TimeZoneInformation Registry Key

The TimeZoneInformation registry key provides the current system time zone. This is useful for consolidating separate artifacts found on a system to align with one time zone, such as UTC.

Analysis Value

🖥️System Enumeration

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	✅	Server 2008	✅
Windows Vista	✅	Server 2003	✅
Windows XP	✅

Artifact Location(s)

🔌 Offline System

• File: %SystemRoot%\System32\config\SYSTEM

• Key: SYSTEM\{CURRENT_CONTROL_SET}\Control\TimeZoneInformation

🔋 Live System

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation

For more information on determining the correct CurrentControlSet, visit Select Registry Key

Artifact Parsers

• RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the TimeZoneInformation registry key, the value name TimeZoneKeyName will contain the current system time zone.

For examples of what this may look like, execute the command Get-TimeZone -ListAvailable in PowerShell and look at the Id key.

The Bias key contains the numer of minutes between UTC and the system's selected time zone, such that UTC = Local System Time + Bias.

Example

PS> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" -Name *

Bias                        : 360
DaylightBias                : 4294967236
DaylightName                : @tzres.dll,-161
DaylightStart               : {0, 0, 3, 0...}
StandardBias                : 0
StandardName                : @tzres.dll,-162
StandardStart               : {0, 0, 11, 0...}
TimeZoneKeyName             : Central Standard Time
DynamicDaylightTimeDisabled : 0
ActiveTimeBias              : 300

This example was produced on Windows 10, Version 10.0.19044 Build 19044