Add-In Load Time Registry Binary Value Conversion to Decimal

I have ruled out that those are actually some sort of strange binary mapping of a standard date and time - as well as several non-standard formats I looked at.

Those strings have 24 bytes = 192 bits. They appear to be an array of numbers presented in what is called "little-endian" order. But the problem is that 24 bytes is three times too many bytes for it to be a binary/hex representation of a double. It isn't any of the IEEE formats that I can track down, and doesn't seem to be a UTC representation. It APPEARS to be a little-endian declaration of the contents of 6 x LONG. But when I try to translate the numbers, they are not in a time array because the numbers in the middle are too long for the fields they would fall in.

This might still be some sort of timer info, but that number of bits is enough to represent the age of the universe in ticks of the quantum background frequency clock - and have bits left over. By a LOT. It is something like 10^55 years if the ticks represent seconds. Since the universe is supposedly only 1.3x10^10 years old, that ain't it. (And besides which, where did they get the reference date?) ;)

Seriously, what I see here is typically obscure like many other Microsoft registry keys and you would have to have access to the internals of the program that stores it to know what it means. I'm not admitting total defeat but my first three or four tries are off into left field at the moment. I'll have to defer this because it is going nowhere unless I get some inspiration from above. Or below. But let's just say I'm not holding my breath while waiting.
 
check out this forum, might lead you to something:
http://www.tek-tips.com/viewthread.cfm?qid=937068

something like this i think:
Code: 
Private Sub readBinaryReg()
'http://www.tek-tips.com/viewthread.cfm?qid=937068
Const HKCU = &H80000001 'HKEY_CURRENT_USER
Dim oReg, arrValue
Dim i As Long
Dim strKeyPath As String, strValueName As String
Dim strInfo As String, strComputer As String
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Office\16.0\Outlook"
strValueName = "AddInLoadTimes"
oReg.GetBinaryValue HKCU, strKeyPath, strValueName, arrValue
strInfo = ""
If Not IsNull(arrValue) Then
For i = 0 To UBound(arrValue)
    If arrValue(i) <> 0 Then strInfo = strInfo & Chr(arrValue(i))
Next
Debug.Print strInfo    'strInfo  is the info you need
End If
End Sub
 
Last edited:
Some potentially useful ideas from arnelgp. Thank you

First of all the binary output code from TekTips.
This needs modifying slightly
This gets a value from one of the Outlook addins on my computer:

Code: 
Private Sub readBinaryReg()
'http://www.tek-tips.com/viewthread.cfm?qid=937068
Const HKCU = &H80000001 'HKEY_CURRENT_USER
Dim oReg, arrValue
Dim i As Long
Dim strKeyPath As String, strValueName As String
Dim strInfo As String, strComputer As String
strComputer = "."
Set oReg = GetObject("winmgmts:{impersonationLevel=impersonate}!\\" & _
        strComputer & "\root\default:StdRegProv")

strKeyPath = "Software\Microsoft\Office\16.0\Outlook\AddinLoadTimes" 'full key path
strValueName = "SnagItOfficeAddin.Connect" 'key name
oReg.GetBinaryValue HKCU, strKeyPath, strValueName, arrValue
strInfo = ""
If Not IsNull(arrValue) Then
For i = 0 To UBound(arrValue)
    If arrValue(i) <> 0 Then strInfo = strInfo & Chr(arrValue(i))
Next
Debug.Print strInfo    'strInfo  is the info you need - key value
End If
End Sub

This is the key value: 05,00,00,00,2f,00,00,00,1d,03,00,00,2f,00,00,00,ac,00,00,00,6d,00,00,00

However this is the output: //¬m

That didn't paste successfully - here's a screenshot
attachment.php

So its either encrypted before converting to binary (and we don't know the encryption key)
OR its ASCII codes which need converting back to give numbers (not tested)

Here's a list of all ASCII keycodes https://www.asciitable.com/

I had hopes for the hex converter tools in arnels other postand tried two of them:
a) Raymondcc Reg DeHexer - gave no output for several registry hex values tested
b) OTConvertIt gave results but similar to the above on separate lines for each character - see attached screenshot

So unfortunately unless I'm missing something (very likely!), I don't think that this gets us any further

