Hi anyone knows how to determine when a word document was last opened(double click to view it,and then close it by click the cross 'x' without altering anything)
I tested several times but the result is that the 'last accessed time' did not change at all.Instead,it is the entry modified that really changes.Then I refer to some materials which contain the information that the entry modified mean the last time the MFT info was changed.
Interesting thing is that I just double click the file without changing anything,so the MFT information should not be altered.Why is the entry modified changed?
Any suggestions would be appreciated
I tested several times but the result is that the 'last accessed time' did not change at all.
Last access time is a file system time stamp, and depends on how you file system is configured. On Vista and up it has is disabled by default. On previous versions it can be disabled by a registry configuration.
Also, depending on the operating system level, an application can change many Standard Information time stamps at will see the Vista system call SetFileInformationByHandle() , whch allows (as far as I can make out from the documentation) a user to change all standard time stamps. On pre-Vista versions, there's the SetFileTime() call which allows the program to set the creation/last access/last modified time. (I think that last one is what we call last write time, not the entry modified time stamp). There are also device-driver level calls, not intended for application programs, that allows even further changes.
Interesting thing is that I just double click the file without changing anything,so the MFT information should not be altered.Why is the entry modified changed?
Because that's the way this application does things. And you may be mistaken about what should and should not happen.
There is no 'should/should not happen' applications are free to do what they want with the system calls that are available to them. Some do a lot, some don't do a thing.
If you want to study the file system operations in detail to decide exactly what Word does, try Process Monitor from Microsoft SysInternals.
Remember that from the file system's perspective, the MFT record number defines a file if you get a different record number, you've got a different file. Did you verify that the original file and the file left have the same MFT record number in your tests?
If document metadata is not cleaned, you may compare that to what you find in the filesystem.
Small correction regarding SetFileTime, because it will only modify 3/4 SI timestamps. Correct one is NtSetInformationFile. If you're very interested, you may want to look at the source of my "improved" AutoIt version of timestomp; http//
athulinYes, the system configuration is really important,as it did in my caseI failed to reflect the Last Accessed to the Last Opened because I set my registry key value of HKLM\SYSTEM\CurrentCOntrolSet\Control\FileSystem\NtfsDisableLastAccessUpdate to 1. When I changed it back to 0,the last accessed really changed according the the file'd opened time.
You may find what you're looking for via Registry analysis…specifically the RecentDocs key, and the Word MRU keys.
Also, given the scenario, you would likely find a Windows shortcut/LNK file. If the OS is Windows 7, then there would be a Jump List entry, as well.
If you don't find exactly what you're looking for, and you're examining a Vista or above system, consider examining VSCs.