Re: Windows 2000 Last accessed file time stamp

["Khalil N. Zamai" <khalilnz () gmail com>]

Hi Ken,

Take a look on this registry key, it disable the Last Access Update on NTFS.

HKEY\Local_Machine\System\CurrentControlSet\Control\FileSystem

Value Name: NtfsDisableLastAccessUpdate
Value type: REG_DWORD

1 = Enable

0 = Disable


Regards,

Khalil

On 12/8/05, Ken Pedigo <kpedigo () gmail com> wrote:
> I looking at a computer that was accessed while someone was on vacation. We
> have noticed in the event viewer there are events for a system start up and
> for a shutdown on specific dates. The "Last Accessed" tab in Windows
> explorer is showing that these files were accessed on 12-2-2005 at 12:00 am.
> I'm seeing that the time never changes on any of the files accessed. I'm
> trying to figure out what was accessed on the system and why this time stamp
> is wrong.
>
> I'm thinking that if someone removed the drive and made an image of the
> drive that the time stamp would remain unchanged. I'm not sure what would
> happen if the drive was placed in a computer running XP or Server 2003. I
> ran a test on another system that is also running WIN2K, but the time stamps
> are fine. The access times are scattered. I'm also noticing that not every
> file in every directory was accessed on this day. I also ran afind on the
> system, afind did not show any conclusive information.
>
> Any help would be appreciated.
>
> Thanks
> Ken