Last Accessed Timestamps

I was speaking with Microsoft Tech Support recently about some disk performance issues and an interesting point came up. On large NTFS volumes, the Enhanced Write Filter performance can be sped up by making a registry change to disable the last access date/time stamps. This disables the last access information written to each file as it is accessed, resulting in faster disk read-access:

In the Registry, create HKLM\System\CurrentControlSet\Control\FileSystem\Disablelastaccess and set it to 1.

(You can also run an fsutil command in Windows 7/2008: fsutil behavior set disablelastaccess 1)

Microsoft like this idea so much that the default setting in Windows 7 and Windows Server 2008 is to have the last access disabled (something I have verified on my Windows 7 laptop and in a Windows Server 2008 Standard VM).

This has interesting repercussions for security and computer forensics personnel. If nothing else, if left with the default settings, it removes a tool from the investigation arsenal.
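For investigators, the practical consequence is to record the setting before relying on any last-access value. The PowerShell below is an added example, not part of the original post: it reads the setting with the fsutil query form of the command above and attaches the result to a file timestamp listing. The function names and the evidence path in the usage comment are hypothetical, and only the values 0 and 1 are interpreted.

```powershell
# Added example: capture the last-access setting before trusting LastAccessTime.
function Get-LastAccessSetting {
    # Query form of the fsutil command quoted in the post; may need an elevated prompt.
    $raw = (& fsutil.exe behavior query disablelastaccess 2>&1 | Out-String).Trim()
    if ($raw -notmatch '=\s*(\d+)') {
        throw "Unexpected fsutil output: $raw"
    }
    $value = [int]$Matches[1]

    # 1 = updates disabled (the setting described in the post), 0 = updates enabled.
    # Any other value is left uninterpreted ($null) rather than guessed at.
    $maintained = switch ($value) {
        0       { $true }
        1       { $false }
        default { $null }
    }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        CheckedAtUtc         = (Get-Date).ToUniversalTime().ToString('o')
        RawOutput            = $raw
        Value                = $value
        LastAccessMaintained = $maintained
    }
}

function Get-FileTimeline {
    param([Parameter(Mandatory)][string]$Path)

    # Read the setting once so every row carries the same context.
    $setting = Get-LastAccessSetting

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Select-Object FullName, CreationTimeUtc, LastWriteTimeUtc, LastAccessTimeUtc,
            @{ Name = 'LastAccessMaintained'; Expression = { $setting.LastAccessMaintained } }
}

# Usage (hypothetical evidence path):
#   Get-LastAccessSetting | Format-List
#   Get-FileTimeline -Path 'D:\Evidence\Users' | Export-Csv timeline.csv -NoTypeInformation
```

The result describes the setting only at the moment of the check. A value of 0 today does not show that last-access updates were enabled for the whole period under investigation.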
