Geoff Chappell - Software Analyst
The SYSTEM_TIMEOFDAY_INFORMATION structure (formally _SYSTEM_TIMEOFDAY_INFORMATION ) is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemTmeOfDayInformation (0x03).
The SYSTEM_TIMEOFDAY_INFORMATION structure is defined in WINTERNL.H from the Software Development Kit (SDK). The definition there has the whole structure as one array of bytes, named Reserved1. Documentation of NtQuerySystemInformation describes the structure as “opaque” and suggests that whatever is produced in it for the SystemTimeOfDayInformation case “can be used to generate an unpredictable seed for a random number generator.”
This note is instead concerned with what might reasonably be called the structure’s true definition. Since at least WIndows 8—and, for specificity, certainly in the original Windows 10—this definition that Microsoft itself works with is in an unpublished header named ntexapi.h.
Microsoft does publish the practical equivalent of a C-language definition as type information in symbol files—not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for a handful of higher-level DLLs that might ordinarily be thought very distant from any involvement with the structure. Perhaps only by oversight, but starting as long ago as Windows 8, Microsoft’s downloadable packages of public symbols have included a smattering of private symbol files and these continue to be available through the public symbol server. Precisely which DLLs have the type information varies between versions. COMBASE.DLL is among the more reliable nowadays. Disclosure in symbol files for URLMON.DLL stopped for the 1803 release of Windows 10 but is specially notable because of this DLL’s origins in Internet Explorer and thence for the strong suggestion that Microsoft’s programmers of Internet Explorer had access to more details of low-level Windows programming than Microsoft publishes for wider use (including by the programmers of competing web browsers).
Type information for the structure has also seeped out at the other end of the Windows timeline, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.
The SYSTEM_TIMEOFDAY_INFORMATION is the same in both 32-bit and 64-bit Windows. The structure exists in two sizes:
The structure has changed only by extension. The function originally requires an output buffer that exactly fits the old structure. Starting from the structure’s expansion, the function supports both the old and new structure in a notably liberal way: it allows not just the old size and the new, but any size that is not larger than the new.
| Offset | Definition | Versions |
|---|---|---|
| 0x00 |
LARGE_INTEGER BootTime; |
3.10 and higher |
| 0x08 |
LARGE_INTEGER CurrentTime; |
3.10 and higher |
| 0x10 |
LARGE_INTEGER TimeZoneBias; |
3.10 and higher |
| 0x18 |
ULONG TimeZoneId; |
3.10 and higher |
| 0x1C |
ULONG Reserved; |
3.10 and higher |
| 0x20 |
ULONGLONG BootTimeBias; |
5.0 and higher |
| 0x28 |
ULONGLONG SleepTimeBias; |
5.0 and higher |
Not until Windows NT 4.0 SP4 did the kernel ensure that its preparation of this structure on the stack (to copy to the caller’s output buffer) cleared the Reserved space.
What is here named the SleepTimeBias is elsewhere known as the InterruptTimeBias, as for instance in the KUSER_SHARED_DATA which is where the function loads this member from in version 6.0 and higher.