Accessed Time - what actions cause it to be updated?

Restoring from a backup will change it.

Can anyone cite specific example actions that cause accessed time to be updated? I am looking for actions other than virus scans … more along the lines of user activity like opening a file, etc.

Have you checked the UserAssist keys? RecentDocs? ACMru? Opening the file for any reason, using the file's associated application to read it, or just running a search over the drive/folder may all be responsible for modifying the last accessed time.

Rather than looking for all of the actions that might have caused this, why not try to narrow that down a bit?

Does anyone know a source? Can anyone cite specific example actions that cause accessed time to be updated? I am looking for actions other than virus scans … more along the lines of user activity like opening a file, etc.

I suspect that's the wrong approach.

Last Accessed Time is closely connected to file system events … not user events. Trying to build a bridge from one to the other is likely to be a very messy business, particularly as it is depends on the software you are running, and the 'style' of the programmer(s) who created it. Software writers are not particularly known for doing everything the same (or even the right) way.

I think the first signal to change LastAccessTimes is sent when the Windows CreateFile() (or a near relative) is called, and subsequent signals are sent when the handle returned from that function is passed to other Windows functions, including CloseHandle(). But I have found very little direct documentation to support this.

Working the other way, and figuring out for what reason someone calls these functions feels a bit like trying to run Conways Game of Life backwards.