How does Windows default behavior affect the AccessTime attribute and which registry key controls it?
In Windows 7 and later, AccessTime updates are disabled by default to reduce disk I/O, so reading a file does not change AccessTime, keeping it equal to CreateTime. The registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\FileSystem, value NtfsDisableLastAccessUpdate (1 = disabled).
---
**Related reading:**
- Penetration Techniques - Time Attributes of NTFS Files in Windows — original article
- Penetration Basics - Implementation of Exchange One-Liner Backdoor
- Penetration Basics - Methods to Continuously Obtain Exchange User Inbox Emails
- Steganography Techniques - Hiding Payloads Using JPEG File Format