How does the Preferred file indicate the active MasterKey and its expiration, and how can the expiration time be modified?

The Preferred file, located in the same directory as Master Key files, stores a 16-byte GUID identifying the current MasterKey and an 8-byte FILETIME representing its expiration (default 90 days). Using C code, an attacker can parse the file to read these values and calculate the expiry date. By overwriting the FILETIME bytes with a desired future time, the MasterKey's validity can be extended indefinitely, allowing continued decryption of data without needing a new login.