I just started playing with this (great find by the way) and I really like the tool. However, be aware that you have to install Winpcap on any machine you want to use the packet sniffer on.
Many of the times listed in event logs are in the WMI time format (why they decided to use this format in the event logs I'll never know). Here is a VBScript Function to convert them to a more easily readable format:
<CODE>
strDate = InputBox("Enter the WMI timestamp here")
wscript.echo WMITimestampConvert(strDate)
'#--------------------------------------------------------------------------
'# FUNCTION.......: WMITimestampConvert()
'# PURPOSE........: Converts WMI Timestamps to a more friendly format.
'# ARGUMENTS......: dtmInstallDate = The WMI timestamp to convert.
'# EXAMPLE........: strDate = InputBox("Enter the WMI timestamp here")
'#                  wscript.echo WMITimestampConvert(strDate)
'# REQUIREMENTS...: Tested on Win2k, XP, WS2003. Should work on Vista and
'#                  WS2008.
'# NOTES..........: In the example above, if you enter the WMI timestamp
'#                  20011120042924.000000+000 the script will return:
'#                  11/20/2001 4:29:24 AM (this is in UTC time; the offset
'#                  would be different unless you are in the UTC time
'#                  zone). The trailing +UUU offset (minutes from UTC) is
'#                  not applied, and CDate parses the month/day/year
'#                  string according to the system locale.
'#--------------------------------------------------------------------------
Function WMITimestampConvert(dtmInstallDate)
    ' Characters 1-4 = year, 5-6 = month, 7-8 = day,
    ' 9-10 = hour, 11-12 = minute, 13-14 = second
    WMITimestampConvert = CDate(Mid(dtmInstallDate, 5, 2) & "/" & _
        Mid(dtmInstallDate, 7, 2) & "/" & Left(dtmInstallDate, 4) & _
        " " & Mid(dtmInstallDate, 9, 2) & ":" & _
        Mid(dtmInstallDate, 11, 2) & ":" & Mid(dtmInstallDate, 13, 2))
End Function
</CODE>
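The same conversion as an added Python example (not the commenter's script): it parses the WMI CIM_DATETIME layout described above and also applies the trailing offset field that the VBScript drops, so timestamps recorded on hosts in different time zones can be normalised to UTC before they go on a timeline. The sample values are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Absolute CIM_DATETIME form: yyyymmddHHMMSS.mmmmmm sUUU
# where s is '+' or '-' and UUU is the offset from UTC in minutes.
_CIM_RE = re.compile(
    r"^(?P<year>\d{4})(?P<month>\d{2})(?P<day>\d{2})"
    r"(?P<hour>\d{2})(?P<minute>\d{2})(?P<second>\d{2})"
    r"\.(?P<micro>\d{6})(?P<sign>[+-])(?P<offset>\d{3})$"
)


def parse_wmi_timestamp(value: str) -> datetime:
    """Parse a WMI/CIM_DATETIME string into a timezone-aware datetime.

    The offset field is honoured, so the result carries the fixed UTC
    offset the timestamp was recorded with. Interval-form values and
    wildcard ('*') fields are rejected with ValueError.
    """
    m = _CIM_RE.match(value.strip())
    if not m:
        raise ValueError(f"not an absolute CIM_DATETIME value: {value!r}")
    minutes = int(m["offset"])
    if m["sign"] == "-":
        minutes = -minutes
    tz = timezone(timedelta(minutes=minutes))
    return datetime(
        int(m["year"]), int(m["month"]), int(m["day"]),
        int(m["hour"]), int(m["minute"]), int(m["second"]),
        int(m["micro"]), tzinfo=tz,
    )


def wmi_to_utc_string(value: str) -> str:
    """Normalise to UTC, the form to use when correlating logs across hosts."""
    utc = parse_wmi_timestamp(value).astimezone(timezone.utc)
    return utc.strftime("%Y-%m-%d %H:%M:%S UTC")


if __name__ == "__main__":
    # Constructed samples: the value from the comment, and one recorded at UTC-5.
    for ts in ("20011120042924.000000+000", "20011120042924.000000-300"):
        print(ts, "->", wmi_to_utc_string(ts))
```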
That's pretty odd. Was the same version of TC on both machines? I've moved drives that have TC on them plenty of times, and never run into that issue. /wonders_if_he_should_quickly_make_some_unencrypted_backups :)
Last 5 comments by JoeG
So far I must say I am very impressed.
Is there ANYTHING that Google CAN'T do?
Try 'uptime /a' on your system to get a nice set of information.