The table below contains the default/most probable observed behaviour depending on Windows version. Be sure to read the notes regarding Windows 7 and Windows 10.
Always verify the value of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate during triage.
| NTFS Last Access Update | |
|---|---|
| XP | ✔️ |
| Vista | ✔️ |
| 7 | ❌¹ |
| 8 | ❌ |
| 8.1 | ❌ |
| 10 | ❌¹² |
| 2000 | ✔️ |
| 2003 | ✔️ |
| 2008/R2 | ❌ |
| 2012/R2 | ❌ |
| 2016 | ❌ |
| 2019 | ❌ |
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc758569(v=ws.10)
- [1] https://dfir.ru/2018/12/16/the-inconsistency-of-last-access-timestamps/
- [2] https://dfir.ru/2018/12/08/the-last-access-updates-are-almost-back/
- https://techcommunity.microsoft.com/t5/storage-at-microsoft/disabling-last-access-time-in-windows-vista-to-improve-ntfs/ba-p/423328