Note: I translated Japanese into English using Google Translate.
Thank you, Google.
Summary:
- I confirmed that the latest Last Access Time is written to disk by accessing the file after 1 hour has elapsed.
- After one hour elapsed, when shutting down without accessing the file, I did not check whether Last Access Time in memory is written to disk.
<2018/12/16 Add>
The latest Last Access Time was written to disk by shutdown.
In the update of the Last Access Time, the MFT record time stamp was not updated.
- This verification had to repeat the same thing over and over... And I still know that it is not enough.
---
I continue to test last access time on the Win 10 1803 environment. (I repeat the same thing like a monkey. :-)
I am hoping to end this test today.
Please note that it is not a sufficient verification method.
DisableLastAccess = 2 (System Managed, Disabled) ⇒ Last Access Time updates are enabled.
The test volume F: is NTFS and the size is 149 GB.
Display properties of Dragonfly.jpg in Explorer.
Check the latest time stamp with the fsutil command.
Check the time stamp recorded on the disk.
It is different from the result of fsutil. I was able to confirm that the old time stamp was saved. This value is the same as the timestamp of the property.
Wait one hour.
Check the latest time stamp with the fsutil command. The timestamp has not changed.
The time stamp on the disk also does not change.
Display the properties of the file and update the timestamp.
Check the latest time stamp with the fsutil command.
Check the time stamp of the disk. The latest timestamp was recorded.
Perhaps, this is what I wanted to test.
In the future, I would like to consider a better verification method.
The resolution of NTFS last access time is described as 1 hour.
File Times - Windows applications | Microsoft Docs
The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access.
<2018/12/16 Add>
I tested whether Last Access Time not recorded on disk is written by shutdown processing.
Last Access Time confirmed with the fsutil command has not yet been written to disk even after 1 hour.
Shut down the system and start it. (In this system, fast startup is enabled.)
The Last Access Time seems to have been written to the disk by the shutdown processing.
I did not pay attention to the update date of the FILE record. However, it seems that it was not updated.
NTFS Last Access Time update by property display does not update Change Time. When Last Access Time is set in PowerShell, Change Time is updated.
$(Get-Item f:\Butterfly.jpg).lastaccesstime=$(Get-Date "01/01/2000 00:00 am")
Change Time is updated.
Display the properties of the file and update the Last Access Time.
Last Access Time is updated, but Change Time does not change.
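The on-disk comparison used in these tests can be scripted by reading the four $STANDARD_INFORMATION timestamps straight from a FILE record and listing which ones differ between two snapshots. This is an added example, not the tooling used for the tests above; the record bytes and timestamps are constructed, and the function names are hypothetical.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)             # FILETIME epoch
FIELDS = ("created", "modified", "mft_changed", "accessed")   # $SI on-disk order

def parse_si_times(record):
    """Return the four $STANDARD_INFORMATION timestamps of one MFT FILE record."""
    # Update-sequence fixups are skipped: they only alter the last two bytes
    # of each sector, and $SI sits near the start of the record.
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]           # first attribute
    while off + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:                  # end of attributes
            break
        if atype == 0x10 and record[off + 8] == 0:            # resident $SI
            body = off + struct.unpack_from("<H", record, off + 0x14)[0]
            ticks = struct.unpack_from("<4Q", record, body)   # 100 ns units
            return {n: EPOCH + timedelta(microseconds=t // 10)
                    for n, t in zip(FIELDS, ticks)}
        off += alen
    raise ValueError("$STANDARD_INFORMATION not found")

def changed_fields(before, after):
    """Names of the $SI timestamps that differ between two parsed snapshots."""
    return [n for n in FIELDS if before[n] != after[n]]

def build_record(*times):
    """Constructed sample input: FILE header, resident $SI, end marker."""
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, 0x38)
    body = struct.pack("<4Q", *((t - EPOCH) // timedelta(microseconds=1) * 10
                                for t in times)) + bytes(16)
    attr = struct.pack("<IIBBHHHIHBB", 0x10, 0x18 + len(body), 0, 0, 0, 0, 0,
                       len(body), 0x18, 0, 0)
    return bytes(hdr) + attr + body + struct.pack("<I", 0xFFFFFFFF)

def utc(*parts):
    return datetime(*parts, tzinfo=timezone.utc)

# Constructed timestamps (not read from the test volume).
T0 = utc(2018, 12, 1, 9)
BASE = parse_si_times(build_record(T0, T0, T0, T0))
# Property display, as observed above: only Last Access moves.
LAZY = parse_si_times(build_record(T0, T0, T0, utc(2018, 12, 16, 10, 30)))
# LastAccessTime set from PowerShell, as observed above: Change Time moves too.
EXPLICIT = parse_si_times(
    build_record(T0, T0, utc(2018, 12, 16, 11), utc(2000, 1, 1)))
```

With these snapshots, `changed_fields(BASE, LAZY)` reports only `accessed`, while `changed_fields(BASE, EXPLICIT)` reports both `mft_changed` and `accessed`.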
Verification environment: Windows 10 1803
Reference URL:
File Times - Windows applications | Microsoft Docs
It seems that it's okay for Windows to return two different last access timestamps for the same file depending on a function called to retrieve that timestamp (when the "Last Access" updates are enabled, of course). 1/4 #DFIR
— Maxim Suhanov (@errno_fail) December 13, 2018