Interesting situation here.
Hard drive has, say, 4k files accessed at exactly the same time, but all the other files are accessed days before.
So like 6k files accessed 9/10/08 @ 1000AM. Win XP. Case is over with now, and I don't have access to the computer, as this was not the focal point, so it wasn't investigated further. Computer was supposed to be locked in IT director's office and not to be turned on at all after say 8/20/08 @ Noon.
The files are all across the place, so it's not like very specific files were accessed.
Some path examples:
Local Settings\Temp
\Favorites\Comcast
My Documents\info\Jeanes Info\e-mail
My Documents\My Pictures\various pictures\Manchester goal.jpg
\Administrator\Recent\daily inventory (2).lnk
\Administrator\Desktop\Business plan\cutco knives\
I show you this because of the diverse nature of the locations of files.
However, with only several thousand files being touched, many more on the computer, in fact the majority (90%), were not.
Any ideas as to what might cause this? I can't imagine a defrag being selective in deep and very different directories. Or a partial AV scan.
I do not have access to the machine so I can't go back and grab any logs, just looking for off the top of your head ideas.
Given that this is XP, there are a number of possibilities…
One would be an AV scan. Another might be a limited defrag…XP runs one of these by default every three days. Another might be backup. Or there might be some other application at work here. Or it could be from a shutdown, or a Restore Point being created.
Without more information, and you being able to go back and do some further analysis (I know you said you can't), any responses are going to be speculation, most of which will be baseless. Sorry.
Given that this is XP, there are a number of possibilities…
Can XP switch on itself? 😯
Computer was supposed to be locked in IT director's office and not to be turned on at all after say 8/20/08 @ Noon.
First possibility IMHO is that no matter what the computer was supposed to be in theory, someone in practice switched it on when they should not have. 😉
jaclaz
In my mind I went through the limited defrag and the AV scan, but then thought that it scans a My Documents file (but not the entire directory) and then scans temp, moves on over to a specific software folder like
program files\widget software\
You'd spend days picking specific directories and files to be scanned while saying scan 2 documents in this folder, but forget about the 1k others.
Harlan, thanks for the reply.
Baseless is OK; this is more of a "things that make you say hmmmm" type thing.
Just throw out any ideas you have, I'm willing to set up something and attempt to test.
AV or defragmentation tools would be my first suspects but, as Harlan suggests, more info would be needed to come to any supportable conclusion. I wouldn't discount their use on the basis that the order of the access dates of files does not correlate with their locations in the folder hierarchy.
I understand that you can't look at the original source again, but do you have a complete file listing among your case records? If so, you could look for other artifacts with timestamps around the relevant time (in the case of AV or defragmentation tools I'm thinking particularly of dates on prefetch files, associated program files, logs etc).
Wake on LAN? Some apps also (BigFix, Vontu) can force a wake-on state…
Hi,
I was thinking something like that, but to only access very specific files was just too weird for that. It would have to wake up and only want to touch those files and leave the vast majority alone.
Thank you for all help.
Without additional information and more specific information, we can only speculate about the possibilities.
Did you check if all the accessed files had the exact same timestamp? I mean, did they all have 1000xx AM precisely, or was it between 100000 and 100059?
I would not rule out that the machine was indeed turned on. Maybe not directly; maybe the HD was pulled out and plugged into another computer for viewing, so you don't see the usual boot signs.
Another possibility is that earlier someone may have changed the system clock, moved it forward and then back to normal. Event logs should confirm any such behavior if it was changed from within Windows.
Or maybe a combination of the above two, with clock different on second computer.
There are a few such oddities found to occur with Sleep/Hibernate and wake on LAN, as also suggested by a few others, but since the interval is big and the computer was at least supposed to be turned off, they seem unlikely.
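Two checks raised in the replies above can be run against a retained file listing: whether the burst shares one identical access timestamp or spreads across a minute, and whether prefetch or log entries carry timestamps near it. The sketch below is an added example, not code from any poster; the CSV column layout, the suffix list and the 60-second/10-minute thresholds are assumptions, and the listing is constructed sample data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample listing (not from the case): path plus access/create/modify times.
LISTING = r"""path,accessed,created,modified
My Documents\a.doc,2008-09-10 10:00:03,2008-01-05 09:00:00,2008-08-01 12:00:00
My Documents\My Pictures\b.jpg,2008-09-10 10:00:03,2008-02-11 16:30:00,2008-02-11 16:30:00
Local Settings\Temp\c.tmp,2008-09-10 10:00:41,2008-08-19 08:15:00,2008-08-19 08:15:00
Favorites\d.url,2008-09-10 10:00:58,2008-03-02 11:00:00,2008-03-02 11:00:00
My Documents\old1.doc,2008-08-15 14:20:00,2008-04-01 10:00:00,2008-08-15 14:20:00
My Documents\old2.doc,2008-08-18 09:05:00,2008-05-01 10:00:00,2008-08-18 09:05:00
WINDOWS\Prefetch\EXAMPLE.EXE-00000000.pf,2008-09-10 09:55:00,2008-07-01 08:00:00,2008-09-10 09:55:00
WINDOWS\system32\config\SysEvent.Evt,2008-08-20 11:55:00,2008-01-01 00:00:00,2008-08-20 11:55:00
"""
FIELDS = ("created", "modified", "accessed")
ARTIFACT_SUFFIXES = (".pf", ".log", ".evt")  # assumed hints: prefetch, logs, XP event logs

def load(text):
    rows = list(csv.DictReader(io.StringIO(text.strip())))
    for row in rows:
        for f in FIELDS:
            row[f] = datetime.strptime(row[f], "%Y-%m-%d %H:%M:%S")
    return rows

def largest_burst(rows, max_gap=timedelta(seconds=60)):
    """Largest run of files whose access times are chained by gaps <= max_gap."""
    best, cur = [], []
    for row in sorted(rows, key=lambda r: r["accessed"]):
        if cur and row["accessed"] - cur[-1]["accessed"] > max_gap:
            best, cur = max(best, cur, key=len), []
        cur.append(row)
    return max(best, cur, key=len)

def describe(burst):
    """Is it one identical timestamp, or a spread (e.g. 10:00:00 to 10:00:59)?"""
    times = sorted(r["accessed"] for r in burst)
    return {"files": len(burst), "start": times[0], "end": times[-1],
            "spread_s": (times[-1] - times[0]).total_seconds(),
            "distinct_stamps": len(set(times))}

def nearby_artifacts(rows, start, end, window=timedelta(minutes=10)):
    """Prefetch/log-type entries with any timestamp close to the burst."""
    lo, hi = start - window, end + window
    return [(r["path"], f, r[f]) for r in rows
            if r["path"].lower().endswith(ARTIFACT_SUFFIXES)
            for f in FIELDS if lo <= r[f] <= hi]

if __name__ == "__main__":
    rows = load(LISTING)
    info = describe(largest_burst(rows))
    print(info)
    for hit in nearby_artifacts(rows, info["start"], info["end"]):
        print(hit)
```

A spread of several seconds with multiple distinct stamps points to a process walking files in sequence, while a single identical stamp across thousands of files is harder to explain that way.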