Windows Enterprise Desktop

Apr 18 2019   12:02PM GMT

MFTRCRD64 Shows More NTFS Timestamps

Ed Tittel

File management
Windows 10

Recently, while working on a legal project, I found myself having to explain timestamps for computer files. That’s when I stumbled across Joakim Schicht’s excellent but cryptic Master File Table (MFT) Record decoding tool. While my particular focus was on file timestamps, a quick look at the help file for this command shows that it can do a lot more than display file metadata: it can also dig into and display many aspects of the MFT itself for any NTFS volume. If this is of interest to you, download the tool from GitHub at jschicht/MftRcrd. Here’s what it shows about timestamps when I look at an older install.wim file in a temp directory, for example:

[Screenshot: MFTRCRD64 timestamp output]

In addition to the more usual create and modified timestamps, you also get MFT entry modified and file last access timestamps. Sometimes, when proving dates, all of this info is important.
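As an added illustration (not code from MftRcrd or from this post), the Python below reads those four timestamps from the $STANDARD_INFORMATION attribute of a single MFT record. The sample record is constructed, and the parser assumes a resident attribute and does not apply the update-sequence fixups a full record parser needs.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
SI_TYPE, END_MARK = 0x10, 0xFFFFFFFF                # $STANDARD_INFORMATION, end of attributes
NAMES = ("created", "modified", "mft_entry_modified", "accessed")

def filetime_to_utc(ft):
    """A FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH + timedelta(microseconds=ft // 10)

def si_timestamps(record):
    """Return the four $STANDARD_INFORMATION timestamps of one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]  # offset of first attribute
    while off + 24 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARK or alen == 0:
            break
        if atype == SI_TYPE:
            if record[off + 8]:                      # non-resident flag must be 0
                raise ValueError("$STANDARD_INFORMATION should be resident")
            size, coff = struct.unpack_from("<IH", record, off + 16)
            if size < 32 or off + coff + 32 > len(record):
                raise ValueError("truncated $STANDARD_INFORMATION")
            raw = struct.unpack_from("<4Q", record, off + coff)
            return dict(zip(NAMES, map(filetime_to_utc, raw)))
        off += alen
    raise ValueError("no $STANDARD_INFORMATION attribute")

def build_sample_record():
    """Constructed 1024-byte record for the demo, not taken from a real volume."""
    times = [datetime(2018, 10, 2, 9, 30, tzinfo=timezone.utc),
             datetime(2018, 10, 2, 9, 31, tzinfo=timezone.utc),
             datetime(2019, 4, 17, 15, 0, tzinfo=timezone.utc),
             datetime(2019, 4, 18, 12, 2, tzinfo=timezone.utc)]
    ticks = [(t - EPOCH) // timedelta(microseconds=1) * 10 for t in times]
    content = struct.pack("<4Q", *ticks) + bytes(16)  # 48-byte attribute body
    attr = struct.pack("<IIBBHHHIH2x", SI_TYPE, 24 + len(content),
                       0, 0, 0, 0, 0, len(content), 24) + content
    header = bytearray(56)
    header[:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, len(header))
    return (bytes(header) + attr + struct.pack("<I", END_MARK)).ljust(1024, b"\0")

if __name__ == "__main__":
    for name, when in si_timestamps(build_sample_record()).items():
        print(f"{name:20} {when.isoformat()}")
```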

MFTRCRD64 Shows More NTFS Timestamps … Plus!

Schicht built a very nice interrogation tool for NTFS file metadata (or its equivalent as stored in the MFT), and for on-disk MFT structures themselves. The best way to learn about the command (its readme.txt file is empty: 0 length, that is) is to use the help command — namely:
mftrcrd64 /?
Here’s what that output looks like:

The help file has lots of good examples to guide you into the program’s inner workings. It’s the best way to explore what it can do for you.

More MFT Information

To start learning more about the Master File Table (MFT), check out this MS Windows Dev Center article entitled “Master File Table.” is another great source of information, too. Their MFT section is definitely worth reading as well. The NTFS section in Part 2 of Windows Internals (by Mark Russinovich and others) is also worth a look-see (I’ve got the 6th edition, but the 7th edition is out now, too).