If anyone wants to test some more registry values, see the text file attachment I uploaded in post 18
 

Attachments

  • Capture.PNG
    Capture.PNG
    27.8 KB · Views: 167
  • Capture1.PNG
    Capture1.PNG
    673 bytes · Views: 1,069
Last edited:
ridders said:
I tested my earlier theory but it seems to be wrong
Current Unix time in seconds = 1522710229

What I did notice is that in each group each pair with a hex value is followed by up to 3 zero pairs which I think are padding and could be discarded
e.g. 05 00 00 00 10 00 00 00 10 00 00 00 5e 00 00 00 1f 00 00 00 2f 00 00 00

=> 05 10 10 5e 1f 2f
=> 0510105e1f2f as HEX
=> 5566552219439 as DEC
But even if that's the case, as yet I've no idea what it means
Hopefully Doc can use the figures as part of his test

NOTE:
As an aside, I now understand the numerical part of the image attachment done a few minutes ago (1522709359) - the Unix time when uploaded
Click to expand...

Initially, I thought I noticed the quads as well (initial single pair followed by 3 sets of 00).
However, I did find (initially) at least one key value with at least one non-00 second pair.

This morning, pursuant to your interest along this track, I went into the data (I have 985,635 records) and parsed out the different pair values and counts of different values per pair.
It turns out, only pairs 2, 3, and 4 are always 00.
All the rest have at least 5 total different values.
Interestingly, the key pairs that initially looked like the 1 pair in the quad sets each have 256 different values and these pairs do have more than the rest, but in fact, each of the subsequent 3 pairs within each of the quads do have some values other than 00.

I'll upload the workbook if interested.
 

Attachments

Last edited:
The_Doc_Man said:
I have ruled out that those are actually some sort of strange binary mapping of a standard date and time - as well as several non-standard formats I looked at.

Those strings have 24 bytes = 192 bits. They appear to be an array of numbers presented in what is called "little-endian" order. But the problem is that 24 bytes is three times too many bytes for it to be a binary/hex representation of a double. It isn't any of the IEEE formats that I can track down, and doesn't seem to be a UTC representation. It APPEARS to be a little-endian declaration of the contents of 6 x LONG. But when I try to translate the numbers, they are not in a time array because the numbers in the middle are too long for the fields they would fall in.

This might still be some sort of timer info, but that number of bits is enough to represent the age of the universe in ticks of the quantum background frequency clock - and have bits left over. By a LOT. It is something like 10^55 years if the ticks represent seconds. Since the universe is supposedly only 1.3x10^10 years old, that ain't it. (And besides which, where did they get the reference date?) ;)

Seriously, what I see here is typically obscure like many other Microsoft registry keys and you would have to have access to the internals of the program that stores it to know what it means. I'm not admitting total defeat but my first three or four tries are off into left field at the moment. I'll have to defer this because it is going nowhere unless I get some inspiration from above. Or below. But let's just say I'm not holding my breath while waiting.
Click to expand...

ROFLAMO!
That was my first impression of my first calculated result: Unless this add-in has been loading since the Big Bang, it can't possibly be correct!

However, as I look at the parsing data from all the records, it seems possible, if not highly likely, the 1st pair is some sort of qualifier, perhaps indicative of different classes of add-ins, and the next 3 pairs are always 00 so perhaps unused.
That reduces the pool of pairs to 20 (from 24 initial).
That aught to maybe get closer to perhaps just the age of the Milky Way, or with a little luck just to the age of our sun.
:D
 
Unfortunately I think I've reached a dead end with this.
As I can't even make sense of my own data, there's no point looking at yours as well. Sorry but for now at least I'm out of ideas.

Two questions that should perhaps have been asked at the start
1. What is the purpose of this exercise
2. Have you tried googling it or asking on an outlook forum?
 
arnelgp said:
You csn searchfunction in this firum that read values from the registry. I think that it will give you the result withou the need of conversion provided you supply the correct datatype
Click to expand...

Thanks!
I tried searching twice and didn't find anything that seemed applicable to this.
Do you have any specific links to a thread?
 
ridders said:
1. What is the purpose of this exercise
Click to expand...
I second this question!
ridders said:
2. Have you tried googling it or asking on an outlook forum?
Click to expand...
No dice!

