What time zone does windows event logs show
Andrew Mclaughlin 
I have a doubt on the time zone shown in the windows event logs.
I had read that if I export the windows event logs from another machine and open it in my machine which has a different time zone, the timings of the events will be converted to my time zone.
The scenario is I am debugging an issue which occurred in a VM set in JST timezone. I could see an event in the windows logs logged like this when I opened the file in my local machine which is in IST time zone--
The process C:\Program Files\Altek\Agent\bin\altekbin.exe (VERY1) has initiated the shutdown of computer VERY1 on behalf of user NT AUTHORITY\SYSTEM for the following reason: No title for this reason could be found Reason Code: 0x3000c
Logged: 23-01-2020 18:20:13
Since the timing is shown as 18:20:13 in my machine which is in IST, I am thinking that the actual time in JST when it happened was in 21.50 JST. Is my understanding correct? This timestamp conversion has been bit confusing to me so would appreciate if anyone can clear my doubts?
2 Answers
Events are stored in UTC time but shown in your local time.
The OS always works with UTC timestamps, but Event Viewer (like other programs) converts them to your local timezone for display purposes. It doesn't matter if the .evtx file was generated locally or if it was copied from a system with another timezone; it'll still use UTC as base and the Eventvwr will still adjust to your local time.
You can find a timestamp with timezone indicator in the "Details" view:
<Event xmlns=""> <System> <TimeCreated SystemTime="2020-03-10T07:18:23.000000000Z" /> ... </System>
</Event>- Extract the SYSTEM hive (Windows\System32\config) with FTKImager
- Use Registry Ripper to generate a text report of it
- In Notepad++ use Ctrl+F to search for the keyword 'timezone' (no quotes)
Sorry, just noticed this doesnt help you...or maybe it will.
