The “Modified Time” file attribute of NTUSER.DAT changed after a Manual or Scheduled scan
You may find that the “Modified Time” file attribute of NTUSER.DAT has changed after a Manual or Scheduled scan, but Symantec Endpoint Protection did not make the change. When Symantec Endpoint Protection scans the profile, it loads NTUSER.DAT to scan the user registry hive. Symantec Endpoint Protection does not modify NTUSER.DAT; it only loads and scans it.
If you want to confirm that Symantec Endpoint Protection is not changing the timestamp on NTUSER.DAT, use Procmon to record the process activity. Examining the Procmon trace will allow you to validate that Symantec Endpoint Protection is not making the change.
Examine the QueryBasicInformationFile and SetBasicInformationFile operations in the Procmon trace and you will see the LastWriteTime and ChangeTime values.
Example:
Instead of WriteFile, look for QueryBasicInformationFile.
Note the LastWriteTime on one line; the next line will be SetBasicInformationFile.
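The check described above can also be run over a Procmon trace saved as CSV. The following is an added example, not Symantec or Microsoft code: it assumes Procmon's default CSV columns and Detail field names, and the process names, paths and timestamps in the sample are constructed placeholders.

```python
import csv
import io
import re

# Constructed sample; column layout assumed to match Procmon's default CSV export.
# Process names, paths and timestamps are placeholders, not captured data.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:15:01.1000000 AM","ExampleScanner.exe","2140","CreateFile","C:\Users\alice\NTUSER.DAT","SUCCESS","Desired Access: Generic Read"
"10:15:01.2000000 AM","ExampleScanner.exe","2140","QueryBasicInformationFile","C:\Users\alice\NTUSER.DAT","SUCCESS","CreationTime: 1/2/2023 8:00:00 AM, LastAccessTime: 3/4/2024 9:00:00 AM, LastWriteTime: 3/4/2024 9:00:00 AM, ChangeTime: 3/4/2024 9:00:00 AM, FileAttributes: HSA"
"10:15:01.3000000 AM","OtherProcess.exe","3312","SetBasicInformationFile","C:\Users\alice\NTUSER.DAT","SUCCESS","CreationTime: 1/2/2023 8:00:00 AM, LastAccessTime: 3/4/2024 9:00:00 AM, LastWriteTime: 3/5/2024 10:15:01 AM, ChangeTime: 3/5/2024 10:15:01 AM, FileAttributes: HSA"
"10:15:02.0000000 AM","ExampleScanner.exe","2140","ReadFile","C:\Users\alice\Documents\a.txt","SUCCESS","Offset: 0, Length: 10"
'''.strip()

# Splits a Detail string such as "LastWriteTime: <value>, ChangeTime: <value>" into pairs.
FIELD = re.compile(r"(\w+): (.*?)(?=, \w+: |$)")
OPS = ("QueryBasicInformationFile", "SetBasicInformationFile")


def timestamp_events(csv_text, filename="NTUSER.DAT"):
    """Return the Query/SetBasicInformationFile rows for the target file, in trace order."""
    events = []
    for row in csv.DictReader(io.StringIO(csv_text.lstrip("\ufeff"))):  # drop a UTF-8 BOM
        if row["Operation"] not in OPS:
            continue
        if row["Path"].rsplit("\\", 1)[-1].upper() != filename.upper():
            continue
        detail = dict(FIELD.findall(row["Detail"]))
        events.append({"process": row["Process Name"], "pid": row["PID"],
                       "op": row["Operation"], "path": row["Path"],
                       "last_write": detail.get("LastWriteTime"),
                       "change": detail.get("ChangeTime")})
    return events


def timestamp_changes(events):
    """List (process, pid, before, after) for each Set whose LastWriteTime differs
    from the value last seen for that path (None if no earlier row was recorded)."""
    last_seen, changes = {}, []
    for e in events:
        key = e["path"].upper()
        if e["op"] == "SetBasicInformationFile" and e["last_write"] != last_seen.get(key):
            changes.append((e["process"], e["pid"], last_seen.get(key), e["last_write"]))
        last_seen[key] = e["last_write"]
    return changes


if __name__ == "__main__":
    for change in timestamp_changes(timestamp_events(SAMPLE_CSV)):
        print(change)
```

To use it on a real trace, read the exported CSV file as text and pass its contents to timestamp_events in place of SAMPLE_CSV.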
The following Microsoft article references Modified time on Windows 7 and 2008. It seems to be happening again in Windows 10.
The "Modified time" file attribute of a registry hive file is updated when an application loads and then unloads the registry hive file without making any changes on a computer that is running Windows Server 2008 R2 or Windows 7
For further clarification on this behavior, please reach out to Microsoft.