URGENT: Modified date shows time when PC was off

S

Sasiki

2[H]4U
Joined
Apr 10, 2005
Messages
2,818
The CEO of the company called me in his office today saying that ALL of his files show a modified date of January 23rd at 6am. I checked event viewer and his computer wasn't even on at this time. The weird thing is this happened with his desktop last year when it was powered off as well. I have no answer for him as well as no explanation. He is irritated either way though.

Any ideas as to what would cause the file modification date to change although the computer WAS NOT powered on?

Edit: Lenovo Thinkpad notebook, Windows XP SP2 and NTFS.
 
These are local files? Shared at all? Any actual modifications, or just the stamp in the properties?
 
Eulogy said:
These are local files? Shared at all? Any actual modifications, or just the stamp in the properties?
Click to expand...

Local files - not shared at all. No modifications, just the time stamp.. and the computer was powered off at the time it shows. Weird, huh?
 
Sasiki said:
Any ideas as to what would cause the file modification date to change although the computer WAS NOT powered on?
Click to expand...

What's the difference between the timestamp on the files and when the computer was running? One hour?
 
pigster said:
What's the difference between the timestamp on the files and when the computer was running? One hour?
Click to expand...

All day. He was out of the office on the 23rd. It shows it being turned off at end of business day the 22nd and turned back on the 24th, maybe the 25th.. can't remember.
 
Fast/slow internal clock? Flaky time server settings?

Does the event viewer have any other out-of-order time stamps in it?
 
zeplar said:
Fast/slow internal clock? Flaky time server settings?

Does the event viewer have any other out-of-order time stamps in it?
Click to expand...

The other timestamps are all in order with when he turned his computer off one day and turned it on a couple days later. I'm going to give up on it. A search on Google yielded no results and neither did a call to the computer shop a cousin works at.

Thanks anyway!
 
Paranoid CEO's. Gotta love them!

Honestly, that is weird. At first I was just thinking that MAYBE there was something happening before he shut off his machine, an it was set to do something at 6am the next day, ONLY to not be turned on. If the files weren't touched until the 25th, its possible that whatever had to touch the files modified it under the premise that it was to do it on the 24th. Rather confusing, I know, but its the best Idea I could come up with. I kinda confused myself, but at the same time, I understand what I'm getting at.
 
Version_3 said:
Paranoid CEO's. Gotta love them!

Honestly, that is weird. At first I was just thinking that MAYBE there was something happening before he shut off his machine, an it was set to do something at 6am the next day, ONLY to not be turned on. If the files weren't touched until the 25th, its possible that whatever had to touch the files modified it under the premise that it was to do it on the 24th. Rather confusing, I know, but its the best Idea I could come up with. I kinda confused myself, but at the same time, I understand what I'm getting at.
Click to expand...

I'm glad you understand haha. There are no programs on his laptop except Office 07 and NOD32 though. No scheduled tasks or anything. I've given up on it. I have found no one else on the net with the same issue or any articles describing the problem / solution.

Thanks for the ideas!
 
The only other thing I can think of is this:
PCs can be powered on over the network, or even someone sat down at his computer and went to use it, or did in fact use it. They may or may not have used the PC - that's for you to somehow figure out later :p. However, in any case, event viewers can be altered as well. Even though it's a paranoid view on things, it still may be worth while to investigate to a full extent. Especailly if it's your CEO.
 
Maybe we won't find the reason for it, but maybe you can offer solutions to prevent it again?

How about locking down the box so only he, and support can log onto it. perhaps offer to move his mydocs to a network share. Offer enhanced security so he feels better about it.
 
Paranoid, eh? Tell him this --

Someone sat down at his desk and booted up an instance of Windows PE. Because it was booted from the CDRom, the system log didn't show the machine as being powered on. Once the machine was booted up, they had free reign of his filesystem and not only were they able to take files that they wanted, they were able to modify some of his files to better suit their needs.


Then tell him to lock his office door when he leaves, if he isn't going to take his laptop home. ;)
 
You must log in or register to reply here.
Back
Top