
Created Unassigned: FILETIME is not parsed correctly in PR_CONVERSATION_INDEX [17485]

The dissection of the header of PR_CONVERSATION_INDEX (22 bytes) is as follows:
* One reserved byte. Its value is 1.
* Five bytes for the current system time converted to the FILETIME structure format.
* Sixteen bytes holding a GUID, or globally unique identifier.

The correct parsing for FILETIME is carried out on 8 bytes.

The current way FILETIME is converted to a time is to take the 5 bytes, pre-pad them with 1 byte (00), and post-pad them with 2 bytes (0000). The full 8 bytes are then converted to a readable time (the converted value represents 100-nanosecond units since the start of 1/1/1601).

Example:
PR_CONVERSATION_INDEX (5 bytes of the header that represent FILETIME only): D0BC97E167
> Current FILETIME: (Low = 0xE1670000, High = 0x_00_D0BC97) = 11:52:46.352 AM 09-Mar-1787

The correct way of evaluating FILETIME is not to pre-pad the FILETIME (5 bytes) but rather to take the first 6 bytes and add only post-padding of 2 bytes (0000).

As such, the FILETIME should be evaluated as:
> 0x_01_D0BC97:E1670000 - this would result in the correct timestamp: 11:42:50 AM 12-Jul-2015
which is the correct timestamp for the email

This would eventually need to be corrected in upcoming versions, to correctly reflect the FILETIME included in the Conversation Index.
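
The two interpretations described in this issue, decoded side by side as an added example (not part of the original report and not MFCMAPI code). The function names, the constructed 16-byte GUID in the sample header, and the treatment of the result as UTC are assumptions; the reserved byte and the five time bytes are the ones quoted above.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_LEN = 22  # 1 reserved + 5 time + 16 GUID, per the layout above

# Constructed sample: reserved byte 01, the issue's five time bytes
# D0BC97E167, then a made-up 16-byte GUID (00 01 ... 0F).
SAMPLE_HEADER = bytes.fromhex("01" "D0BC97E167") + bytes(range(16))


def filetime_to_utc(filetime: int) -> datetime:
    """Convert 100-ns ticks since 1601-01-01 to an aware UTC datetime."""
    # Integer microseconds avoid float rounding on 64-bit tick counts.
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_header(blob: bytes) -> dict:
    """Decode the header both ways so the two results can be compared."""
    if len(blob) < HEADER_LEN:
        raise ValueError(f"need {HEADER_LEN} bytes, got {len(blob)}")
    reserved, time5, guid = blob[0], blob[1:6], blob[6:HEADER_LEN]
    if reserved != 1:
        raise ValueError(f"unexpected reserved byte 0x{reserved:02X}")

    # Reported behaviour: 00 + five time bytes + 0000.
    prepadded = int.from_bytes(b"\x00" + time5 + b"\x00\x00", "big")
    # Proposed fix: first six header bytes (reserved byte included) + 0000.
    corrected = int.from_bytes(blob[:6] + b"\x00\x00", "big")
    return {
        "guid_bytes": guid.hex(),
        "prepadded_filetime": prepadded,
        "prepadded_utc": filetime_to_utc(prepadded),
        "corrected_filetime": corrected,
        "corrected_utc": filetime_to_utc(corrected),
    }


if __name__ == "__main__":
    for key, value in parse_header(SAMPLE_HEADER).items():
        print(f"{key}: {value}")
```
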
