How can I know when a file was last read or accessed on Windows?

Solution 1:

Actually, there is a way, but it's been disabled by default since Vista/2008, and I just verified it's disabled by default in Win7/2008R2.

The registry setting NtfsDisableLastAccessUpdate located in HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem now defaults to 1 for performance purposes. If you change that to a 0 then NTFS will update the LastAccessTime property of the file/folder.

You can see this value by looking at the properties of the file/folder or you can pull the information with a PowerShell script. Make sure you test first though to ensure the performance hit isn't too bad.

Also, NTFS won't always update the information immediately. According to Microsoft:

The NTFS file system delays updates to the last access time for a file by up to 1 hour after the last access.
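
The check described in Solution 1, as an added example that is not part of the original answers: it reads the NtfsDisableLastAccessUpdate value first, so the timestamps are only interpreted when NTFS is actually maintaining them, then lists the most recently accessed files under a folder. The function name Get-LastAccessReport, its parameters and the sample folder path are assumptions made for illustration.

```powershell
# Added example; Get-LastAccessReport, $Path and $Newest are illustrative names.
function Get-LastAccessReport {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Newest = 20
    )

    # Registry location and value name as given in Solution 1.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
    $raw = (Get-ItemProperty -Path $key -Name NtfsDisableLastAccessUpdate `
                -ErrorAction SilentlyContinue).NtfsDisableLastAccessUpdate

    if     ($null -eq $raw) { $state = 'value not present' }
    elseif ($raw -eq 0)     { $state = 'last-access updates enabled (0)' }
    elseif ($raw -eq 1)     { $state = 'last-access updates disabled (1)' }
    else                    { $state = "other value ($raw); confirm with: fsutil behavior query disablelastaccess" }

    if ($raw -ne 0) {
        # With updates off, LastAccessTime is stale and says nothing about recent reads.
        Write-Warning "NtfsDisableLastAccessUpdate: $state. LastAccessTime below may not reflect reads."
    } else {
        # Even when enabled, NTFS may delay the update by up to 1 hour (per the Microsoft note above).
        Write-Host "NtfsDisableLastAccessUpdate: $state"
    }

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        Sort-Object -Property LastAccessTime -Descending |
        Select-Object -First $Newest -Property FullName, LastAccessTime, LastWriteTime,
            @{ Name       = 'AccessedAfterWrite'
               # An access time later than the write time suggests a read after the last change.
               Expression = { $_.LastAccessTime -gt $_.LastWriteTime } }
}

# Hypothetical folder; replace with the directory you need to review.
Get-LastAccessReport -Path 'C:\Data\Reports' | Format-Table -AutoSize
```

Timestamps recorded before the setting was changed to 0 stay as they were, so the report is only meaningful for accesses made after that point.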

Solution 2:

After the fact? No, I do not believe so unless an auditing ACL was inherited from a parent or set directly on the file for the "read file" permission. If you DO enable file system auditing, you can then look at the security logs to find this information, which most people will pipe or transfer to some kind of tool for parsing.

You can also take a look at using something like Tripwire for maintaining file integrity if that becomes a goal.

Solution 3:

As @murisonc pointed out, NTFS volumes on Windows can track the last access time; they just don't by default, and it is easily enabled by setting a registry key.

You can combine this with a file integrity monitoring tool, such as Verisys or Tripwire, which can provide automated alerting and reporting.

Filesystem auditing tools may be an option too, though many rely on enabling object auditing, which can kill performance. Some others rely on filesystem filter drivers instead, but these drivers can be a bit flaky.