What does a DisableLastAccess value of 3 mean?
In the command prompt type:
fsutil behavior set DisableLastAccess
Hit enter and you will get this output:
Values:
0 - User Managed, Last Access Updates Enabled
1 - User Managed, Last Access Updates Disabled
2 - System Managed, Last Access Updates Enabled
3 - System Managed, Last Access Updates Disabled
The outdated doc has the following information:
Fsutil behavior
Thedisablelastaccess
parameter reduces the impact of logging updates to the LastAccessTime stamp on files and directories. Disabling the LastAccessTime feature improves the speed of file and directory access. This parameter updates the following registry key:
HKLM\SYSTEM\CurrentControlSet\Control\FileSystem\NtfsDisableLastAccessUpdate
Notes:
File-based LastAccessTime queries are accurate even if all on-disk values are not current. NTFS returns the correct value on queries because the accurate value is stored in memory.
One hour is the maximum amount of time that NTFS defers updating LastAccessTime on disk. If NTFS updates other file attributes such as LastModifyTime, and a LastAccessTime update is pending, NTFS updates LastAccessTime with the other updates without additional performance impact.
The
isablelastaccess
parameter can affect programs such as Backup and Remote Storage that rely on this feature.
As for System Managed versus User Managed, basically System Managed mode means that the system treats the corresponding enable/disable state that you selected as advisory only. Basically, each time the system boots, it will decide whether to enable or disable LastAccessTime
updating based on empirical factors, possibly overriding your suggestion.
From https://dfir.ru/2018/12/08/the-last-access-updates-are-almost-back/ (with cosmetic edits)...
In the System Managed mode, the NTFS driver can enable or disable LastAccessTime updating during the boot (in particular, when the system volume is mounted). LastAccessTime updates are enabled for NTFS volumes when the size of the system volume is 128 GiB or less. If the system volume is larger, then LastAccessTime updating is disabled.
The volume size threshold can be modified by writing an integer to:
HKLM\SYSTEM\CurrentControlSet\Control\FileSystemNtfsLastAccessUpdatePolicyVolumeSizeThreshold
The integer must specify the new threshold in GiB (not in bytes). The registry key doesn’t exist by default.
Use User Managed mode if you want to control the status of LastAccessTime updating and you don't want the system to override your choice during boot.