Is it possible to determine when a NTFS partition was created?

We have a client where it would be very useful to determine WHEN a drive was initialized or an NTFS partition created. Is there a timestamp value somewhere? If anyone could shed any advice it would be greatly appreciated.

Thanks!

-slashp


Solution 1:

Yes. You can even do it over a LAN.

The CIFS transaction is TRANS2_QFSINFO and the information level is SMB_QUERY_FS_VOLUME_INFO. The native Windows NT API function for querying a volume's creation time is ZwQueryVolumeInformationFile(), which yields a FILE_FS_VOLUME_INFORMATION data structure (almost identical to the CIFS one, note) when asked for the FileFsVolumeInformation class of information. Testing that this query works is part of the IFS tester that Microsoft supplies to driver developers.

Interestingly, no-one appears to have written a handy utility that just queries a volume and prints its creation timestamp in human readable form.[1] The nearest that you are going to get as far as I can tell is to crank up SysInternals' procmon tool and look for the volume information queries streaming by. Perhaps someone reading this will be inspired to create an enhanced vol command.

Yes, the volume creation timestamp is properly initialized, and isn't just set to zero or some other constant. I haven't checked, but my educated guess for the storage location of this information is the $STANDARD_INFORMATION attribute of the $Volume MFT entry. I can think of three other possible places, but that's the most logical one.


[1] grawity's utility just needs a little more polish, including simple uses of FileTimeToSystemTime() and GetTimeFormat(), to make it usable for end-users that cannot decode Win32 timestamps in their heads. ☺
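Added example (not part of the answer above, and not grawity's utility): a decoder for the FILE_FS_VOLUME_INFORMATION structure that Solution 1 describes, plus a Windows-only helper that obtains it through the user-mode export NtQueryVolumeInformationFile. The buffer size, the ctypes call details and the serial-number display format are assumptions; the test data is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILE_FS_VOLUME_INFORMATION, little-endian, as returned for FileFsVolumeInformation:
#   LARGE_INTEGER VolumeCreationTime  (8, Win32 FILETIME)   ULONG VolumeSerialNumber (4)
#   ULONG VolumeLabelLength (4, in bytes)  BOOLEAN SupportsObjects (1) + 1 pad byte
#   WCHAR VolumeLabel[]  (UTF-16LE, not NUL-terminated)
_HEADER = struct.Struct("<qIIBx")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """Win32 FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def parse_fs_volume_information(buf):
    """Decode the structure; raise ValueError on a truncated or inconsistent buffer."""
    if len(buf) < _HEADER.size:
        raise ValueError("buffer shorter than FILE_FS_VOLUME_INFORMATION header")
    ctime, serial, label_len, supports_objects = _HEADER.unpack_from(buf)
    if ctime < 0 or label_len % 2 or len(buf) < _HEADER.size + label_len:
        raise ValueError("inconsistent VolumeCreationTime or VolumeLabelLength")
    label = buf[_HEADER.size:_HEADER.size + label_len].decode("utf-16-le")
    return {
        "created": filetime_to_datetime(ctime),
        "serial": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",  # same form as 'vol' prints (assumed)
        "label": label,
        "supports_objects": bool(supports_objects),
    }

def query_volume_creation_time(root="C:\\"):
    """Windows only: fetch the live structure through ntdll and decode it (assumed call details)."""
    import ctypes
    from ctypes import wintypes
    k32, ntdll = ctypes.windll.kernel32, ctypes.windll.ntdll
    k32.CreateFileW.restype = wintypes.HANDLE
    # Desired access 0, share read/write/delete (7), OPEN_EXISTING (3), and
    # FILE_FLAG_BACKUP_SEMANTICS (0x02000000) so the root directory can be opened.
    h = k32.CreateFileW(root, 0, 7, None, 3, 0x02000000, None)
    if h == wintypes.HANDLE(-1).value:
        raise ctypes.WinError()
    try:
        iosb = (ctypes.c_void_p * 2)()  # IO_STATUS_BLOCK: two pointer-sized fields
        buf = ctypes.create_string_buffer(1024)
        # Information class 1 == FileFsVolumeInformation; NTSTATUS 0 == STATUS_SUCCESS
        status = ntdll.NtQueryVolumeInformationFile(h, iosb, buf, 1024, 1)
        if status != 0:
            raise OSError(f"NtQueryVolumeInformationFile: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
        return parse_fs_volume_information(buf.raw)
    finally:
        k32.CloseHandle(h)
```

On a Windows host, `query_volume_creation_time("D:\\")` returns the decoded dictionary for that volume; the parser alone runs anywhere, for instance on a buffer captured with procmon or from a CIFS TRANS2_QFSINFO response.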

Solution 2:

There is no "volume creation date" that I know of built-in to NTFS. However, you should be able to approximate the creation date quite closely by looking at the creation date of the System Volume Information directory in the root of the volume.