Hi all,
I'm planning to finalise FAT to my ForGe project (http://articles.forensicfocus.com/2013/10/18/forge-computer-forensic-test-image-generator/)
The only missing part is timestamp modification based on disk actions (for example emulating copy, read, write, file creation, move etc). I am positive I've read an article somewhere about how timestamps change if a Windows computer makes these modifications but I can't easily find anything right now.
Does anyone have any pointers? I can of course test it but I'm quite sure this has been researched already.
Hannu
What exactly is it you are trying to emulate? Windows system calls? (CreateFile, ReadFile, WriteFile, …) DOS system calls? Or higher-level operations, like Windows Shell GUI copy etc? Or perhaps at intermediate levels, such as .NET? Or perhaps even FAT-implementations on other platforms?
They need not be the same. Windows Shell, for example, is known for adding additional behaviour on top of the basic file system operations, particularly when file copying is involved.
If you have decided on the WinAPI level, you may have lots of other system calls to take into account, as well – see the list of File Management functions, as well as Directory Management, and not impossibly others. (Some you will undoubtedly have to research yourself – or you may miss difficult-to-find side effects. For example – does the file allocation change as a side effect? Or the order of file entries in a directory? Or the contents of the free list? Or … ? For example, I know that file encryption in NTFS creates a temporary file in the same directory which is then deleted. That kind of change may be present also in FAT-related situations.)
As you restrict yourself to timestamps, however, keep in mind that much of the published research is performed on a Shell level. That is, the reported effects are not only due to a particular file system, but also to Windows Shell effects. Also, I can't think of anything for FAT – Rob Lee's fairly recent SANS blog article is on NTFS, for example.
Thanks.
What I'm trying to do here is not truly an exact science. I know different APIs and interfaces handle timestamps differently. For me it is important only to choose one and use it consistently to implement a couple of different operations and definitely not all of them.
Hannu
Maybe (just maybe) you are referring to KB299648
http://support.microsoft.com/kb/299648/en-us
There is also this nice graphically summed up article here
http://digfor.blogspot.it/2008/10/time-and-timestamps.html
jaclaz
Thanks. I still need to test how renaming a file works but this was very helpful.
Hannu
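Putting the thread's conclusion into code, as an added example that is not from the original posts or from the ForGe project: a small Python model of the timestamps a FAT directory entry can actually hold, with their native granularity, plus one consistent set of rules for create/read/write/copy/move in the "choose one and use it consistently" spirit Hannu describes. The FAT granularities follow the FAT specification's directory-entry fields; the action rules (Explorer-style copy/move semantics as KB299648 describes them, rename treated as a same-volume move) and the sample instants are assumptions, not behaviour verified on FAT in this thread.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class FatTimestamps:
    """The three timestamps a FAT directory entry holds."""
    created: datetime   # DIR_CrtDate/DIR_CrtTime + DIR_CrtTimeTenth: 10 ms units
    written: datetime   # DIR_WrtDate/DIR_WrtTime: 2-second units
    accessed: datetime  # DIR_LstAccDate: date only


def fat_created(t):  # truncate to 10 ms, the finest unit DIR_CrtTimeTenth can express
    return t.replace(microsecond=t.microsecond // 10000 * 10000)


def fat_written(t):  # truncate to 2 s: DIR_WrtTime stores seconds // 2 in 5 bits
    return t.replace(second=t.second - t.second % 2, microsecond=0)


def fat_accessed(t):  # keep the date only: DIR_LstAccDate has no time-of-day part
    return t.replace(hour=0, minute=0, second=0, microsecond=0)


# Action rules below are an assumed convention (Explorer-style copy/move
# semantics as KB299648 describes them), not behaviour verified on FAT here.
def create(now):
    return FatTimestamps(fat_created(now), fat_written(now), fat_accessed(now))


def write(ts, now):  # content changed: creation time survives
    return FatTimestamps(ts.created, fat_written(now), fat_accessed(now))


def read(ts, now):  # only the access date moves
    return FatTimestamps(ts.created, ts.written, fat_accessed(now))


def copy(src, now):  # new creation time, last-write time carried over
    return FatTimestamps(fat_created(now), src.written, fat_accessed(now))


def move_same_volume(src, now):  # move/rename on one volume: entry keeps its times
    return src


def move_across_volumes(src, now):  # copy-then-delete, so it behaves like copy
    return copy(src, now)


def looks_copied(ts):  # created later than written is the classic copy trace,
    # but allow for the 2 s write granularity, which alone can put created ahead
    return ts.created - ts.written > timedelta(seconds=2)


# Constructed sample instants for a run, not taken from any real image
SAMPLE_NOW = datetime(2013, 10, 18, 14, 30, 33, 456789)
SAMPLE_LATER = datetime(2013, 10, 20, 9, 5, 7, 1)
```

Note that a freshly created entry already shows a creation time later than its write time purely because of the different granularities, which is why `looks_copied` needs the tolerance.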