{
	"id": "56c7c754-a5bb-4eed-bc70-80d73927e05d",
	"created_at": "2026-04-06T03:36:56.800012Z",
	"updated_at": "2026-04-10T03:21:59.622276Z",
	"deleted_at": null,
	"sha1_hash": "f1745cbef63e98d01e79163da43be23fbd7481e6",
	"title": "GitHub - scottlundgren/w32time",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 40024,
	"plain_text": "GitHub - scottlundgren/w32time\r\nBy scottlundgren\r\nArchived: 2026-04-06 03:27:02 UTC\r\ngametime\r\nWindows provides a facility for third parties to build custom time providers. These time providers are interesting\r\nin that they can be used as a Windows \"Autorun\" capability.\r\nMicrosoft lightly documents Win32 time providers. See https://msdn.microsoft.com/en-us/library/windows/desktop/ms725475(v=vs.85).aspx. The important points are that time providers are\r\nimplemented as DLLs that match the architecure (x86, x64) of Windows. Time providers are supported from\r\nWindows 2000 through Windows 10. Registering a time provider is as simple as one registry key and three values.\r\nMicrosoft's own NTP client is implemented as a Win32 time provider. VMWare's VMWare Tools includes a time\r\nprovider implemenation as well.\r\nTime providers are an interesting Autorun mechanism for three reasons:\r\n(1) Time Providers are not well-known or well-documented\r\n(2) The implementation of time providers allow for installing any number of time providers, so a custom time\r\nprovider can be installed easily alongside existing time providers with no loss of functionality and no need to\r\nproxy through to the original.\r\n(3) Time providers can be enabled or disabled with a single registry value\r\nFrom an autorun perspective, a few important points:\r\n(1) There is no escalation of privilege here; one must be an administrator to set up a time provider\r\n(2) The time provider runs in the security context of Local Service\r\n(3) The time provider config in the Windows registry must reference an on-disk file (or, at least, something\r\naddressable via an installed filesystem)\r\nConfiguring a time provider\r\nMust create a key of an arbitrary name (example code uses \"gametime\") in the registry at:\r\nHKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\W32Time\\TimeProviders\r\nUnder the new key, three values must be created:\r\nhttps://github.com/scottlundgren/w32time\r\nPage 1 of 2\n\nREG_SZ DllName (Name of the time provider DLL)\r\nREG_DWORD Enabled (1 or 0)\r\nREG_DWORD InputProvider (1 or 0)\r\nRegistering \u0026 Deregistering\r\nThe gametime DLL allows for registraton and deregistration using rundll32.exe. Just use:\r\nrundll32.exe gametime.dll,Register\r\nrundll32.exe gametime.dll,Deregister\r\nThis saves the hassle of having a standalone installer script.\r\nSource: https://github.com/scottlundgren/w32time\r\nhttps://github.com/scottlundgren/w32time\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://github.com/scottlundgren/w32time"
	],
	"report_names": [
		"w32time"
	],
	"threat_actors": [],
	"ts_created_at": 1775446616,
	"ts_updated_at": 1775791319,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f1745cbef63e98d01e79163da43be23fbd7481e6.pdf",
		"text": "https://archive.orkl.eu/f1745cbef63e98d01e79163da43be23fbd7481e6.txt",
		"img": "https://archive.orkl.eu/f1745cbef63e98d01e79163da43be23fbd7481e6.jpg"
	}
}