
I have a third-party application installation program that installs a sys file in the folder C:\WINDOWS\system32\drivers. I want to get the actual date it was placed on the file system, ultimately programmatically, so that I can write a tool that shows driver files that were added following installation of the operating system.

Unfortunately the Date Created timestamp for the sys file shown in Windows Explorer is in the past and does not correctly show the date the file was placed on the file system (it is a few years ago). As yet I don't know how a file can be placed on the file system with a created date in the past. Nevertheless I expect GetFileTime to return this same information.

How do I get the actual date the file was added to the (NTFS) file system? Is this possible even?

I've had a look at "How to get date/time when file was placed in a directory on Windows?" but this does not help.

fractor
  • There are system calls to overwrite every date that the file system keeps track of, so there's no guaranteed way to get what you ask. Windows will copy the creation date of a file when you copy it from one disk to another for example. – Mark Ransom Dec 04 '18 at 16:33
  • @MarkRansom So we're thinking the old (wrong) date must have been written following the file being placed on the file system? i.e. When the file was originally placed it had the correct created date, but the installer then overwrote that date? – fractor Dec 04 '18 at 16:40
  • An installer is certainly capable of changing the creation date. I've seen file dates changed to an arbitrary value just for versioning, so all the files installed have the same date and time. – Mark Ransom Dec 04 '18 at 16:47
  • NTFS has two sets of time, in the "standard information" ($SI) and "file name [information]" ($FN) attributes. The $SI times are used by Windows Explorer (etc), while Windows plays the $FN attributes closer to the vest. I _believe_ that the $FN create time will give you what you want, unless the installer did something really weird. Sorry I can't give you a programmatic solution. Just pointing out a direction that may help. – s.co.tt Dec 06 '18 at 20:31
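The $SI / $FN distinction raised in the last comment, shown as an added example that is not part of the original thread: it reads both creation times from a single raw MFT FILE record and flags the case from the question, where the Explorer-visible date is older than the $FN one. It assumes the standard resident-attribute layout with update-sequence fixups already applied; the sample record, its dates and the name `example.sys` are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF  # attribute type codes

def to_filetime(dt):
    """datetime -> 100 ns ticks since 1601 (whole seconds only)."""
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def created_times(record):
    """Creation times from one MFT FILE record, as {'SI': dt, 'FN': dt}.
    Assumes fixups are already applied and both attributes are resident."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 20)[0]  # first attribute offset
    out = {}
    while off + 24 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen == 0:
            break
        body = off + struct.unpack_from("<H", record, off + 20)[0]
        if atype == SI:      # created time is the first field of $SI
            out["SI"] = from_filetime(struct.unpack_from("<Q", record, body)[0])
        elif atype == FN and "FN" not in out:  # follows 8-byte parent ref
            out["FN"] = from_filetime(struct.unpack_from("<Q", record, body + 8)[0])
        off += alen
    return out

def si_predates_fn(times):
    """True when the Explorer-visible ($SI) created time is older than $FN's."""
    return times["SI"] < times["FN"]

def _attr(atype, body):
    pad = b"\0" * (-len(body) % 8)  # attributes are 8-byte aligned
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body) + len(pad), 0, 0, 0,
                       0, 0, len(body), 24, 0, 0) + body + pad

def sample_record():
    """Constructed record: $SI created 2015-03-01, $FN created 2018-12-04."""
    old = to_filetime(datetime(2015, 3, 1, tzinfo=timezone.utc))
    new = to_filetime(datetime(2018, 12, 4, tzinfo=timezone.utc))
    name = "example.sys".encode("utf-16-le")  # hypothetical file name
    si = struct.pack("<4Q", old, old, old, old) + b"\0" * 16
    fn = struct.pack("<Q4QQQIIBB", 0, new, new, new, new, 0, 0, 0x20, 0, len(name) // 2, 1) + name
    hdr = b"FILE" + b"\0" * 16 + struct.pack("<H", 56) + b"\0" * 34
    return hdr + _attr(SI, si) + _attr(FN, fn) + struct.pack("<II", END, 0)
```

On a real volume the record bytes would come from an exported $MFT or a forensic image, which requires administrative access to the raw volume.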
