Is there any reason to keep the (new) default of LastAccessTime being updated?

Question

AFAIK the new default for Windows 10 and 11 is to update file LastAccessTimes.

This seems to be a bad idea as it thrashes SSDs and serves no useful purpose.

But perhaps I'm wrong. So, is there any good reason to keep it the way it is (i.e. updating)?

Answer 1

My answer : No, there is no good reason to keep the Last Access Time enabled.

Historical note

The Last Access Time has undergone many reverses. There were times that it was enabled by default, and others that it was not.

There used to be a distinction between the states of "User managed" and "System managed". In the later state, it used to be enabled only if the system disk was less than 128 GB. However, since Windows 10 20H1 it's always enabled by default, hence the poster's question.

How is it supposed to work

To reduce disk thrashing, the Last Access Time is kept in memory for one hour before being flushed out to disk, in order to mimimize disk I/O.

How does it really work

This was investigated by Msuhanov in the article The (in)consistency of last access timestamps.

His results were not very encouraging :

• Disk write of the Last Access Time may happen after much longer time than one hour. In one case, it was only written out after 12 hours when Msuhanov gave up and turned off his computer. During this period, a program might get either the old or new time, depending on how/where it's getting it.
• Msuhanov also found out that there were two Last Access Times: One in a file record and another one in an index record ($I30). So, depending on the access API function, or the modify API function, one would be dealing with one or the other, with no guarantee of consistency.

What is it good for

Truly speaking, I can't think of anything.

Keeping track of which files are being accessed is the only reason, but there are many reasons for such accesses, for example antivirus scans, Windows Search Index being updated and more.

The Last Access Time is not very useful in this regard, as no information is kept of which program did the access. All it says is that some program looked at the file, which doesn't help much.

My conclusion

The Last Access Time is badly implemented and too unreliable to be really useful, so you may go ahead and disable it.

I don't think that if enabled it will thrash the SSD, as SSDs are today as robust (or more) as hard disks. The one-hour delay will ensure that it will be written out at most once in any one hour, so this will avoid thrashing. Disabling it might not be worth the trouble.

Answer 2

Interesting question. The only good reason I could find, is the obvious one, you get recorded last access time for files & folders by chance that is helpful to you or your organization. Microsoft even recommends turning off in a couple of their server guides & have apparently flip-flopped on it for all PC's in the past (Vista apparently had it turned off; apparently changed when file was closed instead). So I'm guessing its TOTALLY safe to turn off if you see no value in having that additional info, clearly Microsoft can't decide either lol.

• https://learn.microsoft.com/en-us/windows-server/administration/performance-tuning/role/web-server/#ntfs-file-system-settings
• https://learn.microsoft.com/en-us/windows-server/administration/performance-tuning/role/file-server/nfs-file-server#tuning-parameters-for-nfs-file-servers
• https://learn.microsoft.com/en-us/windows-server/administration/windows-commands/fsutil-behavior
• https://dfir.ru/2018/12/08/the-last-access-updates-are-almost-back/
• https://forensics.wiki/new_technology_file_system_%28ntfs%29/
• Here is what I searched in google to gain some reputable info on it: NtfsDisableLastAccessUpdate site:microsoft.com -answers -social
• See section with date 2022/05/18 on this page on microsoft.com, I took a snapshot as well: