Win7 how to display military time and seconds in a DIR command?

Topic

New Reply

Hardware/Software
. existing HP notebook with Win7 32bit

Symptoms
. to diagnose a virus attack, it helps to know, to the second, when a file
appears. With only a sorted ADMIN DIR output B 4 the restore, it could
only log to the minute. Tho I eventually saw the files it created, seconds
are more accurate in tracking the events THAT AREN’T SUPPRESSED!

Attempts to address
. many; …

… DIR; looked in help, tried /t? w/DIRCMD, searched around; nothing.

… explorer/prop just said “within x hours”, eventually (days/weeks?)
showing the second. HARDLY USEFUL AT THE TIME!!

… powershell.exe looked promising:

1. Get-ChildItem -Path C:xxx -Recurse -Include *.pad >c:DADtempPWR.txt
Directory: C:xxx
Mode LastWriteTime Length Name
—- ————- —— —-
-a— 11/2/2012 7:19 AM 83023306 netdislw.pad
This infected possible data collection file is apx 99% trailing NULLS (00h).

…… unfortunately, when I specify just the root DIR, it gets many
‘denied’ msgs, even under ADMIN, & quits B 4 it gives the answer. Perhaps
there’s some limit somewhere that could be increased to allow an answer.
…… further, the date doesn’t line up (so can’t use sort), is not
military time (sort again) and no seconds, and I really won’t know what
I’m looking for unless/until it happens. Perhaps a script could be
modified/created somehow to do this and print a fixed-column TOD w/seconds.
…… also, if I make some kind of error (ie: looking for *.xyz), it just
says nothing, even w/no REDIR O/P; no clue on what to fix. Even running as
ADMIN fails. Perhaps it says nothing because there are no DSNs.

2. (Get-Item C:xxxnetdislw.pad).lastwritetime.timeofday
Days : 0
Hours : 7
Minutes : 19
Seconds : 30
Milliseconds : 872
…… at least HERE it shows the seconds & more, so, if the DSN still
exists after running rstrui.exe, it could be used. I used this to
verify my new program (below).

Solution

FINALLY addressed it after an all-nighter !!!!!!

I wrote an MASM assembler program using INT21h/4E&Fh with an IBM
mainframe/server flavor (a la VSAM) to chain, then swap multiple “active”
DTA requests per DIR (like RPLs after POINTs), looking for DSNs/DIRs having a
current date. Using CMSort.exe w/the thousand or so I get daily, I make a
.txt file, for example, sorted to the descending second, which runs surprisingly
quick (<1min tho very CPU-intensive w/many PROCMON entries) against the root
drive:

2012/12/17 14:57:22 0000015181 CMSORT.BAT C:DADCMSORT*.*

There is an architected 2-second max discrepency since the # of seconds
provided is / 2. However, that's 30x closer than DIR can provide.
Further, in some instances, for some reason, I'm only provided a CREATE TOD,
as opposed to the typical TIME-LAST-MODIFIED. Finally, by sorting seconds
(or any column), I can find any "invalid" (ie: "already infected") values.

I'd like to hear any other solutions anyone else found for this issue…

Reply | Quote

Replies

For anyone interested, my program is available here:

http://users.foxvalley.net/~qcd/index4.htm

If your platform is x86 and supports the Win32 API,
download the .zip file to a DIRectory and extract it,
then either double-click the .BAT file using Explorer,
or use cmd.exe (the .BAT has the doc). In about a minute
or so, the console window should PAUSE with this message:
date&time 32bit Good: DSNTODAY=0,CMSort=N/A …
but the .log file in your extracted DIR now shows all the
“non-System” files updated today on your C: drive in
“alphabetical” order. The first run may have to perform
disk I/O, but still should run in less than a minute.
This “N/A” failure is just until the .BAT file knows about
CMSort, when the file can be sorted by descending date&time.
You can also change the last statement and “remove the rem”
and just leave the PAUSE at the end, to see any other type
of failure other than described above (I’ve had a few).

This is kinda what I was expecting PowerShell to do.
An issue with a DIR /o-d is that it doesn’t span directories.
I set this up to AUTOMATICALLY and SILENTLY run at intervals
with Task Scheduler, showing files&DIRs updated today;
you can decide whether to append or over-write the log file
whenever and however you decide to run it.

