Bugtraq mailing list archives
RE: Win2K/NTFS messes file creation time/date
From: "Mark Norman" <mark.norman () lmiv com>
Date: Mon, 16 Jul 2001 11:37:26 -0500
<delurk> Hello all, Just wanted to provide y'all with some info.
On Wed, 11 Jul 2001, Acryl wrote:Again the 3 files were created, but the Creation time/date was set wrong, namely it was set to the very first creation time( before Ideleted them by hand ). Any following runs of the programproduced thesame results.This is known behavior. There is a window during which the "sticky" behavior will occur. In fact, certain MS apps (e.g. Word)rely upon thisbehavior.Known to who? Is it documented anywhere?
It's called file tunneling....... "The idea is to mimic the behavior DOS programs expect when they use the safe save method. They copy the modified data to a temporary file, delete the original and rename the temporary to the original. This should seem to be the original file when complete. Windows NT performs tunneling on both FAT and NTFS file systems to ensure long/short file names are retained when 16-bit applications perform this safe save operation. " It can also be disabled via the Registry so I'm pretty sure its a feature.
Anyone involved in technical support or trouble shooting is likely to have the MS technet documentation.
Or access to the internet ;) http://support.microsoft.com/support/kb/articles/Q172/1/90.asp?LN=EN-US&; SD=gn&FR=0&qry=ntfs%20and%20timestamp&rnk=1&src=DHCS_MSPSS_gn_SRCH&SPR=W IN2000
On my CD, chapter 17 of the "Windows 2000 Professional System Configuration and Management", on file systems, has a section on NTFS file attributes, which look like an obvious place to start. Also a section on the Change log. But there is no indication that "created" means anything different on NTFS than it did on FAT. I haven't found it in 3 or 4 other likely looking documents. As it is, all sorts of questions follow from it. What is the window?
By default it's 15 seconds
Where does NTFS store the information while the old file doesn't exist?
The notorious Windows-Temporary files
(Is it the change journal? It isn't mentioned.) What happens to Word if someone accidentally or deliberately breaks the mechanism? The behaviour is easy to replicate as described, and I can also make it happen from the command line without bothering with all that mouse clicking. It sure looks like a bug or a vulnerability to me. Ken Brown
<relurk>
Current thread:
- Win2K/NTFS messes file creation time/date Acryl (Jul 15)
- Re: Win2K/NTFS messes file creation time/date Gerald Carter (Jul 15)
- Re: Win2K/NTFS messes file creation time/date Ken Brown (Jul 16)
- Re: Win2K/NTFS messes file creation time/date Gerald Carter (Jul 16)
- Re: Win2K/NTFS messes file creation time/date Ken Brown (Jul 16)
- <Possible follow-ups>
- Re: Win2K/NTFS messes file creation time/date Justin Nelson (Jul 16)
- RE: Win2K/NTFS messes file creation time/date Mark Norman (Jul 16)
- RE: Win2K/NTFS messes file creation time/date Michael C. Bazarewsky (Jul 16)
- Re: Win2K/NTFS messes file creation time/date Ken Brown (Jul 17)
- Re: Win2K/NTFS messes file creation time/date Gerald Carter (Jul 15)