System Restore Points timestamp in CCleaner and vssadmin

Hello Everybody,

I am wondering why the timestamp of a system restore point (you get it by invoking [as admin] vssadmin LIST SHADOWS) differs by 8-15 seconds from the timestamp shown in CCleaner?

The tool Shadow Explorer (latest version) shows no difference to vssadmin and has the same restore points.

Can you please check this regarding accuracy? (I am a forensic auditor and sometimes CCleaner is our tool of choice, but I do not want to explain differences of timestamps.)

Thank you!

Regards,

Markus

I have just examined the properties of

C:\System Volume Information\tracking.log

This has three time stamps (just like most other files)

Created and Accessed are both at 10 March 2012, 09:24:00

and this is (I guess) when Windows told the disk it was going to write a file

Modified is at 10 March 2012, 09:24:19

Which implies that it took 19 seconds for this 20 kB file to be written and closed.

Windows XP taught me that Restore Points are useless so my new system has none to be observed.

You will probably find that your restore points will have 8-15 second differences between Created and Modified time stamps,

and CCleaner uses the "correct stamp"

whilst Tool Shadow Explorer (latest Version) and vssadmin use the "wrong stamp"

(or vice versa depending on your viewpoint) :)
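
An added example, not part of either post: for an examiner who needs to document the gap, this lists the creation time System Restore records for each restore point beside the creation time VSS records for the nearest shadow copy, with the difference in seconds. It assumes an elevated Windows PowerShell 5.1 session and pairs each restore point with the closest shadow copy by time, which is an assumption; the thread does not say which of these sources CCleaner reads.

```powershell
# Added example: run in an elevated Windows PowerShell 5.1 session.

# System Restore's own record of each restore point (WMI class SystemRestore).
$restorePoints = Get-ComputerRestorePoint | ForEach-Object {
    [pscustomobject]@{
        Sequence    = $_.SequenceNumber
        Description = $_.Description
        # CreationTime is a DMTF-format string; convert it to a local DateTime.
        Created     = [System.Management.ManagementDateTimeConverter]::ToDateTime($_.CreationTime)
    }
}

# Shadow copies as VSS reports them through WMI (class Win32_ShadowCopy).
$shadows = Get-CimInstance -ClassName Win32_ShadowCopy |
    Select-Object ID, VolumeName, InstallDate

foreach ($rp in $restorePoints) {
    # Assumption: the shadow copy closest in time belongs to this restore point.
    $nearest = $shadows |
        Sort-Object { [math]::Abs(($_.InstallDate - $rp.Created).TotalSeconds) } |
        Select-Object -First 1
    if (-not $nearest) { continue }   # no shadow copies on this system

    [pscustomobject]@{
        Sequence       = $rp.Sequence
        Description    = $rp.Description
        RestorePointAt = $rp.Created.ToString('yyyy-MM-dd HH:mm:ss')
        ShadowCopyAt   = $nearest.InstallDate.ToString('yyyy-MM-dd HH:mm:ss')
        # Positive value: the shadow copy is stamped later than the restore point.
        DeltaSeconds   = [math]::Round(($nearest.InstallDate - $rp.Created).TotalSeconds)
        ShadowCopyId   = $nearest.ID
    }
}
```

Recording both columns and the delta in the case notes shows which Windows source each reported time came from.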