Perhaps businesses that offer guests Internet access would
find this beneficial for both, or for parents monitoring what
their children surf to, or for anyone that got infected to
easily find the bogus file(s) and when they were implanted,
or to find ANY files that have a logically-bogus date&time.

Have fun…

NOTE: CMSort.exe can be downloaded from here:
http://www.chmaas.handshake.de/delphi/freeware/cmsort/cmsort.htm

Reply | Quote

I added an option to watch for any executable files that were recently implanted,
based on the PATHEXT Environment Variable, plus a few more. This means that, for
example, if a file, such as a .dll, a .lnk, a .exe, or more, is CREATED by a trojan,
even if its’ attributes are System and/or Hidden, I’ll now see them within 5 minutes
(the minimum time allowed by Windows Task Scheduler), and the sort places them at
the top. This now replaces what I used to do manually every day using multiple
sorted ADMIN DIR outputs for monitoring executables, while the regular run monitors
any other files that are UPDATED.

Reply | Quote

I added an external monitor that will beep within 5 minutes whenever an executable
is detected with the current date. This way, even when surfing under the GUEST LID,
I can use audio cues to keep track of my system…

Reply | Quote

I find the simplest way to display the 24-hour clock in times is to live in a country/locale where this time format is the default for Windows computer displays!

BATcher

Plethora means a lot to me.

Reply | Quote

@BATcher: What an excellent and concise response/recommendation!! (Made my day!)

My Rig: AMD Ryzen 9 5900X 12-Core CPU; ASUS Cross Hair VIII Formula Mobo; Win 11 Pro (64 bit)-(UEFI-booted); 32GB RAM; 2TB Corsair Force Series MP600 Pro 2TB PCIe Gen 4.0 M.2 NVMe SSD. 1TB SAMSUNG 960 EVO M.2 NVME SSD; MSI GeForce RTX 3090 VENTUS 3X 24G OC; Microsoft 365 Home; Condusiv SSDKeeper Professional; Acronis Cyberprotect, VMWare Workstation Pro V17.5. HP 1TB USB SSD External Backup Drive). Dell G-Sync G3223Q 144Hz Monitor.

Reply | Quote

Thank you – it was intended to be amusing, but was absolutely no help at all to the OP…

BATcher

Plethora means a lot to me.

Reply | Quote

@BATcher: You succeeded admirably!

My Rig: AMD Ryzen 9 5900X 12-Core CPU; ASUS Cross Hair VIII Formula Mobo; Win 11 Pro (64 bit)-(UEFI-booted); 32GB RAM; 2TB Corsair Force Series MP600 Pro 2TB PCIe Gen 4.0 M.2 NVMe SSD. 1TB SAMSUNG 960 EVO M.2 NVME SSD; MSI GeForce RTX 3090 VENTUS 3X 24G OC; Microsoft 365 Home; Condusiv SSDKeeper Professional; Acronis Cyberprotect, VMWare Workstation Pro V17.5. HP 1TB USB SSD External Backup Drive). Dell G-Sync G3223Q 144Hz Monitor.

Reply | Quote

Are you just joking? I tried changing the time zone a long time ago, and tho
the time actually changes in DIR’s output, the format does NOT. I had also
tried Region and Language (ie: UK, Germany, Poland, Singapore), add’l settings,
and played with various Date and Time formats; again, the actual time changed
(some were military time as you indicated), but not the format: DIR stubbornly
remains the same.

Is there a way to actually get DIR to show seconds or not? It seems to only
show the Short time, which does NOT show seconds. If I can somehow tell DIR to use
the Long time, then perhaps seconds would finally show…

Reply | Quote

No, DIR does not give seconds in the File Modified time which it produces on screen, only hh:mm format (here in the UK). As far as I remember (which isn’t far!), this hasn’t been changed since the days of PC-DOS / MS-DOS. It was a design decision, I assume.

There will undoubtedly be free and paid-for third-party utilities available which would display hh:mm:ss, but I don’t use any of them so can’t suggest any.

BATcher

Plethora means a lot to me.

Reply | Quote