File Information
- Submitted: Dec 04 2011 12:42 AM
- Last Updated: Jul 08 2012 06:12 PM
- File Size: 3.41MB
- Approved by: Nuno Brito
- Approved on: 05 December 2011 - 12:06 PM
Download SetMACE 1.0.0.6
This is an advanced filesystem timestamp manipulation tool. Some interesting features:
- Support for files and directories.
- Complete 64-bit timestamp (including the nanoseconds).
- Native 64-bit OS support (as well as 32-bit).
- Complete support for both $FILE_NAME and $STANDARD_INFORMATION timestamps, without workarounds.
- Clone timestamps from a second file.
- Dump all filesystem timestamps (up to 4+4+4)
- Damn hard to detect a manipulated timestamp.
From the readme.txt:
This is a filesystem timestamp manipulation tool, originally inspired by good old timestomp. Its usage is probably most extraordinary when used on NTFS, where both $STANDARD_INFORMATION and $FILE_NAME attributes are supported. Technically, for the $STANDARD_INFORMATION part, it is using the NtSetInformationFile function inside ntdll.dll and the FILE_BASIC_INFORMATION structure in FILE_INFORMATION_CLASS. On NTFS it will set all 4 MACE timestamps (reason for the app name), whereas on FAT it will set all 3 available (MAC). On NTFS, 4 timestamps are available for modification in the $STANDARD_INFORMATION attribute. The 4 timestamps in the $FILE_NAME attribute are not easily modified. However, by writing directly to physical disk, the $FILE_NAME can also be tweaked. Be sure to have read the warning below! The $FILE_NAME attribute can be present twice, giving it 8 possible timestamps. Short filenames have only 1 $FILE_NAME attribute (4 timestamps) whereas files with long filenames have 2 $FILE_NAME attributes (4+4 timestamps). It's all supported.
Parameter explanation:
- Parameter 1 is input/target file. Must be full path like "%CD%\file.ext" or "c:\folder\file.ext"
- Parameter 2 is determining which timestamp to update.
"-m" = LastWriteTime
"-a" = LastAccessTime
"-c" = CreationTime
"-e" = ChangeTime (in $MFT)
"-z" = all 4
"-g" = Copy timestamp from a second file ; only supported with $STANDARD_INFORMATION
"-d" = Dump existing timestamps (in UTC and adjusted for timezone configuration)
- Parameter 3 is the wanted new timestamp. The format must be strictly followed, like "1954:04:01:22:39:44:666:1234". That is YYYY:MM:DD:HH:MM:SS:MSMSMS:NSNSNSNS. The smallest possible value to set is "1601:01:01:00:00:00:000:0001". Timestamps are written as UTC and thus will show up in Explorer as interpreted by your timezone location. If parameter 2 is "-g" then this one should be a valid path+filename. Note that nanoseconds are supported.
- Parameter 4 determines if $STANDARD_INFORMATION or $FILE_NAME attribute or both should be modified.
"-si" will only update timestamps in $STANDARD_INFORMATION (4 timestamps), or just LastWriteTime, LastAccessTime and CreationTime (3 timestamps) for non-NTFS.
"-fn" will only update timestamps in $FILE_NAME (4 timestamps for short names and 8 timestamps for long names), and only for NTFS.
"-x" will update timestamps in both $FILE_NAME and $STANDARD_INFORMATION (8 or 12 timestamps depending on filename length).
Note:
Directories are also supported just like regular files. Beware that for long filenames it is not possible to set different values in the two sets. And thinking about it, it makes no sense to support such either. On nt6.x (Vista - Windows 8), it is not easily possible to modify timestamps on the systemdrive when the host OS is running (unless you implement a kernel mode driver that can give you a "SL_FORCE_DIRECT_WRITE"). However, booting to WinPE (CD, USB, PXE etc) will let this tool write directly to the volume that the local system (systemdrive) is on. This restriction is only applicable to this tool on nt6.x and the systemdrive when the host is running. Also beware that on nt6.x the target volume will be automatically locked/dismounted prior to physical disk writing, so be sure no heavy filesystem activity is going on on that volume when using this tool.
Tip:
Get MFTRCRD from http://reboot.pro/fi...ols-collection/ and quickly dump a substantial amount of information about the file (all timestamps ++++).
Warning:
Bypassing the filesystem and writing to physical disk is by nature a risky operation. Having said that, I have tested this new version on both XP SP3 x86 and Windows 7 x64, on which it works fine. This new method of timestamp manipulation is a whole lot harder to detect. In fact, I can't think of any method, except the presence of this tool and some hardcore digging inside the $LogFile. However, having said that, records in the $LogFile can be modified/overwritten as easily as this tool can, given access. I will still call this new version kind of experimental. I take no responsibility for any loss of data by the usage of this tool! Use only for educational purposes in non-production environments!
Examples:
Setting all 4 timestamps in both $FILE_NAME and $STANDARD_INFORMATION attributes for a file. If target FS is FAT* then only 3 timestamps are changed.
setmace.exe "%CD%\file.txt" -z "2000:01:01:00:00:00:789:1234" -x
Setting all 8 timestamps in the $FILE_NAME attribute for a file with long filename. If target FS is FAT* then nothing is done.
setmace.exe "%CD%\alongfilename.txt" -z "2000:01:01:00:00:00:789:1234" -fn
Setting 2 timestamps ($MFT creation time * 2) in the $FILE_NAME attribute for a file with long filename. If target FS is FAT* then nothing is done.
setmace.exe "%CD%\alongfilename.txt" -e "2000:01:01:00:00:00:789:1234" -fn
Setting all 4 timestamps in $STANDARD_INFORMATION attribute for a directory. If target FS is FAT* then only 3 timestamps are changed.
setmace.exe "D:\tmp" -z "2000:01:01:00:00:00:789:1234" -si
Setting the LastWriteTime in the $STANDARD_INFORMATION attribute.
setmace.exe "%CD%\file.txt" -m "2000:01:01:00:00:00:789:1234" -si
Dumping all timestamps for a file.
setmace.exe "%CD%\file.txt" -d
Copy $STANDARD_INFORMATION timestamps from secondfile.txt and apply them to file.txt.
setmace.exe "%CD%\file.txt" -g "%CD%\secondfile.txt"
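For the analyst's side of the "-si" case above, the following added example (not part of SetMACE or its readme) parses a raw MFT FILE record and reports every $STANDARD_INFORMATION time that predates its $FILE_NAME counterpart, which is what remains when only $STANDARD_INFORMATION has been rewritten. The sample record is constructed, update-sequence fixups are not applied, and mapping the "789:1234" fraction to 7891234 ticks of 100 ns is an assumption.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NAMES = ("CreationTime", "LastWriteTime", "ChangeTime", "LastAccessTime")  # on-disk order
ATTR = {0x10: "$SI", 0x30: "$FN"}   # $STANDARD_INFORMATION, $FILE_NAME type codes

def to_filetime(y, mo, d, h=0, mi=0, s=0, ticks=0):
    """UTC time plus 0..9999999 sub-second ticks -> FILETIME (100 ns units since 1601)."""
    delta = datetime(y, mo, d, h, mi, s, tzinfo=timezone.utc) - EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + ticks

def show(ft):
    """Render a FILETIME in UTC keeping all seven sub-second digits."""
    secs, ticks = divmod(ft, 10_000_000)
    return f"{EPOCH + timedelta(seconds=secs):%Y-%m-%d %H:%M:%S}.{ticks:07d}"

def mace_sets(record):
    """Return [(attribute, (C, M, E, A)), ...] for each resident $SI / $FN attribute."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, out = struct.unpack_from("<H", record, 0x14)[0], []
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == 0xFFFFFFFF or alen == 0:       # end marker or corrupt length
            break
        if atype in ATTR:                          # $FN content starts with an 8-byte parent ref
            body = off + struct.unpack_from("<H", record, off + 0x14)[0] + (atype == 0x30) * 8
            out.append((ATTR[atype], struct.unpack_from("<4Q", record, body)))
        off += alen
    return out

def si_before_fn(sets):
    """List (name, $SI, $FN) where a $SI time predates the same time in any $FN set."""
    si = next(v for n, v in sets if n == "$SI")
    return [(NAMES[i], show(si[i]), show(fn[i]))
            for n, fn in sets if n == "$FN" for i in range(4) if si[i] < fn[i]]

def _attr(atype, content):
    """Constructed resident attribute: 0x18-byte header, content at offset 0x18."""
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(content), 0, 0, 0, 0, 0,
                       len(content), 0x18, 0, 0) + content

# Constructed record: real times 2011-12-04, then LastWriteTime backdated in $SI only.
REAL, FAKE = to_filetime(2011, 12, 4, 0, 42, 0, 1234567), to_filetime(2000, 1, 1, ticks=7891234)
SAMPLE = (b"FILE" + bytes(0x10) + struct.pack("<H", 0x38) + bytes(0x22)
          + _attr(0x10, struct.pack("<4Q", REAL, FAKE, REAL, REAL) + bytes(16))
          + _attr(0x30, struct.pack("<Q4Q", 0, REAL, REAL, REAL, REAL) + bytes(32))
          + struct.pack("<II", 0xFFFFFFFF, 0))
```

When both attribute sets carry identical values, as with "-x", this comparison returns nothing, and the $LogFile mentioned in the warning is the remaining place to look.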
What's New in Version 1.0.0.6
- v1.0.0.6
- Lots of minor stuff changed, and in particular better feedback on console. New feature of allowing WriteFile() on PhysicalDisk.
- v1.0.0.5
- Complete support for dumping and writing of $FILE_NAME timestamps for both files and directories.
- v1.0.0.4
- Added support for directories.