value that specifies the bias value for the current time zone, in minutes.
  3. DaylightBias: A 32-bit value that specifies the bias value to be used during Daylight Saving Time (DST), in minutes.
  4. DaylightName: A string value that specifies the name of the time zone during Daylight Saving Time (DST).
  5. DynamicDaylightTimeDisabled: A 32-bit value that indicates whether dynamic Daylight Saving Time (DST) calculations are enabled (value is 0) or disabled (value is 1). (Why are positive Disabled used in Names? This makes it confusing.... But I digress.)
  6. StandardBias: A 32-bit value that specifies the bias value to be used during Standard Time, in minutes.
  7. StandardName: A string value that specifies the name of the time zone during Standard Time.
  8. TimeZoneKeyName: A string value that specifies the name of the current time zone, as defined in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones registry key.
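
A triage check over the values listed above, as an added example (not code from the original post): it tests whether ActiveTimeBias equals Bias plus StandardBias or DaylightBias, whether Bias falls within the range of real time zones, and whether it matches the TZI bias of the zone named in TimeZoneKeyName. The sample values are constructed from the NST figures on this page, and the function names are this example's own.

```python
from datetime import datetime, timedelta

def to_signed32(dword):
    """Registry DWORDs read back unsigned; the bias values are signed minutes."""
    return dword - 0x1_0000_0000 if dword & 0x8000_0000 else dword

def check_time_zone_information(values, catalogue_bias=None):
    """Return a list of inconsistencies found in TimeZoneInformation values."""
    bias = to_signed32(values["Bias"])
    active = to_signed32(values["ActiveTimeBias"])
    standard = bias + to_signed32(values["StandardBias"])
    daylight = bias + to_signed32(values["DaylightBias"])
    findings = []
    if active not in (standard, daylight):
        findings.append(
            f"ActiveTimeBias {active} is neither Bias+StandardBias ({standard}) "
            f"nor Bias+DaylightBias ({daylight})")
    # Real zones span UTC-12:00 to UTC+14:00, i.e. a bias of 720 down to -840.
    if not -840 <= bias <= 720:
        findings.append(f"Bias {bias} is outside the range of real time zones")
    # catalogue_bias: the Bias decoded from the TZI value of the zone's Time Zones subkey.
    if catalogue_bias is not None and bias != catalogue_bias:
        findings.append(
            f"Bias {bias} differs from the TZI bias {catalogue_bias} of "
            f"{values['TimeZoneKeyName']!r}")
    return findings

def local_to_utc(local, active_time_bias):
    """Normalise a local timestamp; Windows defines UTC = local time + bias."""
    return local + timedelta(minutes=to_signed32(active_time_bias))

# Constructed sample values (not taken from a real system).
CONSISTENT = {"Bias": 210, "StandardBias": 0, "DaylightBias": 0xFFFFFFC4,
              "ActiveTimeBias": 150, "TimeZoneKeyName": "Newfoundland Standard Time"}
INCONSISTENT = dict(CONSISTENT, ActiveTimeBias=0xFFFFFE20)  # reads as -480

if __name__ == "__main__":
    for name, sample in (("consistent", CONSISTENT), ("inconsistent", INCONSISTENT)):
        print(name, check_time_zone_information(sample, catalogue_bias=210))
    print(local_to_utc(datetime(2023, 7, 1, 12, 0), CONSISTENT["ActiveTimeBias"]))
```

A finding here is a reason to look closer at when and how the key was last written, not proof of tampering on its own.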

TimeZone Call

At a core level, the time zone information stored in the registry is accessed through the DLL file "kernel32.dll". This DLL contains a number of functions related to time and date management, including the GetTimeZoneInformation function. This function is used to retrieve the time zone information stored in the "SYSTEM\ControlSet001\Control\TimeZoneInformation" registry key. The operating system uses this information to adjust the time and date display accordingly.

Putting the DSTs together

In this section we are going to briefly make sense of some of the fields.

Each of the objects Display/Dlt/Std has an associated MUI_<Name> object as the representation for the number. (MUI stands for Multilingual User Interface.)

In this example we are looking at -70 / -71 / -72.
Each section provides the information for the associated number, which can be referenced using tzres.dll. These are individually numbered using the negative number between each TimeZone<Name>.
These data points are populated by tzres.dll.

    

Event Log

%SystemRoot%\System32\winevt\logs\System.evtx

Within the System event log, a log entry is generated when the time zone is changed on the system.
Looking at event ID 6013, you can find information regarding time zone changes, including system uptime with the time zone, as well as the ComputerName and time of change.



Conclusion

    In conclusion, the registry TimeZoneInformation is a critical component of the Windows operating system that is used to store time zone information. The information stored in this key is used by the operating system to display the correct time and date, as well as to adjust for DST. The TimeZoneInformation registry key uses the kernel32.dll file to access the information stored in the registry, and it can be used for both normal and malicious purposes. Understanding the registry TimeZoneInformation and its connection with the dll file is important for anyone who works with the Windows operating system, as it can help them troubleshoot issues related to time and date management.



Additional Sources:

  • The Problem with Time & Timezones - Computerphile YouTube
  • Windows 7 DLL File Information - tzres.dll @ win7dll.info
    • This contains the String ID such as the numbers for TimeZones
  • Windows 10 DLL File Information - tzres.dll @ http://windows10dll.nirsoft.net
