Alternative to SYSTEM_TIME_INFORMATION::liKeBootTime?

    Question

  • For quite a while I've determined system uptime with NtQuerySystemInformation(SystemTimeInformation,...).  I have read that that function does not exist in 64-bit Windows.  The docs warn of this and suggest alternatives.  But I could find no alternative for getting the boot time.  Is there one (other than WMI)?  Thanks.

     - Vince

    Saturday, July 12, 2014 2:16 AM

Answers

  • I know quite a few ways of estimating uptime.  ... extrapolate using the performance counter, or the tick counter, or even __rdtsc, ... check the timestamp of pagefile.sys or the timestamp on many registry keys, ...  There's also NetStatisticsGet (STAT_WORKSTATION_0::StatisticsStartTime) but I suppose the stat counters could be restarted.   All of these give estimates that are within ~30 seconds of each other.

    But the only ones I know that actually give something called "boot time" are NtQuerySystemInformation and WMI.  Those two agree to the second while, here, extrapolation using the performance counter disagrees by 35 seconds (after 15 days).

    Any method above (except WMI) can be done in a few lines of code.  If you don't have a WMI client ready to go, getting it with WMI takes more code and is slower (and no doubt results in an instance of wmiprvse.exe which will hang around for 90 seconds after it has served its purpose).

    I'm still wondering if there's a replacement for the NtQuerySystemInformation method.

    Saturday, July 12, 2014 5:03 PM

All replies

  • See this for the WMI method.

    The system uptime is a performance counter ( object=system, counter="System Up Time"), so it can be obtained using performance counter helper query.

    SystemTimeInformation indeed is not a documented value for NtQuerySystemInformation.

    -- pa

    Saturday, July 12, 2014 11:55 AM
  • There is an even simpler way: read the system event log and find the most recent startup record. This is exact - no extrapolations, interpolations, snake oil.

    Testing the WMI way is easy, run:

    wmic os get lastbootuptime

    -- p




    • Edited by Pavel A Saturday, July 12, 2014 5:46 PM
    Saturday, July 12, 2014 5:37 PM
  • Yes, but reading the event log is not quite as easy as calling NtQuerySystemInformation.  I haven't coded a search of the event log but I'll bet even WMI is easier.

    I found some old code of mine and was reminded why I found WMI unacceptable ...

    because pLocator->ConnectServer (\\.\root\CIMV2) takes nearly 1/2 second.  Should it take that long?


    • Edited by vesf Saturday, July 12, 2014 7:12 PM
    Saturday, July 12, 2014 7:11 PM
  • Yes, unfortunately WMI is heavy indeed; as you wrote, it spawns some server process, etc.

    The performance counter is maybe the fastest of the mentioned ways.

    Or, just keep using NtQuerySystemInformation(SystemTimeInformation) and hope for the best...

    -- pa

    Saturday, July 12, 2014 8:50 PM
  • Querying the timestamp on a registry key must be pretty fast.  And the timestamp on "HKLM\..\HAL" agrees pretty well with NTQSI() and WMI (which I take to be "official").  Here are 7 versions of the number of seconds of uptime.

    ntqsi   1469010
    halkey  1469010
    wmi     1469010
    perf    1468973
    ticks   1468992
    rdtsc   1468983
    pagef   1469000

    Sunday, July 13, 2014 6:49 PM
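
The tick-counter extrapolation mentioned in the thread, written out as an added example (not code from any of the posters). GetSystemTimeAsFileTime and GetTickCount64 are real Win32 calls; the helper names boot_filetime, filetime_to_unix and estimate_skew_sec are hypothetical, and the sample "now" value is constructed (the uptime is the "ticks" figure from the table above).

```c
#include <stdint.h>
#include <stdio.h>
#ifdef _WIN32
#include <windows.h>
#endif

#define FT_PER_SEC     10000000LL     /* FILETIME units (100 ns) per second */
#define FT_PER_MS      10000ULL       /* FILETIME units per millisecond */
#define EPOCH_DIFF_SEC 11644473600LL  /* seconds from 1601-01-01 to 1970-01-01 */

/* Boot time in FILETIME units (UTC), extrapolated from the current time
   and the milliseconds elapsed since boot. */
uint64_t boot_filetime(uint64_t now_ft, uint64_t uptime_ms) {
    return now_ft - uptime_ms * FT_PER_MS;
}

/* Convert a FILETIME-unit value to Unix seconds for logs and timelines. */
int64_t filetime_to_unix(uint64_t ft) {
    return (int64_t)(ft / (uint64_t)FT_PER_SEC) - EPOCH_DIFF_SEC;
}

/* Signed gap in whole seconds between two boot-time estimates (a - b). */
int64_t estimate_skew_sec(uint64_t a_ft, uint64_t b_ft) {
    return ((int64_t)a_ft - (int64_t)b_ft) / FT_PER_SEC;
}

int main(void) {
    /* Constructed sample: a "now" value plus the "ticks" uptime from the table. */
    uint64_t now_ft = 130497509400000000ULL;
    uint64_t uptime_ms = 1468992000ULL;
#ifdef _WIN32
    FILETIME ft;
    ULARGE_INTEGER u;
    GetSystemTimeAsFileTime(&ft);          /* current UTC time */
    u.LowPart = ft.dwLowDateTime;
    u.HighPart = ft.dwHighDateTime;
    now_ft = u.QuadPart;
    uptime_ms = GetTickCount64();          /* milliseconds since boot */
#endif
    uint64_t boot_ft = boot_filetime(now_ft, uptime_ms);
    printf("boot (FILETIME units): %llu\n", (unsigned long long)boot_ft);
    printf("boot (Unix seconds):   %lld\n", (long long)filetime_to_unix(boot_ft));
    return 0;
}
```

estimate_skew_sec compares this estimate against a boot time from another source expressed in the same FILETIME units, which is how a gap like the one between the "ticks" and "ntqsi" rows can be measured.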