使用WQL从WMI查询Win32_NTLogEvent类时，TimeGenerated属性是否基于计算机或GMT的本地时间？

Question

I am writing a C# windows service that is doing some churning through the eventlog on a few domain controllers. Some of them are Windows Server 2003 and some are Windows Server 2008. Upon the service stopping I am attempting to resume where I left off in the logs. In order to do this instead of

SELECT * FROM Win32_NTLogEvent WHERE --criteria for events I am looking for

I am doing

SELECT * FROM Win32_NTLogEvent WHERE TimeGenerated = --some date AND --criteria for events I am looking for

At one point I was convinced that the TimeGenerated field was in the local time of the server but now it seems that the Windows 2008 Servers are using GMT to record that time. Can anyone shed some light on if this is a real different between the way the two operating systems function or is this a configuration problem?

Answer 1

In addition, it seems that in versions prior to Windows Server 2008 TimeGenerated was returned in local time, but changed to GMT in Server 2008, as others have been noticing.

• http://social.msdn.microsoft.com/Forums/en/servercorefordevelopers/thread/e933b476-5d30-4629-955d-6828ec3e8002
• http://www.ms-news.net/f3617/win32_ntlogevent-11570228.html
• http://84.45.57.224/win32-ntlogEvent-timegenerated-is-in-gmt_topic21473.html

Answer 2

Windows time stamps are always recorded in UTC. They will only be converted to local time in whatever GUI program you use to look at the data, like Event Viewer or Explorer (for file times). This behavior is important to avoid random failure on daylight saving time transitions.

Answer 3

Something like this may be helpful:

("Select * from Win32_NTLogEvent Where Logfile = 'Application' AND EventCode = '999' AND Message Like '%message%' AND TimeGenerated = '201202210000000000.000000+***'")

The TimeGenerated syntax is setup backwards so in the above example its yearmonthdaytimeminutesseconds.000000+\\*** the preceding 000000+\\*** is needed.

Hope this helps.