| Current | v9 | v8 | v7 | v6 | v5 | v4 | v3 | v2 | v1 | All | About |
InterruptTime
This attribute is used to store a 100 nanosecond timer starting at system boot that presumably counts the amount of time spent processing interrupts. The attribute itself is stored as a _KSYSTEM_TIME structure which is defined as:
0:000> dt _KSYSTEM_TIME +0x000 LowPart : Uint4B +0x004 High1Time : Int4B +0x008 High2Time : Int4B
Depending on the hardware a machine is running, the InterruptTime's period may be exactly equal to 100 nanoseconds. However, testing has seemed to confirm that this is not always the case. Given this, both the update period and the scale of the InterruptTime attribute should be seen as limiting factors. This fact makes it less useful because it has the same limitations as the TickCountLow attribute. Specifically, without knowing when the system booted and when the counter started, or how much time has been spent processing interrupts, it is not possible to reliably predict when certain bytes will be at certain offsets. Furthermore, the machine would need to have been booted for a significant amount of time in order for some of the useful instructions to be feasibly found within the bytes that compose the timer.
This attribute is located at 0x7ffe0008 on all versions of Windows NT+.