1

Currently, I am experiencing a problem that some HDDs and SSDs formatted with NTFS do not have the file tunneling system working, so when I save files I have worked on to those disks, the creation date keeps changing to the saved date.

What's somewhat absurd is that when the USB is formatted as NTFS, the creation date of the file keeps changing to the date it was saved, as described above. However, if the USB is formatted as FAT32 or exFAT instead of NTFS, the creation date is preserved as it is when saving the file.

I am currently using Windows 10 and I am desperate for a solution to this problem.

Improve this question
5
  • 1
    Can you confirm… Your original & replacement files are in the same directory? Replacement time is under 15 seconds?
    – Tetsujin
    Commented Aug 15, 2023 at 7:53
  • 1
    mcsi-library.readthedocs.io/articles/2022/05/… has the registry entires to adjust this
    – Tetsujin
    Commented Aug 15, 2023 at 8:02
  • 1
    yes. The original and replacement files were in the same location and were saved within 15 seconds. However, the creation date is constantly changing.
    – upyen
    Commented Aug 15, 2023 at 9:26
  • 1
    I tried modifying the registry as per the referenced UPL address, but the problem still hasn't been resolved.
    – upyen
    Commented Aug 15, 2023 at 9:27
  • You do not need to put [solved] in the title. That's what we have the tick on the answer for.
    – Mokubai
    Commented Aug 15, 2023 at 11:51

2 Answers 2

Reset to default
1

The article Windows File System Tunneling in Digital Forensics explains the concepts and lists the two registry items that are important for Tunneling. Both are under the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem as follows:

  • MaximumTunnelEntries : Number of values can exist in the cache simultaneously, 0 disables tunneling.
  • MaximumTunnelEntryAgeInSeconds : The lifetime of entries in the cache, default value is 15 seconds, maximum is 71 seconds.

First action : You should use regedit to verify these registry items on your computer. The number of values might be too low or the lifetime is too short for a long file-operation.

In the article I'll be back in 15 seconds. Or, maybe not. File system tunneling, the author has done very many tests of Tunneling, and has found this:

Of the cases mentioned above, the only exception where the tunnel effect will not be generated is in the case of combining a long file name with its short name equivalent.

This means that referring to a file by both its long name and by its short name (8.3) does not work. If the editing program you're using does this inconsistent handling, then Tunneling will not work.

The author has also found this :

Disabling the creation of short file names, (8.3), also disables the tunnelling of the file system, since tunnelling is based on such names.

Short file-names are discussed in the Microsoft article fsutil 8dot3name.

Second action : Run an elevated Command Prompt (CMD) and check if short file names are enabled on the volume X: with the command:

fsutil 8dot3name query X:
Improve this answer
0
-1

As others have said in their answers, file system tunneling will be disabled if the 8.3 filename is disabled.
There is no official information, but Neal Christiansen (a Microsoft developer) announced it.
See this slide #60.

Improve this answer

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .