Ping a Specific Port

Question

Oleg Vazhnev

Asked: 2012-01-20 21:58:50 +0800 CST2012-01-20 21:58:50 +0800 CST 2012-01-20 21:58:50 +0800 CST

How can I know when a file was last read or accessed on Windows?

772

I need to determine if a particular file was accessed in the last, say, 2 days.

Is this possible on Windows Server 2008 R2?

4 Answers

Voted

murisonc · Answer 1 · 2012-01-21T09:44:02+08:00

murisonc

2012-01-21T09:44:02+08:002012-01-21T09:44:02+08:00

Actually there is a way but it's been disabled by default since Vista/2008 and I just verified it's disabled by default in Win7/2008R2.

The registry setting NtfsDisableLastAccessUpdate located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem now defaults to 1 for performance purposes. If you change that to a 0 then NTFS will update the LastAccessTime property of the file/folder.

You can see this value by looking at the properties of the file/folder or you can pull the information with a PowerShell script. Make sure you test first though to ensure the performance hit isn't too bad.

Also NTFS won't always update the information immediately. According to Microsoft:

The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access.

9

SpacemanSpiff · Answer 2 · 2012-01-20T22:09:54+08:00

Best Answer

SpacemanSpiff

2012-01-20T22:09:54+08:002012-01-20T22:09:54+08:00

After that fact? No, I do not believe so unless an auditing ACL was inherited from a parent or set directly on the file for the "read file" permission. If you DO enable file system auditing, you can then look at the security logs to find this information which most people will pipe or transfer to some kind of tool for parsing.

You can also take a look at using something like Tripwire for maintaining file integrity if that becomes a goal.

7

Cocowalla · Answer 3 · 2012-01-31T07:56:33+08:00

Cocowalla

2012-01-31T07:56:33+08:002012-01-31T07:56:33+08:00

As @murisonc pointed out, NTFS volumes on Windows can track the last access time, they just don't by default, and it is easily enabled by setting a registry key.

You can combine this with a file integrity monitoring tool, such as Verisys or Tripwire, which can provide automated alerting and reporting.

Filesystem auditing tools may be an option too, though many rely on enabling object auditing, which can kill performance. Some others rely on filesystem filter drivers instead, but these drivers can be a bit flakey.

5

Tom · Answer 4 · 2012-01-21T06:44:52+08:00

Tom

2012-01-21T06:44:52+08:002012-01-21T06:44:52+08:00

This Guide should do the trick to enable audit on a file: http://www.discoveryourpc.net/2010/01/auditing-access-to-files-on-windows-7.html

It's for Windows 7 but is almost identical to 2008.

You could also use group policies for this. But as you stated you are not a professional admin this would not be the way for you.

You need to add a user or group to audit. I recommend adding the same group which has access on the parent folder.

You have to inform the users what you audit. In your case "file access". If you don't inform them the auditing could be illegal.

0

How can I know when a file was last read or accessed on Windows?

Can you pass user/pass for HTTP Basic Authentication in URL parameters?

Ping a Specific Port

Check if port is open or closed on a Linux server?

How to automate SSH login with password?

How do I tell Git for Windows where to find my private RSA key?

What's the default superuser username/password for postgres after a new install?

What port does SFTP use?

Command line to list users in a Windows Active Directory group?

What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

How to determine if a bash variable is empty?