.NET Core app. I am detecting when a new process is created using WMI, with something like
WqlEventQuery wqlEventQuery = new WqlEventQuery(string.Format("SELECT * FROM Win32_ProcessStartTrace"));
This seems to be working ok, and it detects if I open any app. But the value of property TIME_CREATED is not showing what I expected...
from Microsoft:
"Unique value that indicates the time at which the event was generated. This is a 64-bit value that represents the number of 100-nanosecond intervals after January 1, 1601. The information is in the Coordinated Universal Times (UTC) format. "
But, if I convert this timestamp to DateTime, it gives me a bizarre value... For example, it detects a new process started, and the property TIME_CREATED shows a value of 133598139347539533. But converting this to a datetime, it should give the today's date, but it is instead 24/07/5834...
Also, I have found that DateTime.Now.ToFileTimeUtc() returns the current timestamp for that same epoch (1601), so I have tried it and yes, it gives the expected result (something like 133598169181757776), so I know my calculations are ok...
Any ideas?
I am not sure how you calculated the date, but my quick test shows the correct date:
new DateTime(1601, 1, 1) + new TimeSpan(133598139347539533)
or
new DateTime(1601, 1, 1).AddTicks(133598139347539533)
Both result in [10/05/2024 11:25:34]
Testable online fiddle: https://dotnetfiddle.net/xuDNXb