The table below contains the default/most probable observed behaviour depending on Windows version. Be sure to read the notes regarding Windows 7 and Windows 10.
Always verify the value of HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate during triage.
NTFS Last Access Update | |
---|---|
XP | ✔️ |
Vista | ✔️ |
7 | ❌¹ |
8 | ❌ |
8.1 | ❌ |
10 | ❌¹² |
2000 | ✔️ |
2003 | ✔️ |
2008/R2 | ❌ |
2012/R2 | ❌ |
2016 | ❌ |
2019 | ❌ |
- https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc758569(v=ws.10)
- [1] https://dfir.ru/2018/12/16/the-inconsistency-of-last-access-timestamps/
- [2] https://dfir.ru/2018/12/08/the-last-access-updates-are-almost-back/
- https://techcommunity.microsoft.com/t5/storage-at-microsoft/disabling-last-access-time-in-windows-vista-to-improve-ntfs/ba-p/423328