(tough one) Algorithm for the datestamp on a BSOD – Reputation pts will be awarded!

#1 zelkea, Jan 31st, 2008
Hello All,
I am troubleshooting a problem with a 2k3 server that has been throwing Blue Screens. I am trying to figure out how to translate the datestamp to an actual time. Does anyone know the algorithm for the Windows DateStamp, or how to figure out what time this DateStamp is for: "45ed063d"?

Thanks,
AJZ
#2 rneuschul, Jan 31st, 2008
I believe that debug datestamps are in 64-bit UTC format from dateline 00:00 January 1, 1601, using 100-nanosecond 'ticks' - but I could well be wrong.

How you decode one to human-readable is a whole different question though; 'fraid I don't have a clue.
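An added decoder (not code from the thread) for the stamp quoted in the question, covering both widths: an 8-hex-digit value such as 45ed063d is treated as a 32-bit count of seconds since 1970-01-01 UTC, the PE header TimeDateStamp format that crash-dump tools such as WinDbg print as each loaded module's timestamp, while a 16-hex-digit value is treated as the 64-bit FILETIME described in the reply above. The sample stamp comes from the question; the WinDbg-style output line is only an assumed presentation format.

```python
from __future__ import annotations

from datetime import datetime, timedelta, timezone

# Constructed sample: the stamp quoted in the question.
SAMPLE_STAMP = "45ed063d"

# PE TimeDateStamp: whole seconds since 1970-01-01 00:00 UTC (32-bit).
UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC (64-bit).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_unix32(hex_stamp: str) -> datetime:
    """Decode up to 8 hex digits as a 32-bit seconds-since-1970 count."""
    value = int(hex_stamp, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit value: %s" % hex_stamp)
    return UNIX_EPOCH + timedelta(seconds=value)


def decode_filetime(hex_stamp: str) -> datetime:
    """Decode up to 16 hex digits as a 64-bit FILETIME tick count."""
    value = int(hex_stamp, 16)
    if not 0 <= value <= 0xFFFFFFFFFFFFFFFF:
        raise ValueError("not a 64-bit value: %s" % hex_stamp)
    # timedelta resolves to microseconds, so drop the sub-microsecond digit.
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)


def decode_datestamp(hex_stamp: str) -> tuple[str, datetime]:
    """Choose the interpretation by width: <=8 digits unix32, <=16 FILETIME."""
    digits = hex_stamp.strip().lower()
    if digits.startswith("0x"):
        digits = digits[2:]
    if len(digits) <= 8:
        return "unix32", decode_unix32(digits)
    if len(digits) <= 16:
        return "filetime", decode_filetime(digits)
    raise ValueError("stamp wider than 64 bits: %s" % hex_stamp)


def windbg_style(when: datetime, hex_stamp: str) -> str:
    """Render like a WinDbg module line: 'Tue Mar 06 06:12:13 2007 (45ED063D)'."""
    return "%s (%s)" % (when.strftime("%a %b %d %H:%M:%S %Y"), hex_stamp.upper())


if __name__ == "__main__":
    kind, when = decode_datestamp(SAMPLE_STAMP)
    print(kind, windbg_style(when, SAMPLE_STAMP))
```

A module's TimeDateStamp records when that driver was linked, not when the machine crashed; the crash time itself is recorded in the dump header (WinDbg's `.time` shows it) and in the System event log entry for the bugcheck.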
#3 DimaYasny (Moderator), Feb 1st, 2008
What is really important in BSOD analysis is the memory dump file. That is what should be checked, not the time.
Real stupidity always beats Artificial Intelligence. (Terry Pratchett)

BA BizMg, MCSE, DCSE, Linux+, Network+
#4 rneuschul, Feb 1st, 2008
Sorry, but that's not a proper basis on which to conduct any form of investigation: whilst it's correct to say that the contents of the dump are important, it is NOT correct to say [or imply] that the time is unimportant. This is especially true if one is seeing repeated events of a similar type on the same machine, or a spread of events across multiple machines.

Knowing precisely when an event occurs can help one to track causes.

In IT Forensics, just as in any other branch of forensics, one NEVER EVER throws any of the evidence away.
#5 DimaYasny (Moderator), Feb 1st, 2008
Well, in 2003 systems the error times can be viewed in the system logs, while BSOD reasons are generally seen in minidump files.
That's not IT forensics, that's experience.
#6 Michael_Knight, Feb 1st, 2008
rneuschul, evidence is one thing, but this is not forensic casework. DimaYasny is correct: the MiniDump is the first step (as well as looking at the Event Viewer) to diagnosing a BSOD.

zelkea, what I would suggest is that you go into the dump settings and change it from a mini dump to a full (complete) memory dump; you will get far more information.

There is also software that you can download to analyze the dump logs and interpret the information for you.
Michael
Forensic IT Consultant / Designer | My DaniWeb Blog
Quis custodiet ipsos custodes?
#7 zelkea, Feb 1st, 2008
Hey Guys,
Hehe, the confusion in my troubleshooting steps is due to the fact that I did not post everything I have done up to this point (following the KISS philosophy in trying to get an answer to my question). I have already reviewed the memory.dmp and events on this box, which indicated our backup software as being the culprit.

Rneuschul is correct; the exact time is important to me. The reason is that the backup software in question backs up, let's say, transactions (for simplicity), and the system is crashing when it hits a corrupt/orphaned transaction, which are known to exist (long story but unavoidable). Therefore, if I am able to figure out the exact time the server is crashing, I can use that information with other logs to track down the corrupted/orphaned transaction and fix it.

Originally Posted by Michael_Knight:
There is also software that you can download to analyze the dump logs and interpret the information for you.

Michael,
I have been using Microsoft Debug Tools and dumpchk; is there another application you would recommend?


AJZ
©2003 - 2009 DaniWeb® LLC