Does anyone have specifics on what actually changes modified dates on files,
etc. in NTFS?

Thank you!
-Matt

-----Original Message-----
From: Jeff Rosowski [mailto:rosowskiactiveiq.com]
Sent: Thursday, August 16, 2001 11:31 AM
To: fhrcs.urz.tu-dresden.de; FOCUS-MSsecurityfocus.com
Subject: RE: NTFS Access times

That's one of the things I never liked about windows explorer.. When you
enter into a directory it opens every single file and tries to read an icon
for it. Go into a directory with thousands of files in it and you're
machine is out to lunch for awhile. And unfortunately this makes the last
accessed time in NTFS one of the more useless items, since if you're looking
at the files in windows explorer, they are always going to be accessed
recently.

-----Original Message-----
From: Frank Heyne [mailto:fhrcs.urz.tu-dresden.de]
Sent: Wednesday, August 15, 2001 10:43 AM
To: jfolkertsmarketlink.ca; FOCUS-MSsecurityfocus.com
Subject: RE: NTFS Access times

On 15 Aug 2001, at 10:59, jfolkertsmarketlink.ca wrote:

> I am very curious as to why or how
> these files got "touched". At this point I do not suspect that the server
> has been compromised or anything evil.

I did the following:

cd \winnt\system32
dir hal.dll /ta

This showed exactly the current time - I do not know why.

Then I tried it with another dll:

dir h323msp.dll /ta
It showed the install date

But after I viewed the properties of this file in the explorer, the last
access time had changed.

So it would be possible someone did just view the properties of some
files on your system - probably nothing dangerous.

BTW, in your original post, I miss the following information:
How long are you running tripwire? Since 2 days or longer?

BTW, did you know that it is possible to view the content of a file without
changing its last access time under NT?

Frank Heyne

• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]