Windows file LastAccessTime (faceplant)

I am probably the only one left who didn’t know, but I just found out that Microsoft, in its infinite wisdom, disabled the updating on LastAccessTime in the file systems ever since Vista days.  It affects both desktop and server OS versions. This means you get the LastModifiedTime instead. Which is pretty useless if you want to find files which have not been used recently, or conversely, want to find files that have been accessed at a time you would not have expected (e.g. for forensics).

To check your systems, you can use (at a command prompt run as Administrator)

fsutil behaviour query

 To enable correct access time logging, use

fsutil behavior set disablelastaccess 0

 But as I said, I am probably the last person to find this out. And when I found out, I did a full-on face plant…

Advertisements

Leave a comment or reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s