11

I have observed that Windows executable files show incorrect timestamps when I view them in PE Studio. For example, this Notepad.exe file shows a compiler timestamp of 0x86FCBD69 (Mon Oct 07 03:45:05 2041).

To validate this today (3 May 2021), I converted a Python program file to EXE & checked the same in PE Studio. It also showed an incorrect compiler timestamp of 0x5FFEC122 (Wed Jan 13 15:15:06 2021).

Why are compiler timestamps incorrect? To my understanding, if the Python program was converted to exe today, it should show today's date under the compiler timestamp.

5
  • I'm thinking that's the date the compiler itself was built, not the executable you're looking at. Commented May 3, 2021 at 12:04
  • @MetalMikester - The compiler is from the future? What’s more likely is the program is improperly converting the date.
    – Ramhound
    Commented May 3, 2021 at 12:26
  • @Ramhound LOL! I wasn't focusing on the year, just the name "compiler-stamp" which I seem to recall is the compiler build date, not the EXE build date. But I'm not 100% sure. The second one is Jan 2021, however. Commented May 3, 2021 at 12:35
  • 1
    @MetalMikester - In either case it’s the wrong date, which indicates the software is converting the value improperly. I also wouldn’t expect either field to contain worthwhile data based on their name
    – Ramhound
    Commented May 3, 2021 at 12:40
  • @Ramhound Skynet is planning to go operational in 2041? Interesting
    – Stian
    Commented May 4, 2021 at 8:40

1 Answer

22

They're deliberately set to a fixed value:

  • The Old New Thing: Why are the module timestamps in Windows 10 so nonsensical?

    One of the changes to the Windows engineering system begun in Windows 10 is the move toward reproducible builds. This means that if you start with the exact same source code, then you should finish with the exact same binary code.

    […]

    Timestamps are another source of non-determinism. Even if all the inputs are identical, the outputs will still be different because of the timestamps. [...] Setting the timestamp to be a hash of the resulting binary preserves reproducibility.

  • The Old New Thing: What does the executable timestamp really mean?

    The name timestamp is misleading. Its real purpose is to act as a signature so that the operating system can determine whether a DLL against which one set of values was precalculated matches the DLL physically on the system. A better name for it would have been "UniqueId".

Note: There are two meanings to the term 'signature' here. Raymond calls the field a "signature" only in the sense of it being something unique that allows distinguishing this binary from other binaries (in the same way that the 'MZ' bytes are a signature for all .exe files). It is however not a cryptographic digital signature and does nothing to ensure the file's integrity or authenticity.
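To see the field the answer describes, the following added example (not part of the original answer) reads the 32-bit `TimeDateStamp` from the COFF header and checks whether it is believable as a date. The helper names, the constructed minimal header and the 3 May 2021 reference time are assumptions made for the illustration.

```python
import struct
from datetime import datetime, timezone

# Constructed reference time: the date the question was asked (3 May 2021).
ASKED = datetime(2021, 5, 3, tzinfo=timezone.utc)
# PE files first shipped with Windows NT 3.1 in 1993.
PE_ERA = datetime(1993, 1, 1, tzinfo=timezone.utc)


def make_header(stamp: int) -> bytes:
    """Constructed sample: the smallest byte layout the parser needs."""
    dos = b"MZ" + bytes(0x3A) + struct.pack("<I", 0x80)   # e_lfanew at 0x3C
    coff = struct.pack("<HHI", 0x8664, 1, stamp)          # Machine, NumberOfSections, TimeDateStamp
    return dos + bytes(0x80 - len(dos)) + b"PE\0\0" + coff


def read_timedatestamp(image: bytes) -> int:
    """Return the raw 32-bit TimeDateStamp from the COFF file header."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0" or len(image) < e_lfanew + 12:
        raise ValueError("PE header missing or truncated")
    (stamp,) = struct.unpack_from("<I", image, e_lfanew + 8)
    return stamp


def interpret(stamp: int, now: datetime = ASKED):
    """Decode the field as UTC seconds since 1970 and say whether that is believable."""
    when = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if when > now:
        verdict = "future"        # cannot be a build time; treat as an opaque ID
    elif when < PE_ERA:
        verdict = "pre-PE"        # older than the file format itself
    else:
        verdict = "plausible"     # looks like a date, still not proof of build time
    return when.isoformat(), verdict


if __name__ == "__main__":
    for value in (0x86FCBD69, 0x5FFEC122):   # the two values quoted in the question
        print(hex(value), *interpret(read_timedatestamp(make_header(value))))
```

The output is in UTC, so it is 5 h 30 min behind the times quoted in the question, which is consistent with the viewer showing local time.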

5
  • Well that's quite informative. I believe these signatures are used to ensure the integrity of DLL files so that no malicious adversary can modify & recompile them.
    – Monk
    Commented May 3, 2021 at 15:25
  • 2
    They are not signatures. You're correct that signatures are used to ensure integrity and prevent tampering, and Microsoft indeed digitally sign all their executables -- but timestamps are not the same thing as signatures. The timestamp is a 32-bit number; even if it were used to prevent tampering, it takes literally minutes to simply run through every possible 32-bit number until you find one that "passes". Actual signatures are hundreds of bits (or thousands because Microsoft uses RSA). Commented May 3, 2021 at 15:43
  • 4
    @supercat - Microsoft made this change awhile ago, it’s not like they recently made the change, it’s been more than 4 years.
    – Ramhound
    Commented May 3, 2021 at 22:20
  • @Ramhound 4 years lol, those articles are from 2010-11
    – Hong Ooi
    Commented May 4, 2021 at 9:58
  • @HongOoi - Only one is from 2011
    – Ramhound
    Commented May 4, 2021 at 12:03
