TimeZoneInformation Registry Key

The TimeZoneInformation registry key provides the current system time zone. This is useful for consolidating separate artifacts found on a system to align with one time zone, such as UTC.

Analysis Value

  • Endpoint - Enumeration

Operating System Availability

  • Windows 11
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Vista
  • Windows XP
  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003 R2
  • Windows Server 2003

Artifact Location(s)

🔋 Live System:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

🔌 Offline system:

  • File: %SystemRoot%\System32\config\SYSTEM
  • Key: SYSTEM\{CURRENT_CONTROL_SET}\Control\TimeZoneInformation

Note

More information on {CURRENT_CONTROL_SET}

Artifact Parsers

  • RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the TimeZoneInformation registry key, the value name TimeZoneKeyName will contain the current system time zone.

For examples of what this may look like, run the command Get-TimeZone -ListAvailable in PowerShell and look at the Id property of each entry.

The Bias value contains the number of minutes between UTC and the system's selected time zone, such that UTC = Local System Time + Bias.

Example

PS> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" -Name *

Bias                        : 360
DaylightBias                : 4294967236
DaylightName                : @tzres.dll,-161
DaylightStart               : {0, 0, 3, 0...}
StandardBias                : 0
StandardName                : @tzres.dll,-162
StandardStart               : {0, 0, 11, 0...}
TimeZoneKeyName             : Central Standard Time
DynamicDaylightTimeDisabled : 0
ActiveTimeBias              : 300

This example was produced on Windows 10, Version 10.0.19044 Build 19044
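
The following is an added example, not part of the original page or of any tool it lists: it applies UTC = Local System Time + Bias to values exported from the key, using the numbers in the sample output above. It assumes that the DWORD bias values are signed 32-bit integers shown as unsigned (4294967236 is -60) and that ActiveTimeBias is Bias plus whichever seasonal bias was in effect; the function names and the sample timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Values copied from the sample output above (REG_DWORDs are shown unsigned).
SAMPLE = {"Bias": 360, "StandardBias": 0,
          "DaylightBias": 4294967236, "ActiveTimeBias": 300}


def dword_to_signed(value: int) -> int:
    """Reinterpret an unsigned 32-bit REG_DWORD as a signed 32-bit integer."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"not a 32-bit value: {value}")
    return value - 0x100000000 if value & 0x80000000 else value


def effective_bias(values: dict, daylight: bool) -> int:
    """Bias plus the seasonal adjustment, in minutes (assumed relationship)."""
    seasonal = values["DaylightBias"] if daylight else values["StandardBias"]
    return dword_to_signed(values["Bias"]) + dword_to_signed(seasonal)


def dst_state(values: dict) -> str:
    """Cross-check ActiveTimeBias against the standard and daylight sums."""
    active = dword_to_signed(values["ActiveTimeBias"])
    standard = effective_bias(values, daylight=False)
    daylight = effective_bias(values, daylight=True)
    if active == standard:
        return "standard"
    if active == daylight:
        return "daylight"
    raise ValueError("ActiveTimeBias matches neither standard nor daylight bias")


def local_to_utc(local_ts: datetime, bias_minutes: int) -> datetime:
    """Apply UTC = local + bias to a naive local timestamp."""
    if local_ts.tzinfo is not None:
        raise ValueError("expected a naive local timestamp")
    return (local_ts + timedelta(minutes=bias_minutes)).replace(tzinfo=timezone.utc)


if __name__ == "__main__":
    state = dst_state(SAMPLE)
    bias = effective_bias(SAMPLE, daylight=(state == "daylight"))
    ts = datetime(2022, 6, 1, 9, 30)  # constructed local timestamp
    print(state, bias, local_to_utc(ts, bias).isoformat())
```

A single bias is only valid for timestamps that fall in the same standard or daylight period as the one it was computed for; artifacts from the other period need the other sum.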