Quote:
Originally Posted by binarylaw
But the software would still need to record/log the reference timestamp somewhere, either disk or registry, right?
|
No. The directory/file creation time is the timestamp since these values don't typically change unless the file or directory is deleted and/or recreated. This information is stored on the disk and is retrieved by the system with this call. It could simply compare that to the current system time to see if it is within the trial days. Though this is a probably a little impractical, I have seen this method used in a program in the past. GetSystemTime or GetLocalTime could be some useful APIs for you to track this type of check.
Please note that I haven't actually analyzed your target application. This is all speculative and is one trick which I have encountered that is hidden from ProcMon.