Tell me search plugin of all NTFS timestamps

[ant]

Hello, NTFS timestamps of files and directories is an interesting topic.
Many PC users do not know that there are four timestamps of files and folders in the NTFS file system: for the filebody ($standard_information) -

CreationTime______file creation time __________________ Created
LastWriteTime_____maindata last modification time _______ Modified
LastAccessTime____last access time __________________ Accessed
ChangeTime_______any metadata last modification time

and the same set separately for the filename ($file_name). In addition, if DOS-compatible short names are assigned to files, then each short name also has such a set of four time stamps.
Total Commander displays and allows to search for three first timestamps, which are displayed in the context menu of files in Windows, for the body of the file.
Regarding timestamps of file names: there is no API function in Windows to change them, but displaying those timestamps is trivial.

Experienced users, do you know if plug-ins have been developed for searching the timestamps of filenames?

[Horst.Epp]

For what reason should one search for ChangeTime (any metadata last modification time) `?
If any meta data is changed the LastWriteTime will also change.

[ant]

Vice versa! Less with that, what about searching and displaying the filename timestamps? Such plugin is absent, as far as I know.

[Dalai]

If any meta data is changed the LastWriteTime will also change.

No, it won't, because it's not about the file's metadata but the metadata stored in the MFT, a file-system metadata if you will. You can test it yourself: Change the permissions on some file, and you'll see that the file's timestamps will stay the same, yet the metadata timestamps will not (although I'm not sure how to display them). The same probably applies to changes of a file's ADS (alternate data stream).

However, I'm not sure I understand the request, what exactly should be searched for. Ant, can you point to the data structure the information you seek is in?

Regards
Dalai

[ant]

First of all, take a nice program: http://hex.pp.ua/ntfs-stream-explorer-eng.php
Drag any file / shortcut / folder onto it, in the second tab you can see the timestamps of filename, in the third - timestamps of filebody.
Those timestamps can be *completely* different. There is a logical property in NTFS: creation date of filename never is newer that the creation date of filebody; and other properties.
About data structure: https://flatcap.org/linux-ntfs/ntfs/attributes/file_name.html

[Dalai]

It looks like the NTFS Streams Explorer you mentioned uses functions of the NT API. It ships with a file called xattrlib.dll which imports functions from ntdll.dll, and exports functions like GetExtendedAttributesList and ReadExtendedAttribute, which could refer to information you seek (not sure).

However, the programs fails to read the "Change time" when it runs as a normal user, so I guess functions of the NT API might require administrator privileges. This is normally no problem because the NT API is mainly used by drivers which have these privileges.

If it would have been a simple thing, I would have considered writing a plugin, but it doesn't look simple (to me at least). Maybe you can contact the program's author and ask him if he is willing to write a TC plugin or a command line program outputting the same information.

PS: NirSoft's AlternateStreamView can show yet another timestamp called "Entry modified" without requiring administrator privileges.

Regards
Dalai

[ant]

Dalai, thank you for analysis

Though "Entry modified" in NirSoft's AlternateStreamView is not another timestamp, it is a "ChangeTime (any metadata last modification time)".