SYSTEM_TIMEOFDAY_INFORMATION

The SYSTEM_TIMEOFDAY_INFORMATION structure is what a successful call to ZwQuerySystemInformation or NtQuerySystemInformation produces in its output buffer when given the information class SystemTmeOfDayInformation (0x03).

Documentation Status

The SYSTEM_TIMEOFDAY_INFORMATION structure is defined in WINTERNL.H from the Software Development Kit (SDK). The definition there has the whole structure as one array of bytes, named Reserved1. Documentation of NtQuerySystemInformation describes the structure as “opaque” and suggests that whatever is produced in it for the SystemTimeOfDayInformation case “can be used to generate an unpredictable seed for a random number generator.”

Microsoft does publish the practical equivalent of a C-language definition as type information in public symbol files, though not for the kernel, where the structure is prepared, nor even for low-level user-mode DLLs that interpret the structure, but for various higher-level user-mode DLLs such as URLMON.DLL and only then starting with version 6.2.

Two earlier disclosures of type information are known, though not in symbol files but in statically linked libraries: GDISRVL.LIB from the Device Driver Kit (DDK) for Windows NT 3.51; and SHELL32.LIB from the DDK for Windows NT 4.0.

Layout

The SYSTEM_TIMEOFDAY_INFORMATION is 0x30 bytes in both 32-bit and 64-bit Windows 10.

Offset Definition Versions
0x00
LARGE_INTEGER BootTime;
 
0x08
LARGE_INTEGER CurrentTime;
 
0x10
LARGE_INTEGER TimeZoneBias;
 
0x18
ULONG TimeZoneId;
 
0x1C
ULONG Reserved;
last member in 3.51;
last member in 4.0
0x20
ULONGLONG BootTimeBias;
 
0x28
ULONGLONG SleepTimeBias;
 

This is the structure for Windows 10. Earlier versions are known for which the structure is 0x20 bytes.