How do I access a file without changing Last Access time?

How do I access a file without changing Last Access time?

Post by Ym9iazEyMz » Wed, 07 Oct 2009 21:25:02


I found that after I open a file I can use SetFileTime with a -1 in the Last
Access time, which will preserve the Last Access time.

The problem I have with doing that is I need to open the file with
FILE_WRITE_ATTRIBUTES permission, since the SetFileTime does actually modify
an attribute of the file. I would like to find a way to do this without
opening the file with any type of WRITE access. The reason is when I do a
SetFileTime, it will update the USN of the file (Update Sequence Number in
the NTFS journal). This can cause re-indexing of the files depending on
applications loaded.

It appears that the new anti-virus from MS (Security Essentials) seems to
preserve the last access MAGICALLY during a file scan. It opens the files
with read access only, reads the files, closes them and the last access never
updates (as you would hope). In using Process Monitor I never see it call
SetFileTime. In fact, it seems to open each file 3 times, with only read
access.

Any ideas?

Thanks,
Bob
 
 
 

How do I access a file without changing Last Access time?

Post by Jochen Kal » Wed, 07 Oct 2009 21:34:11

Hi bobk123456!



Maybe they are using "FILE_FLAG_BACKUP_SEMANTICS" during CreateFile...
But I have not tested this...

You can use the APILogger to display the API Parameters of any process:
See:
http://www.yqcomputer.com/

--
Greetings
Jochen

My blog about Win32 and .NET
http://www.yqcomputer.com/

 
 
 

How do I access a file without changing Last Access time?

Post by Ym9iazEyMz » Wed, 07 Oct 2009 22:37:01

Hi Jochen,

Thanks for your quick reply.

I also use BACKUP_SEMANTICS but it doesn't affect last access.

Very interesting about API logger. It seems to provide a lot more info than
process monitor. The problem I have is I can't find any way to attach to an
already running process. The MS antivirus is a service that is already
running and cannot be started from the command prompt. Is there a way to
attach to a service?

Thanks,
Bob
 
 
 

How do I access a file without changing Last Access time?

Post by Leo Davids » Thu, 08 Oct 2009 01:26:01

On Oct 6, 1:25m, XXXX@XXXXX.COM


Keep in mind that the OS can be "lazy" about updating the accessed
timestamp. I think, though I may be mis-remembering, that Vista and 7
default to never updating it at all while XP only updates it if the
file hadn't been accessed for an hour or two.

That can make it difficult to tell what other programs are doing to
the timestamp and whether they're doing it on purpose or not.

Because of this I've long considered the access timestamp a useless,
legacy attribute except on carefully controlled/configured systems.
Anything that relies on it probably isn't going to work very well so
it rarely seems worth trying to preserve the attribute. Fair enough if
you want or need to, though. Just wanted to mention this stuff in case
it helps as it can be pretty confusing trying to understand how/when/
why the timestamp is updated just by looking at what happens to it.
 
 
 

How do I access a file without changing Last Access time?

Post by Ym9iazEyMz » Thu, 08 Oct 2009 02:32:01

Leo,

It can certainly take up to an hour for the Last Accessed time to be updated.

HSM applications, such as Bridgehead or DiskXtender use Last Accessed time
to determine if a file is inactive. They typically create rules such that if
a file is not accessed for a length of time, its contents are moved to
offline storage. A program such as a virus scan or backup must not change the
last access time, otherwise it will appear that all of the files are active.

Thanks,
Bob
 
 
 

How do I access a file without changing Last Access time?

Post by Jochen Kal » Thu, 08 Oct 2009 02:38:03

Hi bobk123456!


As Leo said:
This feature is disabled starting with Vista!
http://www.yqcomputer.com/


--
Greetings
Jochen

My blog about Win32 and .NET
http://www.yqcomputer.com/
 
 
 

How do I access a file without changing Last Access time?

Post by Ym9iazEyMz » Thu, 08 Oct 2009 04:40:01

Isn't that interesting. I knew about that registry flag but I never thought
it would be disabled by default.

I checked also Windows 7, Server 2008 and Server 2008R2. All of them have
this disabled by default.

Thanks,
Bob