I think this whole endeavor is rather pointless. - You got me curious anyway, so let me put on my guessing hat...

These are 6 different DWORD values.
The first one is the number of recorded startups of the Add-In.
The next 5 are the last 5 recorded startup times in milliseconds. With the rightmost non-zero being the most recent.

Now, what are you going to do with that information?
 
ridders said:
What I did notice is that in each group each pair with a hex value is followed by up to 3 zero pairs which I think are padding and could be discarded
e.g. 05 00 00 00 10 00 00 00 10 00 00 00 5e 00 00 00 1f 00 00 00 2f 00 00 00
Click to expand...
Not that it will help anything, but I don't think it is padding but 4 byte numbers, where the most significant byte is the byte far right, such as memory addresses are specified in machine language, (as I remember it).
ex. 05 FF 00 00 isn't decimal 1535, but decimal 65285.
 
im ready to jump, i have my chute on.
so well just ask mr.outlook, because he write the registry
and only he can unlock its mystery and read-it.

as ive said in my early post, you must have knowledge of the data structure of this hex dump.
 
ridders said:
Unfortunately I think I've reached a dead end with this.
As I can't even make sense of my own data, there's no point looking at yours as well. Sorry but for now at least I'm out of ideas.
Click to expand...

A HUGE "E" FOR EFFORT AND I SUPER APPRECAITE YOUR TIME AND INTEREST!

ridders said:
1. What is the purpose of this exercise
Click to expand...

I'm in an extremely large enterprise. I can't say where but as the Office SME I track >345,000 Office clients globally.
We're migrating to Office 2016 from Office 2010 and some very vocal groups are complaining about Outlook 2016 slowness (really All Office 2016 apps but these particular groups use Outlook a lot).
During a recent tech call, someone suggested perhaps add-ins were loading slowly.
My response, while technically correct, did noting to satiate the noisy Directors involved: "Well, certainly that would be a great place to look during diagnostics with support but Messaging Support has tracked zero calls for Outlook slowness to diagnose."
Certainly, they'd rather have the problem fixed with zero time investment from them.
So, we have some internal tools we can get registry data from and I made a request for the Outlook Add-in load time keys.
Interestingly, there is another IT group developing an alternative solution: Disabling all their add-ins period. I'm pretty sure that is just a threat though, to get them on the phone with support so problematic add-ins (if any) can be properly identified and remediated.
As an SME, all I can usually do is advise (when they ask) and watch them duke it out.
I already know of, and have suggested and pleaded to use the free Microsoft tool (Telemetry) that would answer all their questions but for the last 5 years they're procrastinated because of the infrastructure costs.

ridders said:
2. Have you tried googling it or asking on an outlook forum?
Click to expand...
I have done extensive searches looking for the solution on both Bing and Google but to no avail.
I keep getting search results for my old favorite development site, HERE.
So, finally I took the clue and opened this thread (after of course doing my due diligence in the site's search engine).

I can understand if these answers reduce the importance factor for anyone since this is what amounts to free support for a major corporation, and I SERIOUSLY appreciate all the interest thus far.
If there is any reason to carry on, I'm hoping it is from several "Access Guys" to another.
:cool:
 
Bilbo_Baggins_Esq said:
I can understand if these answers reduce the importance factor for anyone since this is what amounts to free support for a major corporation, and I SERIOUSLY appreciate all the interest thus far.
Click to expand...

The folks here really don't care where you work, and you're far from the only person on this forum who works for a major corporation. Don't sweat it.
 
sonic8 said:
I second this question!

No dice!

I think this whole endeavor is rather pointless. - You got me curious anyway, so let me put on my guessing hat...

These are 6 different DWORD values.
The first one is the number of recorded startups of the Add-In.
The next 5 are the last 5 recorded startup times in milliseconds. With the rightmost non-zero being the most recent.

Now, what are you going to do with that information?
Click to expand...

I appreciate your interest here, but would you mind elaborating on your guess?
Incidentally, the keys are all "REG_BINARY"
 
Probably my final contribution

sonic8 said:
I think this whole endeavor is rather pointless. - You got me curious anyway, so let me put on my guessing hat...

