Windows FILETIME

Windows FILETIME is a timestamp format associated with Microsoft Windows, and with NTFS. It appears in some file formats, for example Microsoft Compound File.

It is a 64-bit integer representing the number of 100-nanosecond intervals since the beginning of the year 1601, UTC (ignoring leap seconds). Evidence suggests that the high bit is reserved, and the other 63 bits represent an unsigned integer. This means it can represent dates from about the years 1601 to 30828.

Because the traditional Windows API did not use 64-bit integers, it is often represented as a structure (named "FILETIME", of course) containing two 32-bit integers.
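The decoding described above, as an added example (not code from this page or from Microsoft): it joins the two 32-bit halves, rejects a value with the high bit set, and converts the tick count to UTC. The little-endian, low-half-first byte order and the choice to raise on the reserved bit are assumptions of this example, and the sample bytes are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# Start of the year 1601, UTC: tick 0 of a FILETIME.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def parse_filetime(raw: bytes) -> int:
    """Join the two 32-bit halves of an 8-byte FILETIME into one tick count.

    Assumption: little-endian storage, low half first, then high half.
    """
    if len(raw) != 8:
        raise ValueError("a FILETIME is exactly 8 bytes")
    low, high = struct.unpack("<II", raw)
    return (high << 32) | low


def filetime_to_datetime(ticks: int):
    """Convert 100 ns ticks since 1601 to (UTC datetime, leftover ticks).

    Python datetimes hold microseconds, so the sub-microsecond remainder
    (0-9 ticks) is returned separately instead of being silently dropped.
    The datetime is None when the value is valid but past year 9999, the
    limit of Python's datetime (FILETIME itself reaches about year 30828).
    """
    if ticks < 0 or ticks >> 63:
        # Policy of this example: treat the reserved high bit as an error.
        raise ValueError("high bit set or value out of 63-bit range")
    micros, leftover = divmod(ticks, 10)
    try:
        return FILETIME_EPOCH + timedelta(microseconds=micros), leftover
    except OverflowError:
        return None, leftover


if __name__ == "__main__":
    # Constructed sample: the eight bytes encoding 1970-01-01 00:00:00 UTC.
    sample = bytes.fromhex("00803ed5deb19d01")
    ticks = parse_filetime(sample)
    print(ticks, filetime_to_datetime(ticks))
```

Values that decode to `None` or raise are worth flagging during analysis rather than discarding, since they often indicate an uninitialised field or a non-timestamp use of the structure.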

Despite its name, it is often used for things other than timestamps of files.

Links

 * Windows Dev Center: File Times
 * Windows Dev Center: FILETIME structure
 * Forensic Focus: Interpretation of NTFS Timestamps