Is it possible to determine when a NTFS partition was created?

16

2

We have a client where it would be very useful to determine WHEN a drive was initialized or an NTFS partition created. Is there a timestamp value somewhere? If anyone could shed any light on this it would be greatly appreciated.

Thanks!

-slashp

slashp

Posted 2012-01-11T17:54:50.973

Reputation: 515

Just an idea but could you reverse the volume UUID computation to get a date/time? (I don't know how the UUID is generated so it would take some research to find out and it may not be possible at all.) – Chris Nava – 2012-01-11T18:24:16.967

@ChrisNava: The unique ID used in NTFS is not a 128-bit UUID but a random 64-bit number. (Besides, modern systems do not generate type 1 time-based UUIDs either; type 4 random-based UUIDs are preferred for privacy. If it were a type 1 UUID, though, then there would not be any computation to reverse; the timestamp is stored in plain sight.) – user1686 – 2012-01-11T18:41:27.430

Answers

17

Yes. You can even do it over a LAN.

The CIFS transaction is TRANS2_QFSINFO and the information level is SMB_QUERY_FS_VOLUME_INFO. The native Windows NT API function for querying a volume's creation time is ZwQueryVolumeInformationFile(), which yields a FILE_FS_VOLUME_INFORMATION data structure (almost identical to the CIFS one, note) when asked for the FileFsVolumeInformation class of information. Testing that this query works is part of the IFS tester that Microsoft supplies to driver developers.

Interestingly, no-one appears to have written a handy utility that just queries a volume and prints its creation timestamp in human readable form.[1] The nearest that you are going to get as far as I can tell is to crank up SysInternals' procmon tool and look for the volume information queries streaming by. Perhaps someone reading this will be inspired to create an enhanced vol command.

Yes, the volume creation timestamp is properly initialized, and isn't just set to zero or some other constant. I haven't checked, but my educated guess for the storage location of this information is the $STANDARD_INFORMATION attribute of the $Volume MFT entry. I can think of three other possible places, but that's the most logical one.


[1] grawity's utility just needs a little more polish, including simple uses of FileTimeToSystemTime() and GetTimeFormat(), to make it usable for end-users that cannot decode Win32 timestamps in their heads. ☺

JdeBP

Posted 2012-01-11T17:54:50.973

Reputation: 23 855

Wow, I give you a +1 for this answer because it was exactly what I was looking for. Unfortunately, I am not a Win32 API programmer with knowledge of the system internals and was looking for a quick solution. Good thought with the procmon. Thanks though!!! – slashp – 2012-01-11T20:34:06.220

7

Something like this? (ugly code warning)

– user1686 – 2012-01-11T21:38:32.297
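Added example (not code from the answer above, and not grawity's utility, which is not reproduced on this page): a Python decoder for the FILE_FS_VOLUME_INFORMATION structure that the FileFsVolumeInformation query returns, plus a Windows-only wrapper that issues the query through ntdll's NtQueryVolumeInformationFile (the user-mode name of the Zw* routine named in the answer) via ctypes. The field offsets and the FS_INFORMATION_CLASS value 1 are taken from the public NT DDK definitions; the sample buffer, label and serial number are constructed for illustration.

```python
import ctypes
import struct
from datetime import datetime, timedelta, timezone

FileFsVolumeInformation = 1          # FS_INFORMATION_CLASS value for this query
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME / LARGE_INTEGER (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_fs_volume_information(buf):
    """Decode a raw FILE_FS_VOLUME_INFORMATION buffer. Field offsets (little-endian):
        0  LARGE_INTEGER VolumeCreationTime      8  ULONG VolumeSerialNumber
       12  ULONG VolumeLabelLength (in bytes)   16  BOOLEAN SupportsObjects, then 1 pad byte
       18  WCHAR VolumeLabel[]"""
    if len(buf) < 18:
        raise ValueError("buffer too short for FILE_FS_VOLUME_INFORMATION")
    created, serial, label_len, objects = struct.unpack_from("<qIIB", buf, 0)
    label = buf[18:18 + label_len].decode("utf-16-le", errors="replace")
    return {"creation_time": filetime_to_datetime(created), "serial": serial,
            "label": label, "supports_objects": bool(objects)}

def query_volume_creation(root):
    """Windows only: open a volume root such as r'C:\\' and ask the NT API for
    FileFsVolumeInformation; the raw buffer is decoded by parse_fs_volume_information()."""
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    ntdll = ctypes.WinDLL("ntdll")
    k32.CreateFileW.restype = wintypes.HANDLE
    k32.CreateFileW.argtypes = [wintypes.LPCWSTR, wintypes.DWORD, wintypes.DWORD, ctypes.c_void_p,
                                wintypes.DWORD, wintypes.DWORD, wintypes.HANDLE]
    ntdll.NtQueryVolumeInformationFile.restype = ctypes.c_long      # NTSTATUS
    ntdll.NtQueryVolumeInformationFile.argtypes = [wintypes.HANDLE, ctypes.c_void_p, ctypes.c_void_p,
                                                   wintypes.ULONG, ctypes.c_int]
    # FILE_READ_ATTRIBUTES, share read+write, OPEN_EXISTING, FILE_FLAG_BACKUP_SEMANTICS (required for a directory)
    h = k32.CreateFileW(root, 0x80, 3, None, 3, 0x02000000, None)
    if h == wintypes.HANDLE(-1).value:
        raise ctypes.WinError(ctypes.get_last_error())
    buf = ctypes.create_string_buffer(18 + 32 * 2)   # NTFS labels are at most 32 WCHARs
    iosb = (ctypes.c_void_p * 2)()                     # IO_STATUS_BLOCK: two pointer-sized fields
    status = ntdll.NtQueryVolumeInformationFile(h, iosb, buf, ctypes.sizeof(buf), FileFsVolumeInformation)
    k32.CloseHandle(h)
    if status < 0:   # negative NTSTATUS is failure; STATUS_BUFFER_OVERFLOW (positive) only truncates the label
        raise OSError(f"NtQueryVolumeInformationFile failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return parse_fs_volume_information(buf.raw)

# Constructed sample (not captured from a real volume): label "DATA", serial 0x1A2B3C4D,
# VolumeCreationTime = 2012-01-01 00:00:00 UTC expressed in 100 ns ticks since 1601.
_LABEL = "DATA".encode("utf-16-le")
SAMPLE_BUFFER = struct.pack("<qIIBx", 129698496000000000, 0x1A2B3C4D, len(_LABEL), 1) + _LABEL
```

On Windows, `query_volume_creation(r"C:\")` returns the same dictionary for a live volume; elsewhere `parse_fs_volume_information(SAMPLE_BUFFER)` exercises the decoder offline.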

8

There is no "volume creation date" that I know of built-in to NTFS. However, you should be able to approximate the creation date quite closely by looking at the creation date of the System Volume Information directory in the root of the volume.

Andrew Lambert

Posted 2012-01-11T17:54:50.973

Reputation: 7 136

This gives me a very good approximation. Thank you for your quick response! Now I know who to blame for the drive not being included in our backups :). – slashp – 2012-01-11T18:44:12.687

0

This is exposed somewhere. If you boot up a Windows XP CD and access the recovery console, the version of chkdsk there will print out the volume creation date after it is finished running.

Aaron

Posted 2012-01-11T17:54:50.973

Reputation: 349