These are 6 different DWORD values.
The first one is the number of recorded startups of the Add-In.
The next 5 are the last 5 recorded startup times in milliseconds. With the rightmost non-zero being the most recent.

Now, what are you going to do with that information?
Click to expand...

One of my Google searches stated that Outlook does indeed compare the latest loading time with the 5 most recent values. From this it determines when to warn that an addin is slow & suggest disabling it

So I think sonic has the answer
So if you want to proceed, here's some data which may help

I opened Outlook 3 times (Run1-> Run3) and saved the registry data each time - attached

Looking at one of the keys a pattern becomes clear:
a) Disabled addins e.g. Teamviewer / SnagIt don't change
b) For enabled addins e.g. OneNote.OutlookAddin the first 8 byte section stays the same e.g. 05000000. The remaining five 8 byte parts get shifted one section to the right each time with the oldest value falling off at the end:
For example

Run1: 05,00,00,00,57,01,00,00,00,00,00,00,00,00,00,00,10,00,00,00,00,00,00,00
Run2: 05,00,00,00,1f,00,00,00,57,01,00,00,00,00,00,00,00,00,00,00,10,00,00,00
Run3: 05,00,00,00,00,00,00,00,1f,00,00,00,57,01,00,00,00,00,00,00,00,00,00,00

So focus on values like 57 01 00 00 or 1f 00 00 00.
If still interested in solving this, convert to decimal and try to work out what that might mean. Good luck

Out of interest where can the Telemetry tool be downloaded from?
 

Attachments

Last edited:
ridders said:
Probably my final contribution



One of my Google searches stated that Outlook does indeed compare the latest loading time with the 5 most recent values. From this it determines when to warn that an addin is slow & suggest disabling it

So I think sonic has the answer
So if you want to proceed, here's some data which may help

I opened Outlook 3 times (Run1-> Run3) and saved the registry data each time - attached

Looking at one of the keys a pattern becomes clear:
a) Disabled addins e.g. Teamviewer / SnagIt don't change
b) For enabled addins e.g. OneNote.OutlookAddin the first 8 byte section stays the same e.g. 05000000. The remaining 8 parts get shifted one section to the right each time with the oldest value falling off at the end:
For example

Run1: 05,00,00,00,57,01,00,00,00,00,00,00,00,00,00,00,10,00,00,00,00,00,00,00
Run2: 05,00,00,00,1f,00,00,00,57,01,00,00,00,00,00,00,00,00,00,00,10,00,00,00
Run3: 05,00,00,00,00,00,00,00,1f,00,00,00,57,01,00,00,00,00,00,00,00,00,00,00

So focus on 57 01 00 00 or 1f 00 00 00.
If still interested, convert to decimal and try to work out what that might mean. Good luck

Out of interest where can the Telemetry tool be downloaded from?
Click to expand...

COOL!
So, I need a function then that would calculate the load times based on quads 2 through 6.
Either concatenating them in one string or with a second parameter to designate the quad to be calculated.
If anybody has a sample function to work on even a single quad, I could easily take it from there.

Telemetry is a free component of (already built-in) Enterprise Office 2013 and 2016. It only comes with the Enterprise versions but Telemetry agents can be extracted and installed to Enterprise Office clients back to Office 2003.
However, Office 2013 and Office 2016 Telemetry agents provide more detailed information than the agents for 2003 through 2010.
 
You must log in or register to reply here.

Similar threads

K
Solved Report Group by Day with a Start time of 4:00:00am, End time 3:59:59AM the next Day
Replies
5
Views
482
kjbrack
K
isladogs
Access Europe meeting on Wed 5 June - Extended File Properties / Manage Import/Export Data Tasks
Replies
2
Views
369
isladogs
isladogs
isladogs
Access Europe User Group - Wed 6 Nov: An Image/Photo Cataloguer (Chris Arnold)
Replies
0
Views
118
isladogs
isladogs
isladogs
Access Europe - Using VBA to create a class based on a table - Wed 1 May
Replies
7
Views
629
Josef P.
J
A
Solved How to change date portion at beginning
Replies
13
Views
1,061
Ashfaque
A

Users who are viewing this thread

Total: 1 (members: 0, guests: 1)
Back
Top Bottom