
NTFS volume creation timestamp

Makefile
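# Cross-compile volumeinfo.exe for Windows with the MinGW toolchain.
CC = i486-mingw32-gcc

# Import libraries for the native API calls made by volumeinfo.c
# (NtQueryVolumeInformationFile, RtlNtStatusToDosError).
# NOTE(review): a user-mode program normally resolves these from ntdll;
# confirm that -lntoskrnl is actually required.
LDFLAGS = -lntoskrnl -lntdll

# The libraries come after the source file so the linker sees them after the
# references they have to resolve. The recipe line must start with a TAB.
volumeinfo.exe: volumeinfo.c
	$(CC) -o $@ $< $(LDFLAGS)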
README.md
volumeinfo.c
#include <stdio.h>
#include <string.h>
#include <windows.h>
#include <ddk/ntddk.h>
#include <ddk/ntifs.h>
 
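/**
 * Print "<msg>: <system text for status>" on stdout.
 *
 * @param msg    Caller-supplied prefix naming the operation that failed.
 * @param status NTSTATUS value; converted to a Win32 error code with
 *               RtlNtStatusToDosError() before the message lookup.
 *
 * If the system has no text for the code, the raw status is printed in hex
 * instead, so the failure is still reported.
 */
void PrintNtError(char *msg, NTSTATUS status) {
    char *errmsg = NULL;
    DWORD len;

    /* The A variant is called explicitly because errmsg is a char * that is
     * printed with %s. FORMAT_MESSAGE_IGNORE_INSERTS is set because no
     * argument array is passed, so insert sequences in a system message
     * must not be expanded. */
    len = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                         FORMAT_MESSAGE_FROM_SYSTEM |
                         FORMAT_MESSAGE_IGNORE_INSERTS,
                         NULL,
                         RtlNtStatusToDosError(status),
                         MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                         (LPSTR) &errmsg,
                         0,
                         NULL);

    if (len == 0 || errmsg == NULL) {
        /* Lookup failed, so no buffer was allocated: do not print or free
         * the pointer, report the numeric status instead. */
        printf("%s: NTSTATUS 0x%08lx\n", msg, (unsigned long) status);
        return;
    }

    printf("%s: %s\n", msg, errmsg);
    LocalFree(errmsg);
}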
 
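/**
 * Print "<msg>: <system text for err>" on stdout.
 *
 * @param msg Caller-supplied prefix naming the operation that failed.
 * @param err Win32 error code, e.g. the value returned by GetLastError().
 *
 * If the system has no text for the code, the numeric code is printed
 * instead, so the failure is still reported.
 */
void PrintWin32Error(char *msg, DWORD err) {
    char *errmsg = NULL;
    DWORD len;

    /* The A variant is called explicitly because errmsg is a char * that is
     * printed with %s. FORMAT_MESSAGE_IGNORE_INSERTS is set because no
     * argument array is passed, so insert sequences in a system message
     * must not be expanded. */
    len = FormatMessageA(FORMAT_MESSAGE_ALLOCATE_BUFFER |
                         FORMAT_MESSAGE_FROM_SYSTEM |
                         FORMAT_MESSAGE_IGNORE_INSERTS,
                         NULL,
                         err,
                         MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
                         (LPSTR) &errmsg,
                         0,
                         NULL);

    if (len == 0 || errmsg == NULL) {
        /* Lookup failed, so no buffer was allocated: do not print or free
         * the pointer, report the numeric code instead. */
        printf("%s: Win32 error %lu\n", msg, (unsigned long) err);
        return;
    }

    printf("%s: %s\n", msg, errmsg);
    LocalFree(errmsg);
}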
 
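/**
 * Open a volume and print its creation timestamp.
 *
 * The timestamp is read with NtQueryVolumeInformationFile
 * (FileFsVolumeInformation) and printed both as the raw 64-bit NT value and
 * converted to seconds since the Unix epoch.
 *
 * @param path Volume path handed to CreateFile(); main() only passes paths
 *             that start with the Win32 namespace prefix.
 * @return 0 on success, 1 if the volume could not be opened or queried.
 */
int displayInfo(char *path) {
    HANDLE fh;
    NTSTATUS st;
    IO_STATUS_BLOCK sb;
    /* The union gives the buffer the alignment the structure needs; a bare
     * char array cast to the structure pointer has no such guarantee. */
    union {
        FILE_FS_VOLUME_INFORMATION info;
        char raw[1024];
    } buf;
    PFILE_FS_VOLUME_INFORMATION pfi;
    long long CreationTimeUx;
    int rc = 1;

    /* NOTE(review): GENERIC_READ on a volume path presumably needs an
     * elevated token; confirm whether a narrower access mask is enough for
     * this query so the tool can run with fewer privileges. */
    fh = CreateFile(path,
                    GENERIC_READ,
                    FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                    NULL,
                    OPEN_EXISTING,
                    0,
                    NULL);

    if (fh == INVALID_HANDLE_VALUE) {
        /* Report the path that actually failed, not a fixed "C:" label. */
        PrintWin32Error(path, GetLastError());
        return 1;
    }

    st = NtQueryVolumeInformationFile(fh,
                                      &sb,
                                      &buf,
                                      sizeof(buf),
                                      FileFsVolumeInformation);

    if (!NT_SUCCESS(st)) {
        PrintNtError("NtQueryVolumeInformationFile", st);
        goto out_close;
    }

    pfi = &buf.info;

    /* VolumeCreationTime counts 100 ns ticks; dividing by 10,000,000 gives
     * seconds, and 11,644,473,600 is the offset subtracted to reach the Unix
     * epoch. A zero value is reported as 0 rather than as a negative time.
     * The result is kept in 64 bits so that values outside the 32-bit range
     * are not truncated. */
    if (pfi->VolumeCreationTime.QuadPart == 0)
        CreationTimeUx = 0;
    else
        CreationTimeUx = (pfi->VolumeCreationTime.QuadPart / 10000000)
                         - 11644473600LL;

    /* %I64d is the 64-bit conversion understood by the Microsoft C runtime
     * that MinGW links against. */
    printf("volume creation time: nt=0x%08lx%08lx unix=%I64d\n",
           (unsigned long) pfi->VolumeCreationTime.HighPart,
           (unsigned long) pfi->VolumeCreationTime.LowPart,
           CreationTimeUx);

    rc = 0;

out_close:
    /* Single exit path, so the handle is released on query failure too. */
    CloseHandle(fh);
    return rc;
}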
 
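/**
 * Entry point: print the creation timestamp of every volume named on the
 * command line.
 *
 * Each argument must start with the Win32 namespace prefix "\\?\"; other
 * arguments are reported on stderr and skipped.
 *
 * @return 0 if every argument was processed, 2 on a usage error or if any
 *         argument was rejected, or the non-zero result of displayInfo()
 *         for the first volume that fails (processing stops there).
 */
int main(int argc, char *argv[]) {
    int i, r;
    int rejected = 0;

    if (argc < 2) {
        fprintf(stderr,
                "Usage: %s <volume>\n"
                "\n"
                "<volume> is a volume name in the Win32 namespace; for example,\n"
                "\n"
                " \\\\?\\C:\n"
                " \\\\?\\Volume{590fd828-8520-11df-9c05-0016383a46bf}\n",
                argv[0]);
        return 2;
    }

    for (i = 1; i < argc; i++) {
        if (strncmp(argv[i], "\\\\?\\", 4) != 0) {
            fprintf(stderr, "error: not a Win32 namespace path: %s\n", argv[i]);
            /* Remember the rejection so the exit status does not report
             * success for a run that skipped an argument. */
            rejected = 1;
            continue;
        }

        printf("volume path: %s\n", argv[i]);
        r = displayInfo(argv[i]);
        printf("\n");
        if (r)
            return r;
    }

    return rejected ? 2 : 0;
}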
