The “Last Access” updates are almost back

~ msuhanov

The purpose of this post is to record the recent findings related to the NTFS “Last Access” updates in Windows 10.

According to ForensicsWiki:

In Windows Vista (presumably as of Windows XP SP3), NTFS no longer tracks the Last Access time of a file by default.

This is no longer the case in the recent versions of Windows 10.

In previous versions of Windows, the “NtfsDisableLastAccessUpdate” value* could be set to 0 or 1 (to enable or disable the “Last Access” updates respectively). In Windows 10 “Redstone 4” (April 2018 Update) and “Redstone 5” (October 2018 Update), this value has new semantics.

* – this value is located in the following registry key: “HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem”.

The “NtfsDisableLastAccessUpdate” value may contain one of the following integers:

  • 0x80000000: User Managed, the “Last Access” updates are enabled,
  • 0x80000001: User Managed, the “Last Access” updates are disabled,
  • 0x80000002: System Managed, the “Last Access” updates are enabled,
  • 0x80000003: System Managed, the “Last Access” updates are disabled.

The most significant bit indicates that the value is using the new semantics. The least significant bit indicates the status of the “Last Access” updates (when set, these updates are disabled), the next bit is set when the “Last Access” policy is in the “System Managed” mode (and it’s set by default).

In the “System Managed” mode, the NTFS driver can enable or disable the “Last Access” updates during the boot (in particular, when the system volume is mounted). The “Last Access” updates are enabled for NTFS volumes when the size of the system volume (which is usually mounted as the “C:” drive) is 128 GiB or less. If the system volume is larger, then the “Last Access” updates are disabled.

The volume size threshold can be modified by writing an integer to the “NtfsLastAccessUpdatePolicyVolumeSizeThreshold” value (in the same registry key as above). The integer must specify the new threshold in GiB (not in bytes). This value doesn’t exist by default.

In the “User Managed” mode, the status of the “Last Access” updates isn’t modified by the system during the boot.

This is it!

Update (2018-12-10):

The NTFS driver doesn’t execute the “System Managed” logic when the product type isn’t equal to VER_NT_WORKSTATION. Thus, this logic isn’t executed on server versions of Windows.

Update (2019-10-09):

It seems that Microsoft disabled the system volume size threshold by default in recent Insider Preview versions of “20H1”. In these versions, the “Last Access” updates are enabled by default regardless of the system volume size.

Published by msuhanov

3 thoughts on “The “Last Access” updates are almost back

  1. Pingback: Week 49 – 2018 – This Week In 4n6
  2. Pingback: Updates | | IT Security News
  3. Pingback: OneDrive and NTFS last access timestamps – My DFIR Blog

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Cancel

Connecting to %s