# TimeZoneInformation Registry Key

The `TimeZoneInformation` registry key provides the current system time zone. This is useful for consolidating separate artifacts found on a system to align with one time zone, such as UTC.

## Analysis Value

{% content-ref url="/pages/A9WSUHDPatjWctCckWyA" %}
[System Enumeration](/windows-forensics/artifacts-by-activity/system-enumeration.md)
{% endcontent-ref %}

## Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ✅       |
| Windows 10    | ✅       | Server 2016   | ✅       |
| Windows 8     | ✅       | Server 2012   | ✅       |
| Windows 7     | ✅       | Server 2008   | ✅       |
| Windows Vista | ✅       | Server 2003   | ✅       |
| Windows XP    | ✅       |               |         |

## Artifact Location(s)

{% tabs %}
{% tab title="🔌 Offline System" %}

* File: `%SystemRoot%\System32\config\SYSTEM`
* Key: `SYSTEM\{CURRENT_CONTROL_SET}\Control\TimeZoneInformation`
  {% endtab %}

{% tab title="🔋 Live System" %}

* `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation`
  {% endtab %}
  {% endtabs %}

{% hint style="info" %}
For more information on determining the correct `CurrentControlSet`, visit [Select Registry Key](/windows-forensics/artifacts-by-type/registry-artifacts/select.md)
{% endhint %}

## Artifact Parsers

* RegistryExplorer (Eric Zimmerman)

## Artifact Interpretation

Within the `TimeZoneInformation` registry key, the value name `TimeZoneKeyName` will contain the current system time zone.

For examples of what this may look like, execute the command `Get-TimeZone -ListAvailable` in PowerShell and look at the `Id` key.

The `Bias` key contains the numer of minutes between UTC and the system's selected time zone, such that `UTC = Local System Time + Bias`.

## Example

```
PS> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" -Name *

Bias                        : 360
DaylightBias                : 4294967236
DaylightName                : @tzres.dll,-161
DaylightStart               : {0, 0, 3, 0...}
StandardBias                : 0
StandardName                : @tzres.dll,-162
StandardStart               : {0, 0, 11, 0...}
TimeZoneKeyName             : Central Standard Time
DynamicDaylightTimeDisabled : 0
ActiveTimeBias              : 300
```

This example was produced on Windows 10, Version 10.0.19044 Build 19044


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.