Windows 11 Time Rules

 

Time rules for certain user file interactions are documented in the SANS red poster, tested on a Windows 10 1903 system. This blog post looks at these same user interactions with files on a Windows 11 22H2 system, with some further testing conducted on a Windows 10 21H2 system to fill in gaps (file copy to same folder, file recycle, ADS tests, and the original file MFT entries for file copy and move actions).

 

Note that actions shown in the red poster were not re-tested; they have simply been listed here for comparison.

Note that you may not get the same outcome for all versions of Windows 10.

 

Key:

- Values that are not highlighted are the same on Windows 10 and Windows 11.

- Values highlighted in an orange background are those that are different in Windows 11 compared to Windows 10.

 

 

| $STANDARD_INFORMATION | File Creation | File Access | File Modification | File Rename | File Copy (copy-paste) to same folder: Original file | File Copy (copy-paste) to same folder: New copy | File Copy (copy-paste) to new folder: Original file | File Copy (copy-paste) to new folder: New copy | Local File Move (cut-paste): New file | Volume File Move (CLI): New file | Volume File Move (cut-paste): Original file record | Volume File Move (cut-paste): New file | File Recycled | File Deletion (shift delete) | Create ADS | Modify ADS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Last modified time | Time of File Creation | No Change | Time of Modification | No Change | No Change | Inherited from original | No Change | Inherited from original | No Change | Inherited from original | No Change | Inherited from original | No Change | No Change | Time of ADS creation | Time of ADS modification |
| Last access time | Time of File Creation | Win 10: Time of Access (No change on NTFS volumes if system volume > 128GB); Win 11: Time of Access | Time of Modification (approx on Win 11) | Win 10: No change; Win 11: Approx Time of Modification | Win 10: Time of File Copy; Win 11: Approx time of File Copy | Time of File Copy (approx on Win 11) | Win 10: Time of File Copy; Win 11: Approx time of File Copy | Time of File Copy | Win 10: No change; Win 11: Time of file move | Time of file move | Win 10: No change; Win 11: Time of file move | Time of file move | No Change | No Change | Time of ADS creation | Time of ADS modification |
| Metadata time | Time of File Creation | No Change | Time of Modification | Time of Modification | No Change | Inherited from original | No Change | Win 10: Time of File Copy; Win 11: Inherited from original | Time of file move | Win 10: Inherited from original; Win 11: Time of file move | Win 10: No change; Win 11: Time of file move | Win 10: Inherited from original; Win 11: Time of file move | Time of recycle | No Change | Time of ADS creation | Time of ADS modification |
| Creation time | Time of File Creation | No Change | No Change | No Change | No Change | Time of File Copy | No Change | Time of File Copy | No Change | Time of file move | No Change | Inherited from original | No Change | No Change | No Change | No Change |

 

 

| $FILENAME | File Creation | File Access | File Modification | File Rename | File Copy (copy-paste): Original file | File Copy (copy-paste): New copy | File Copy (copy-paste) to new folder: Original file | File Copy (copy-paste) to new folder: New copy | Local File Move (cut-paste): New file | Volume File Move (CLI): New file | Volume File Move (cut-paste): Original file record | Volume File Move (cut-paste): New file | File Recycled | File Deletion (shift delete) | Create ADS | Modify ADS |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Last modified time | Time of File Creation | No Change | No Change | Win 10: No change; Win 11: Previous $STD_INFO Last modified time | No Change | Time of File Copy | No Change | Time of File Copy | Win 10: No change; Win 11: Previous $STD_INFO Last modified time | Time of file move | No Change | Time of file move | Win 10: No change; Win 11: Previous $STD_INFO Last modified time | No Change | No Change | No Change |
| Last access time | Time of File Creation | No Change | No Change | Win 10: No change; Win 11: Previous $STD_INFO Last access time | No Change | Time of File Copy | No Change | Time of File Copy | Win 10: No change; Win 11: Previous $STD_INFO Last access time | Time of file move | No Change | Time of file move | Win 10: No change; Win 11: Previous $STD_INFO Last access time | No Change | No Change | No Change |
| Metadata time | Time of File Creation | No Change | No Change | Win 10: No change; Win 11: Previous $STD_INFO Metadata time | No Change | Time of File Copy | No Change | Time of File Copy | Win 10: No change; Win 11: Previous $STD_INFO Metadata time | Time of file move | No Change | Time of file move | Win 10: No change; Win 11: Previous $STD_INFO Metadata time | No Change | No Change | No Change |
| Creation time | Time of File Creation | No Change | No Change | No Change | No Change | Time of File Copy | No Change | Time of File Copy | No Change | Time of file move | No Change | Time of file move | No Change | No Change | No Change | No Change |

 

 

Those access timestamps recorded as approximate were all a few milliseconds to a few seconds different (more often later than earlier) to the time of the actual user action. However, there was no consistency in how big or small a difference there was between the times, so further specifics could not be recorded.

 

UPDATE: I had a student question in FOR500 - does the creation or modification of an Alternate Data Stream (ADS) affect the MFT timestamps?

So... I did some more testing and added the two right-most columns to the table above. The result was the same on Windows 10 21H2 and Windows 11.
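
As an added example (not part of the original post or the SANS poster), the Python code below encodes the $STANDARD_INFORMATION results for actions that update an existing MFT record and lists which actions fit the difference between two snapshots of that record. The snapshot dictionaries, the `candidate_actions` name and the 5-second tolerance for the "approx" values are assumptions, and the timestamps are constructed.

```python
from datetime import datetime, timedelta

FIELDS = ("modified", "accessed", "metadata", "created")
M, A, C = "modified", "accessed", "metadata"

# $STANDARD_INFORMATION fields that change when an action updates an existing
# MFT record, transcribed from the table above. Copies and volume moves are
# left out because they produce a new record. Creation time never changes here.
RULES = {
    "File Access":       {"win10": {A}, "win11": {A}},  # Win 10: may not update (see table)
    "File Modification": {"win10": {M, A, C}, "win11": {M, A, C}},
    "File Rename":       {"win10": {C}, "win11": {A, C}},
    "Local File Move":   {"win10": {C}, "win11": {A, C}},
    "File Recycled":     {"win10": {C}, "win11": {C}},
    "Create/Modify ADS": {"win10": {M, A, C}, "win11": {M, A, C}},
}

def changed_fields(before, after):
    """Names of the $SI timestamps that differ between two snapshots."""
    return {f for f in FIELDS if before[f] != after[f]}

def candidate_actions(before, after, os_name, tol=timedelta(seconds=5)):
    """Actions whose $SI change pattern matches the snapshot difference."""
    changed = changed_fields(before, after)
    if not changed:
        return []
    stamps = [after[f] for f in changed]
    # "Approx" values were within a few seconds of the action (tol is assumed);
    # a wider spread means more than one action touched the record.
    if max(stamps) - min(stamps) > tol:
        return []
    return sorted(a for a, per_os in RULES.items() if per_os[os_name] == changed)

# Constructed snapshots of one record's $SI timestamps.
T0 = datetime(2022, 11, 1, 9, 0, 0)
EVENT = datetime(2022, 11, 3, 14, 30, 0)
BEFORE = dict.fromkeys(FIELDS, T0)
META_ONLY = {**BEFORE, C: EVENT}
META_ACCESS = {**BEFORE, C: EVENT, A: EVENT + timedelta(seconds=2)}

if __name__ == "__main__":
    for label, after in (("metadata only", META_ONLY), ("metadata + access", META_ACCESS)):
        for os_name in ("win10", "win11"):
            print(label, os_name, candidate_actions(BEFORE, after, os_name))
```

Where several actions remain candidates, the $FILENAME table can separate them further on Windows 11, since rename, local move and recycle copy the previous $STD_INFO values into $FILENAME there.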

 

© Khyrenz 2022