How to Check File Last Access Time in Windows Server 2008 R2 Using PowerShell and CMD


3 views

When troubleshooting or auditing file systems on Windows Server 2008 R2, checking a file's last access time can be crucial for security investigations or maintenance routines. Here's a comprehensive guide to accomplish this.

Windows NTFS filesystem maintains three primary timestamps:

  • CreationTime
  • LastWriteTime (modification time)
  • LastAccessTime

The LastAccessTime property records when the file was last read or executed. However, note that modern Windows versions may not update this timestamp by default for performance reasons.

The simplest method is through Windows Explorer:

  1. Right-click the file and select Properties
  2. Check the "Last Accessed" field in the General tab

For automated checking, PowerShell provides powerful options:

# Basic file access time check
Get-Item "C:\path\to\file.txt" | Select-Object LastAccessTime

# Check if accessed within last 2 days
$file = Get-Item "C:\path\to\file.txt"
$cutoff = (Get-Date).AddDays(-2)
if ($file.LastAccessTime -gt $cutoff) {
    Write-Host "File was accessed within the last 2 days"
}

Using the DIR command with specific switches:

dir /T:A C:\path\to\file.txt

To scan a directory for files accessed within a timeframe:

# PowerShell example
Get-ChildItem "C:\target\folder" -Recurse | 
Where-Object { $_.LastAccessTime -gt (Get-Date).AddDays(-2) } |
Select-Object FullName, LastAccessTime
  • Last access tracking might be disabled in your OS (check fsutil behavior query disablelastaccess)
  • NTFS updates access times at different intervals depending on configuration
  • For precise auditing, consider enabling Windows auditing policies

For programmers needing precise control:

// C# example using FileInfo class
using System;
using System.IO;

class Program {
    static void Main() {
        FileInfo file = new FileInfo(@"C:\path\to\file.txt");
        DateTime lastAccess = file.LastAccessTime;
        Console.WriteLine($"Last accessed: {lastAccess}");
    }
}

Remember that the accuracy of these methods depends on system configuration and whether last access tracking is enabled.

On Windows systems, every file maintains three primary timestamps:

  • Creation time: When the file was first created
  • Last write time: When the file was last modified
  • Last access time: When the file was last read or executed

The simplest way to check file access time is using the dir command with the /T:A parameter:

dir /T:A "C:\path\to\your\file.txt"

For a directory's contents:

dir /T:A "C:\your\directory\*.*"

PowerShell provides more flexibility for checking and filtering by access time:

Get-Item "C:\path\to\file.txt" | Select-Object FullName, LastAccessTime

To find files accessed within the last 2 days:

$cutoffDate = (Get-Date).AddDays(-2)
Get-ChildItem "C:\your\directory" | Where-Object { $_.LastAccessTime -gt $cutoffDate } | Select-Object FullName, LastAccessTime

For large directories, robocopy can be more efficient:

robocopy "C:\source" "C:\destination" *.* /L /MAXAGE:2 /TS /FP /XJ /NJH /NJS
  • On modern Windows versions, last access time updates may be disabled by default for performance reasons
  • You may need to enable last access time recording via registry: 
    Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem]
"NtfsDisableLastAccessUpdate"=dword:00000000
  • Changes require a reboot to take effect

For legacy systems where PowerShell isn't available:

Set fso = CreateObject("Scripting.FileSystemObject")
Set file = fso.GetFile("C:\path\to\file.txt")
WScript.Echo "Last accessed: " & file.DateLastAccessed

Here's a complete batch file solution:

@echo off
setlocal enabledelayedexpansion

set "target_dir=C:\your\directory"
set "days=2"

for /f "tokens=1-3 delims=/" %%a in ('echo %date%') do (
    set current_day=%%a
    set current_month=%%b
    set current_year=%%c
)

for /f "tokens=*" %%f in ('dir /a-d /b "%target_dir%\*.*"') do (
    for /f "tokens=1-3 delims=/" %%a in ('echo %%~tf') do (
        set file_month=%%a
        set file_day=%%b
        set file_year=%%c
    )
    
    call :datediff !current_year! !current_month! !current_day! !file_year! !file_month! !file_day!
    
    if !diff! leq %days% (
        echo %%f was accessed within the last %days% days
    )
)

goto :eof

:datediff
setlocal
set /a diff=(%1*365)+(%2*31)+%3 - ((%4*365)+(%5*31)+%6)
endlocal & set diff=%diff%
goto :eof