Home/ Questions/Q 8711287
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-13T04:50:22+00:00

I am modifying an existing Windows Kernel device driver and in there I need

  • 0

I am modifying an existing Windows Kernel device driver and in there I need to capture a timestamp. I was intending to use time.h library and call the clock() function to get that, however under windows visual studio, the linking is failing. So I took it as a means that I need to work within the driver’s libraries.

I found the following function, KeInitializeTimer, and KeSetTimerEx but these are used if I plan to set up a timer and wake up on it. What I really need is something that will give me a timestamp.

Any ideas?

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    I am updating my question with an answer for others to benefit from my findings.

    To get a timestamp, you can use KeQueryTickCount(). This routine will give you the count of interval interrupts that occurred since the system was booted. However, if you need to find out since the last timestamp you captured, an X amount of time has passed you need to also query your system to determine the time it takes for each interval clock interrupt.

    ULONG KeQueryTimeIncrement() give you the number of 100-nanosecond units.

    Example:

    PLARGE_INTEGER timeStamp;

KeQueryTickCount(&timeStamp);

    Please note that PLARGE_INTEGER is defined as such:

    #if defined(MIDL_PASS)
typedef struct _LARGE_INTEGER {
#else // MIDL_PASS
typedef union _LARGE_INTEGER {
    struct {
        ULONG LowPart;
        LONG HighPart;
    } DUMMYSTRUCTNAME;
    struct {
        ULONG LowPart;
        LONG HighPart;
    } u;
#endif //MIDL_PASS
    LONGLONG QuadPart;
} LARGE_INTEGER;

    So lets say, you want to see if 30 seconds passed since you last took a timestamp, you can do the following:

    ULONG tickIncrement, ticks;
LARGE_INTEGER waitTillTimeStamp;
tickIncrement = KeQueryTimeIncrement();

    // 1sec is 1,000,000,000 nano sec, however, since KeQueryTimeIncrement is in
    // 100ns increments, divide that and your constant is 10,000,000

    ticks = ((30 * 10,000,000) / tickIncrement);
KeQueryTickCount(&waitTillTimeStamp);
waitTillTimeStamp.QuadPart += ticks;

<.....Some code and time passage....>
KeQueryTickCount(&currTimeStamp);


if (waitTillTimeStamp.QuadPart < currTimeStamp.QuadPart) {
    <...Do whatever...>
}

    Another example to help you understand this, what if you want to translate the timestamp you got into a time value such as milliseconds.

    LARGE_INTEGER mSec, currTimeStamp;
ULONG timeIncrement;

timeIncrement = KeQueryTimeIncrement();


KeQueryTickCount(&currTimeStamp);

// 1 millisecond is 1,000,000 nano seconds, but remember divide by 100 to account for 
// KeQueryTickCount granularity.
mSec.QuadPart = (currTimeStamp.QuadPart * timeIncrement) / 10000;

    Remember this example is for demonstration purposes, mSec is not the current time in milliseconds. Based on the APIs used above, it is merely the number of milliseconds that have elapsed since the system was started.

    You can also use GetTickCount(), but this returns a DWORD and thus will only be able to give you the number of milliseonds since the system was started for up to 49.7 days.

    • 0