What’s the difference between LastWriteTime and ChangeTime in FILE_BASIC_INFO?


The FILE_BASIC_INFO structure contains a number of fields which record the last time a particular action occurred. Two of the fields seem to describe the same thing.

Last­Write­Time
The time the file was last written to.

Change­Time

The time the file was changed.

What's the difference between writing to a file and changing it?

I'm told that the difference is metadata. The Last­Write­Time covers writes to the file's data stream (which you accomplish via the Write­File function). On the other hand, the Change­Time also includes changes to the file metadata, such as changing its file attributes (hidden, read-only, etc.) or renaming the file.

(And don't forget that Last­Access­Time updates are off by default now.)

Comments (9)
  1. Dan Bugglin says:

    I'm guessing ChangeTime also covers Alternate Data Streams, which are usually also considered metadata.

  2. Joshua says:

    Change Time is inherited from UNIX and if it cannot be reset like UNIX, it is a good way of asking the OS whether somebody has been tampering with the file.

    It is normally the last time file attributes were changed, and since last write time is an attribute, …

    Exercise for the reader: why does changing last access time not change the change time?

  3. tonyr says:

    if lastaccesstime is off by default and you have an application that reads this info what modifications to the app canneed to be changed to in order to get the last access time, other then just enabling last access time or is that the only option.  Is there some other structurevalue that we should be reading?

    [Remember the rationale for disabling lastaccess time. That should answer your question. -Raymond]
  4. configurator says:

    @tonyr: How would the OS know? If it doesn't track data, it's gone. To know when a file was accessed, you need to enable this feature, before the file is accessed.

  5. Dave says:

    @Joshua, count the updating of LastAccessTime as a change? That's just crazy talk.

  6. tonyr says:

    @configurator, yep knew that, it was a stupid ? on my part!

  7. Dan says:

    @Joshua then ChangeTime would be a useless field since it would always reflect lastaccesstime when lastaccesstime updating is on.

    Also any of these fields can be modified at will.  There are tools to do it, plus the super determined can always boot off a Linux CD and modify the values, whether they use specialized tools or just a hex editor on the raw disk.  No OS-level restrictions will make any difference.

  8. Jim says:

    @Dan

    How does the super determined but non-root remote user with a file on my file server boot it off a Linux CD or other wise do anything other than access their files how I want them to?

  9. Jim Lyon says:

    @Dan: "Any of these fields can be changed at will."

    Actually, I discovered a while ago that an attempt to set the ChangeTime counts as a change, and immediately sets the ChangeTime to the current time.  I don't know whether this is considered a feature or a bug. But it is a fact, at least for NTFS.

    (Dan's other point is of course true: if you go around the file system, you can change anything.)

Comments are closed.

Skip to main content