Just brushing some dust off the old topic of timestamp manipulation on NTFS. Version 1.0.0.10 of SetMace now implements a kernel mode driver, thus removing a lot of the restrictions put on the previous versions.

reboot.pro/topic/15960-setmace/

Now I think the project has reached a dead end, unless someone else wants to take it further into handling the raw structures of shadow copies..
_________________
Joakim Schicht

github.com/jschicht 

- joakims

Now I think the project has reached a dead end, unless someone else wants to take it further into handling the raw structures of shadow copies..

And then a few more fixes was done, to support MFT record size of 4096 bytes, dumping of timestamps from parent's INDX, as well as fixing an issue with synchronization of $STANDARD_INFORMATION timestamps and those found in the INDX of the parent.

Regarding the latter, it turned out a simple call to NtQueryInformationFile would force Windows to synchronize them.
_________________
Joakim Schicht

github.com/jschicht 

Added support for shadow copy timestamp modification, among other things. Now, also being a PoC for showing how to modify data within a Shadow Copy.
_________________
Joakim Schicht

github.com/jschicht