
Files modified on boot


  • Files modified on boot

    Hi guys, hope I have the right forum.

    I need to know which files are modified on boot and, if possible, which are modified on shutdown.

    Basically I have a PC and I need to know when the user last accessed his PC. The unit has been vandalised so it won't turn on, but I have hooked the hard drive up to my PC.

    Also is there a file that is accessed or modified

    Is there some software that can tell me this or is it quite simple?

    I guessed at pagefile.sys and maybe NTUSER.DAT


    Last edited by mordzy; 21st August 2008, 16:29.

  • #2
    Re: Files modified on boot

    No one has any ideas?


    • #3
      Re: Files modified on boot

      Since you have the drive mounted as a slave on another machine, open the Event Viewer files on that drive:


      Run Event Viewer on the "master" PC (eventvwr.exe), right-click on "Event Viewer (Local)" and choose "Open Log File". Browse to the slave drive and directory mentioned above and open AppEvent.evt, SecEvent.evt, and SysEvent.evt and have a look around.

      It should give you some indication of what happened last on that PC.

      The timestamp on pagefile.sys "may" be when the machine last booted up or it could also indicate the shutdown time if a graceful shutdown. I don't have time to test the latter. "eventlog" as the source in SysEvent.evt will tell you the same thing.

      With a startup date you could do a search in Windows Explorer for all files modified on or after that date (can't specify time).

      If the user logged out normally, ntuser.dat will reflect the logout time. If they crashed the machine, it may indicate login time. Compare w/ ntuser.dat.log. It is usually up-to-date during a session. So if the 2 files have different timestamps, ntuser.dat may indicate login time.

      Best of luck.


      ** Remember to give credit where credit is due and leave reputation points where appropriate **

      2006-2099 R Valstar. This post is offered "as is" for discussion purposes only with no express or implied warranty of any kind including, but not limited to, correctness or fitness for use. Nothing herein shall be construed as advice. Attempting any activity based on information in this post is done at your own risk.
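
The timestamp checks suggested in post #3, gathered into one script. This is an added example, not part of any post in the thread; the function names and the 2-second tolerance are assumptions, and it expects the suspect drive to be mounted read-only and passed as the first argument.

```python
import os
import sys
from datetime import datetime, timezone

# File names mentioned in the thread, matched case-insensitively anywhere under the root.
ARTIFACTS = {"pagefile.sys", "ntuser.dat", "ntuser.dat.log",
             "appevent.evt", "secevent.evt", "sysevent.evt"}

def walk_files(root):
    """Yield (path, mtime) for every file under root whose metadata can be read."""
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                yield path, os.stat(path).st_mtime
            except OSError:
                continue  # unreadable entry on a damaged volume: skip it

def collect_artifacts(root):
    """Return {path: mtime} for the files named in the thread."""
    return {p: m for p, m in walk_files(root)
            if os.path.basename(p).lower() in ARTIFACTS}

def hive_hints(found, tolerance=2.0):
    """Pair each ntuser.dat with the ntuser.dat.log beside it and compare mtimes.
    tolerance (seconds) is an assumed allowance for coarse timestamp resolution."""
    keyed = {(os.path.dirname(p), os.path.basename(p).lower()): m
             for p, m in found.items()}
    hints = {}
    for (folder, name), hive_m in keyed.items():
        log_m = keyed.get((folder, "ntuser.dat.log"))
        if name != "ntuser.dat" or log_m is None:
            continue
        same = abs(hive_m - log_m) <= tolerance
        hints[folder] = ("match" if same
                         else "differ: ntuser.dat may indicate login time")
    return hints

def modified_since(root, since):
    """All files modified at or after `since` (epoch seconds), oldest first."""
    return sorted((m, p) for p, m in walk_files(root) if m >= since)

def stamp(mtime):
    return datetime.fromtimestamp(mtime, timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")

if __name__ == "__main__" and len(sys.argv) > 1:
    found = collect_artifacts(sys.argv[1])
    for path, m in sorted(found.items(), key=lambda kv: kv[1]):
        print(stamp(m), path)
    for folder, hint in hive_hints(found).items():
        print(folder, "->", hint)
```

Passing the pagefile.sys timestamp to `modified_since()` lists later changes with time-of-day precision, which the Explorer date search mentioned in the post cannot do.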