Preventing ‘Last Access’ Chatter

The NTFS file system comes with some way cool features. Unfortunately, not all of these features are beneficial in some embedded systems. When used with EWF, one NTFS feature that is typically not desirable is "Last Access" logging. This feature keeps track of when a file or folder was last accessed as a result of either a read or a write operation.
The NTFS file system keeps a Last Access Time attribute for each file and folder on the volume. When a file is access, this attribute is updated in memory and then later the attribute is written, with a delay of up to one hour, to two places on the disk. In addition to writing this value to the file's attribute, it is also written to the Master File Table (MFT) record.
For a flash based volume, one would like to minimize the number of writes made to the volume so that the life of the memory is maximized. In many systems a RAM based EWF overlay is used for this purpose. But with the NTFS file system logging every access to every files and folders on a volume, the RAM overlay could be quickly consumed.
Not to worry, there is a way to disable the Last Access logging. And, it's not particularly painful. All you need to do is to create the following registry key on your run-time image:

Key Name: HKEY_LOCAL_MACHINE\SYSTEM \CurrentControlSet \Control\ FileSystem
Name: NtfsDisableLastAccessUpdate
Value: 1

Although disabling this feature will significantly "quiet" the NTFS file system driver, this isn't the only performance enhancement you should consider. For a full list of EWF performance considerations, please read this link.
For general information on optimizing NTFS performance, you might want to read this article.

- Jim

*Updated 7/16/18- updated last hyperlink

Comments (0)

Skip to main content