rdbo / libmem

Advanced Game Hacking Library for C, Modern C++, Rust and Python (Windows/Linux/FreeBSD) (Process/Memory Hacking) (Hooking/Detouring) (Cross Platform) (x86/x64/ARM/ARM64) (DLL/SO Injection) (Internal/External) (Assembler/Disassembler)
GNU Affero General Public License v3.0

Consider using registry keys to get Windows boot time (getting rid of NtQuerySystemInformation, which is unstable) #127

Open rdbo opened 1 year ago

rdbo commented 1 year ago

Checking the modified time of HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager\Memory Management\PrefetchParameters\BootId may be a better indicator than using the NT API.

rdbo commented 1 year ago

https://learn.microsoft.com/en-us/windows/win32/api/winreg/nf-winreg-regqueryinfokeya

LastWriteTime is useful here

rdbo commented 1 year ago

Another way would be to create a static variable in process.c that stores the Windows boot time from the GetTickCount/GetTickCount64 functions.

rdbo commented 7 months ago

Another possibility: use Unix timestamps across all platforms instead of boot-relative time
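
The approaches discussed in this issue, as an added example that is not libmem code: converting a Windows FILETIME (such as a key's LastWriteTime) to a Unix timestamp, deriving boot time from wall clock minus tick-count uptime, and querying the registry key's LastWriteTime. The function names are hypothetical, and the registry branch assumes BootId is a value under the PrefetchParameters key, so that key is the one queried.

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* 100 ns ticks between the FILETIME epoch (1601) and the Unix epoch (1970). */
#define FT_UNIX_DIFF 116444736000000000ULL

/* FILETIME (100 ns ticks) -> Unix milliseconds; 0 for values before 1970. */
uint64_t filetime_to_unix_ms(uint64_t ft)
{
    return ft < FT_UNIX_DIFF ? 0 : (ft - FT_UNIX_DIFF) / 10000ULL;
}

/* Tick-count approach: boot = now (GetSystemTimeAsFileTime) - GetTickCount64(). */
uint64_t boot_unix_ms(uint64_t now_ft, uint64_t uptime_ms)
{
    uint64_t now_ms = filetime_to_unix_ms(now_ft);
    return now_ms > uptime_ms ? now_ms - uptime_ms : 0;
}

#ifdef _WIN32
/* Registry approach: LastWriteTime of the key from the issue; 0 on failure.
 * Assumption: BootId is a value, so PrefetchParameters is the key to query. */
uint64_t boot_unix_ms_from_registry(void)
{
    HKEY key;
    FILETIME ft;
    LONG rc = RegOpenKeyExW(HKEY_LOCAL_MACHINE,
        L"System\\ControlSet001\\Control\\Session Manager\\Memory Management\\PrefetchParameters",
        0, KEY_QUERY_VALUE, &key);
    if (rc != ERROR_SUCCESS) return 0;
    rc = RegQueryInfoKeyW(key, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, &ft);
    RegCloseKey(key);
    if (rc != ERROR_SUCCESS) return 0;
    return filetime_to_unix_ms(((uint64_t)ft.dwHighDateTime << 32) | ft.dwLowDateTime);
}
#endif

int main(void)
{
#ifdef _WIN32
    printf("registry: %llu\n", (unsigned long long)boot_unix_ms_from_registry());
#endif
    /* Constructed sample: 2024-01-01T00:00:00Z as FILETIME, one hour of uptime. */
    printf("sample: %llu\n", (unsigned long long)boot_unix_ms(133485408000000000ULL, 3600000ULL));
    return 0;
}
```

Because the tick-count result moves whenever the wall clock is adjusted, computing it once and caching it, as the static-variable comment suggests, keeps the value stable for the life of the process.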