How to find the creation date of a local user account?
Solution 1
The data is in the SAM but it doesn't appear to be publicly documented by Microsoft and I'm not finding an official API to retrieve it. I can see, looking at the source code for the chntpw utility, that the value is stored in the "F" registry value for each account. Quoth the source code:
#define USER_F_PATH "\\SAM\\Domains\\Account\\Users\\%08X\\F"
struct user_F {
...
char t_creation[8]; /* Time of account creation */
...
}
The regripper forensics project has a plugin, samparse, that will report the account creation date.
A forensics tool probably isn't what you want, but it looks like Microsoft isn't making it easy.
In researching this I did find it amusing that a Microsoft MVP didn't know that the account creation data is stored in the SAM. To his benefit, maybe he isn't aware of the chntpw utility, which is where I started my search for information about undocumented SAM structures.
Solution 2
The only way to actually know would be to have account management auditing enabled on the computer when the account was created. Then, you'd see EventID 4720 in the Event Log at the creation date. (The article says Active Directory, but the same applies to local accounts as well; I checked.)
Without that, the closest you can come is by checking the creation date on the user's registry hive, ntuser.dat file, user profile folder etc., but as mentioned in the comments, this is only accurate regarding the user's first logon, as that's when those things are created.
Unfortunately for you, this is a case of "if you didn't log it, then that information doesn't exist."
Solution 3
I was about to give you a POC PowerShell script to extract and parse out the creation time, but I realized that chntpw's logic is incorrect. The value it calls the creation time is actually the password last set time, although these values are the same upon the initial account creation. See here for an exhaustive description of the SAM.
Evan's second link, for samparse, might get it right though. Looking at it, it actually does work. If you look at its source here, line 99:
$c_date = $create->get_timestamp();
you'll see it calls get_timestamp from Perl's Parse::Win32Registry. I'm pretty sure that is actually the last write time of the key. Since it appears that particular key (HKLM\SAM\SAM\Domains\Account\Users\Names\<USERNAME>) only holds a pointer to the corresponding RID key, it shouldn't change after creation and the last write time will be equal to the creation time.
If you want to stick with more built-in tools, here is a series of Scripting Guy articles explaining how via PowerShell:
Use PowerShell to Access Registry Last-Modified Time Stamp
Reusing PowerShell Registry Time Stamp Code
Create a Proxy Function to Display Registry Key Time Stamps
Leverage Registry Key Time Stamps via PowerShell
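The following script is an added example, not code from any of the answers above or from chntpw/regripper. It ties the two approaches together in PowerShell: it reads the last-write time of the HKLM\SAM\SAM\Domains\Account\Users\Names\<user> key via RegQueryInfoKey (the timestamp samparse reports), recovers the RID from that key, and then parses the FILETIMEs out of the RID key's F value so you can see that the "creation" field chntpw reads is really the password-last-set time. Assumptions, since Microsoft does not document the SAM layout: the RID is stored as the type of the Names key's default value, and the F offsets (0x08 last logon, 0x18 password last set, 0x28 last bad password) come from public reverse-engineering write-ups. The SAM hive is not readable by administrators by default, so run it as SYSTEM, e.g. psexec -s -i powershell.exe.

```powershell
# Added example (not from the original answers). Run as SYSTEM, e.g.
#   psexec -s -i powershell.exe
#   .\Get-SamAccountTimes.ps1 -User alice
param([Parameter(Mandatory)][string]$User)

$sig = @'
[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen,
    out uint values, out uint maxValueNameLen, out uint maxValueLen,
    out uint securityDescriptor, out long lastWriteTime);

[DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
public static extern int RegQueryValueEx(
    IntPtr hKey, string lpValueName, IntPtr lpReserved,
    out uint lpType, IntPtr lpData, ref uint lpcbData);
'@
$api = Add-Type -MemberDefinition $sig -Name SamApi -Namespace Win32 -PassThru

$hklm  = [Microsoft.Win32.Registry]::LocalMachine
$names = $hklm.OpenSubKey("SAM\SAM\Domains\Account\Users\Names\$User")
if (-not $names) {
    throw "No local account named '$User' (or SAM not readable; run as SYSTEM)"
}
$h = $names.Handle.DangerousGetHandle()

# 1. Last-write time of the Names\<user> key. This is what samparse's
#    get_timestamp() returns; the answer above argues it does not change
#    after the account is created.
$n1 = $n2 = $n3 = $n4 = $n5 = $n6 = $n7 = [uint32]0
$ft = [long]0
$rc = $api::RegQueryInfoKey($h, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$n1, [ref]$n2, [ref]$n3, [ref]$n4, [ref]$n5, [ref]$n6, [ref]$n7, [ref]$ft)
if ($rc -ne 0) { throw "RegQueryInfoKey failed with $rc" }
$namesKeyWritten = [DateTime]::FromFileTimeUtc($ft)

# 2. The RID lives in the *type* field of the key's default value (which has
#    no data). Assumption based on public SAM write-ups, not MS documentation.
$type = [uint32]0
$cb   = [uint32]0
$rc = $api::RegQueryValueEx($h, "", [IntPtr]::Zero, [ref]$type, [IntPtr]::Zero, [ref]$cb)
if ($rc -ne 0) { throw "RegQueryValueEx failed with $rc" }
$rid = $type

# 3. Parse the RID key's F value. Offsets are assumptions from public
#    reverse engineering: 0x08 last logon, 0x18 password last set (the field
#    chntpw labels t_creation), 0x28 last failed logon. Each is a 64-bit
#    little-endian FILETIME; 0 means "never".
$ridKey = $hklm.OpenSubKey(("SAM\SAM\Domains\Account\Users\{0:X8}" -f $rid))
if (-not $ridKey) { throw ("RID key {0:X8} not found" -f $rid) }
[byte[]]$f = $ridKey.GetValue("F")

function ConvertFrom-SamFileTime([byte[]]$buf, [int]$offset) {
    $v = [BitConverter]::ToInt64($buf, $offset)
    # 0 = never set; 0x7FFFFFFFFFFFFFFF = "no expiry" sentinel
    if ($v -le 0 -or $v -eq [long]::MaxValue) { return $null }
    return [DateTime]::FromFileTimeUtc($v)
}

[pscustomobject]@{
    User            = $User
    RID             = $rid
    NamesKeyWritten = $namesKeyWritten                 # best available creation proxy
    PasswordLastSet = ConvertFrom-SamFileTime $f 0x18  # equals creation only until first change
    LastLogon       = ConvertFrom-SamFileTime $f 0x08
    LastBadPassword = ConvertFrom-SamFileTime $f 0x28
}
```

Two caveats when reading the output. NamesKeyWritten is a registry key timestamp, not an audited event, so it is evidence rather than proof; if Event ID 4720 is available it wins. And because the Names subkey is keyed by the account's name, renaming the account would presumably create a fresh key with a new timestamp, so treat the value as a lower bound on the account's age (an assumption on my part, not something the answers verify).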
Updated on September 18, 2022
Comments
- MDMoore313 over 1 year: I would like to get the creation date of a local user account (Win 7 if it matters). I've looked at the following WMI objects (and Google of course):
Win32_UserAccount
Win32_NetworkLoginProfile
The objects returned from NetworkLoginProfile have the last login time, but not the creation date. Checking the Date Created property of their profile folder merely gives the date that folder was created, not necessarily the account itself.
- kralyk about 10 years: To add from chat: I can see the user hive in the registry creation date, but that's only based on their first login, not account creation date.
- HopelessN00b about 10 years: your ideas are intriguing to me and I wish to ---subscribe to your newsletter--- , I mean learn how to use this tool to try this myself. Would you, perchance, have any linkage I might avail myself of to that end? (Damn you markdown!)
- Spence about 10 years: Just the link to the regripper project above. I haven't used it, personally, but it looks reasonably easy to deal with. It looks like it has been included in Kali Linux now (bugs.kali.org/print_bug_page.php?bug_id=246) if you'd rather just boot a live CD versus installing a Perl environment to run regripper. Apparently there was a book written around these tools. It looks pricey: amazon.com/Windows-Registry-Forensics-Advanced-Forensic/dp/… I should probably play around with these tools at some point; I just haven't had the occasion to.
- charleswj81 about 10 years: I think Evan might owe Richard Mueller an apology ;)
- Spence about 10 years: I didn't give the tools a try. Are you finding that the date isn't getting populated?
- charleswj81 about 10 years: Not sure if you saw my own answer below yet, but the field being referred to as "creation date" is actually "password last changed", which obviously will be the same value until the first post-account-creation password change.
- Spence over 9 years: -1 - That shows you when the profile directory was created. That doesn't tell you when the account was created, since the profile directory could be deleted and re-created at any time after the account was created.
- Kevin over 9 years: While that is possible, 99% of the time it will be accurate, and this is good enough for most.
- Kevin over 9 years: I was always told to keep it simple... seems both of us get about the same answer; you had to go write a program, and I just took the data already available in front of you.
- HopelessN00b over 9 years: @Kevin The "keep it simple" answer is mine, which is that it can't be done, unless auditing was enabled prior to the account creation, though the creation of the user's registry hive, ntuser.dat file or user profile folder may provide an approximation. The complex answer is EvanAnderson's, which does actually work, to my surprise.
- FooBee over 6 years: How is this related? Have you read the question?