none
Detecting timezone from the event logs RRS feed

  • Question

  • I'm curious if there are any windows events, either system or application, that would tell me the Time Zone the system is in. If I get event logs (*.evtx) from windows 7 system from customer, how would I find out TimeZone.

    Thanks,

    MDExch

    Monday, September 19, 2016 12:40 PM

Answers

All replies

  • Hi,

    All times displayed for event log events are computed as offsets to Greenwich Mean Time (GMT). When you set the time on your system, you are setting the value for GMT. When you select your local time zone for the system, the appropriate number of hours are added or subtracted to the stored GMT value. This adjusted time is displayed. When "Automatically Adjust for Daylight Saving Time" is selected, an additional hour is added to GMT during daylight savings time.

    If you are viewing another machine remotely across one or more time zones through Event Viewer, the times for events on the remote system appear relative to your local time. In other words, if you are viewing an event remotely that actually occurred at 8:00 PM Central Daylight Time, the time displayed for the event on your computer will be 6:00 PM when you view the event from the Pacific Daylight Time zone.

    If you export the logs and view it on the 2nd machine, same...it will show as GMT relative to your time zone on that 2nd computer.

    Also check this article for reference:

    Event ID 31 — Local Time Zone Configuration:

    https://technet.microsoft.com/en-us/library/cc756587%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396

    Best Regards,

    Tao


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 20, 2016 9:55 AM
    Moderator
  • Hi Tao,

    Thanks for your reply. I understand the event time is computed as offset to GMT. Here is the situation I'm in. I get event logs from a customer in the email, in *.evtx format which I opened in my computer which is in EST. Our software also creates a text log file and the file has debugging logs with time stamp in local time of the system. Now I can't correlate windows events to entries in the text log file. Hence I run into some problem when I've to come up with events in chronological order for troubleshooting the problem. If I have information about what was the offset to GMT when the event actually occurred at the customer site, it would help.

    Regards,

    MDExch

    Tuesday, September 20, 2016 12:45 PM
  • I think I found the event that gives the timezone info that I was looking for.

    Here is the XML view of details of Event ID 6013 from Source: EventLog.

    Log Name:      System
    Source:        EventLog
    Date:          9/19/2016 12:00:12 PM
    Event ID:      6013
    Task Category: None
    Level:         Information
    Keywords:      Classic
    User:          N/A
    Computer:     XXXXX
    Description:
    The system uptime is 254981 seconds.
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="EventLog" />
        <EventID Qualifiers="32768">6013</EventID>
        <Level>4</Level>
        <Task>0</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2016-09-19T16:00:12.000000000Z" />
        <EventRecordID>14399</EventRecordID>
        <Channel>System</Channel>
        <Computer>XXXXX</Computer>
        <Security />
      </System>
      <EventData>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>
        </Data>
        <Data>254981</Data>
        <Data>60</Data>
        <Data>300 Eastern Standard Time</Data>
        <Binary>31002E00310</Binary>
      </EventData>
    </Event>

    If I opened a saved System event log files from the customer system in CST on my system which is in EST, it would show <Data>360 Central Standard Time</Data>

    Tuesday, September 20, 2016 8:02 PM
  • Hi,

    We haven’t heard from you for a couple of days, have you solved the problem?  We are looking forward to your good news.

    Best Regards,

    Tao


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, September 27, 2016 7:27 AM
    Moderator
  • I found answer to my question. Please refer to my reply on 20Sep16. By looking at details of the event, I can find what is the time zone of the system.

    Thanks,

    MDExch

    Wednesday, September 28, 2016 5:20 PM
  • Glad to hear this issue has been solved by yourself. Thanks for sharing,I will introduce this experience to other forum users who face the same condition.Please mark the reply to close this case:)


    Please remember to mark the replies as an answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, September 29, 2016 1:19 AM
    Moderator