How to find the creation date of a local user account?

Solution 1

The data is in the SAM but it doesn't appear to be publicly documented by Microsoft and I'm not finding an official API to retrieve it. I can see, looking at the source code for the chntpw utility that the value is stored in the "F" registry key for each account. Quoth the source code:

#define USER_F_PATH "\\SAM\\Domains\\Account\\Users\\%08X\\F"

struct user_F {
  ...
  char t_creation[8]; /* Time of account creation */
  ...
}

The regripper forensics project has a plugin, samparse that will report the account creation date.

A forensics tool probably isn't what you want, but it looks like Microsoft isn't making it easy.


In researching this I did find it amusing that a Microsoft MVP didn't know that the account creation date is stored in the SAM. To his benefit, maybe he isn't aware of the chntpw utility, which is where I started my search for information about undocumented SAM structures.

Solution 2

The only way to actually know would be to have account management auditing enabled on the computer when the account was created. Then, you'd see EventID 4720 in the Event Log at the creation date. (The article says Active Directory, but the same applies to local accounts as well; I checked.)

Without that, the closest you can come is by checking the creation date on the user's registry hive, ntuser.dat file, user profile folder etc., but as mentioned in the comments, this is only accurate regarding the user's first logon, as that's when those things are created.

Unfortunately for you, this is a case of "if you didn't log it, then that information doesn't exist."

Solution 3

I was about to give you a POC PowerShell script to extract and parse out the creation time, but I realized that chntpw's logic is incorrect. The value it calls the creation time is actually the password last set time, although these values are the same upon the initial account creation. See here for an exhaustive description of the SAM.

Evan's second link, for samparse, might get it right though. Looking at it, it actually does work. If you look at its source here, line 99:

$c_date = $create->get_timestamp();

you'll see it calls get_timestamp from Perl's Parse::Win32Registry. I'm pretty sure that is actually the last write time of the key. Since it appears that particular key (HKLM\SAM\SAM\Domains\Account\Users\Names\<USERNAME>) only holds a pointer to the corresponding RID key, it shouldn't change after creation and the last write time will be equal to the creation time.

If you want to stick with more built-in tools, here is a series of Scripting Guy articles explaining how via PowerShell:

Use PowerShell to Access Registry Last-Modified Time Stamp

Reusing PowerShell Registry Time Stamp Code

Create a Proxy Function to Display Registry Key Time Stamps

Leverage Registry Key Time Stamps via PowerShell
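As an added example, not code from any of the answers above nor from chntpw, regripper or the Scripting Guy articles, the following script puts Solutions 1 and 3 side by side: it parses the per-RID "F" value (so you can see that the field chntpw labels t_creation is the password-last-set time, which only equals the creation date until the first password change), and it reads the last-write time of the HKLM\SAM\SAM\Domains\Account\Users\Names\<username> key that samparse reports. The F-value offsets are my reading of the chntpw/samparse layouts, not something the page states, so verify them against a hive you control; the sample F blob is constructed here for the demo rather than dumped from a real hive; and the live lookup assumes Windows and a SYSTEM token, since the SAM subtree is not readable by plain administrators.

```python
import struct
import sys
from datetime import datetime, timedelta, timezone

# FILETIME epoch is 1601-01-01 UTC, counted in 100-nanosecond ticks.
WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = 0x7FFFFFFFFFFFFFFF  # sentinel seen in AccountExpires for "never"


def filetime_to_datetime(ticks):
    """Convert a 64-bit FILETIME to an aware UTC datetime.
    Zero and the 0x7FFF... sentinel both mean 'not set' and give None."""
    if ticks == 0 or ticks >= NEVER:
        return None
    return WIN_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used to build the constructed sample)."""
    return ((dt - WIN_EPOCH) // timedelta(microseconds=1)) * 10


# Offsets inside the per-RID F value. ASSUMPTION: my reading of the chntpw
# struct user_F and regripper samparse layouts, not from the page above.
F_TIMESTAMPS = {
    "last_logon": 0x08,
    "password_last_set": 0x18,  # the field chntpw calls t_creation
    "account_expires": 0x20,
    "last_failed_logon": 0x28,
}


def parse_user_f(blob):
    """Decode the interesting fields of a SAM F value into a dict."""
    if len(blob) < 0x44:
        raise ValueError("F value too short: %d bytes" % len(blob))
    info = {name: filetime_to_datetime(struct.unpack_from("<Q", blob, off)[0])
            for name, off in F_TIMESTAMPS.items()}
    info["rid"] = struct.unpack_from("<I", blob, 0x30)[0]
    info["acb_flags"] = struct.unpack_from("<H", blob, 0x38)[0]
    info["failed_logon_count"] = struct.unpack_from("<H", blob, 0x40)[0]
    info["logon_count"] = struct.unpack_from("<H", blob, 0x42)[0]
    return info


def build_sample_f(password_last_set, last_logon=None, rid=1001, logon_count=0):
    """Constructed F value for the demo; this is NOT a dump from a real hive."""
    buf = bytearray(0x50)
    struct.pack_into("<Q", buf, 0x18, datetime_to_filetime(password_last_set))
    if last_logon is not None:
        struct.pack_into("<Q", buf, 0x08, datetime_to_filetime(last_logon))
    struct.pack_into("<Q", buf, 0x20, NEVER)      # account never expires
    struct.pack_into("<I", buf, 0x30, rid)
    struct.pack_into("<H", buf, 0x42, logon_count)
    return bytes(buf)


def name_key_last_write(username):
    """Last-write time of the Names\\<username> key (what samparse reports as
    the creation date). Windows only, and must run as SYSTEM (e.g. psexec -s),
    because the SAM subtree is not readable by ordinary administrators."""
    if sys.platform != "win32":
        raise OSError("live SAM lookup requires Windows")
    import winreg  # stdlib on Windows only
    path = r"SAM\SAM\Domains\Account\Users\Names\%s" % username
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        _subkeys, _values, ticks = winreg.QueryInfoKey(key)
    return filetime_to_datetime(ticks)


if __name__ == "__main__":
    # A freshly created account: password set at creation, never logged on.
    created = datetime(2014, 3, 1, tzinfo=timezone.utc)
    for field, value in parse_user_f(build_sample_f(created)).items():
        print("%-20s %s" % (field, value))
    # On a Windows box running as SYSTEM, compare with the Names key:
    # print(name_key_last_write("Administrator"))
```

On a real hive, run the live lookup as SYSTEM and compare the two values: if password_last_set from the F value and the Names key last-write time agree, you are almost certainly looking at the creation time; if they differ, the password has been changed since and only the Names key timestamp is still usable, with the Event ID 4720 caveat from Solution 2 applying to both.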


Author: MDMoore313

Professional software engineer that also enjoys IT work and the occasional widget invention. https://www.linkedin.com/in/mdmoore313/

Updated on September 18, 2022

Comments

  • MDMoore313
    MDMoore313 over 1 year

    I would like to get the creation date of a local user account (Win 7 if it matters). I've looked at the following WMI objects (and google of course):

    Win32_UserAccount
    Win32_NetworkLoginProfile

    The objects returned from NetworkLoginProfile have the last login time, but not the creation date. Checking the Date Created property of their profile folder merely gives the date that folder was created, not necessarily the account itself.

    • kralyk
      kralyk about 10 years
      To add from chat: I can see the user hive in the registry creation date, but that's only based on their first login, not account creation date.
  • HopelessN00b
    HopelessN00b about 10 years
    your ideas are intriguing to me and I wish to ---subscribe to your newsletter--- , I mean learn how to use this tool to try this myself. Would you, perchance, have any linkage I might avail myself of to that end? (Damn you markdown!)
  • Spence
    Spence about 10 years
    Just the link to the regripper project above. I haven't used it, personally, but it looks reasonably easy to deal with. It looks like it has been included in Kali Linux now (bugs.kali.org/print_bug_page.php?bug_id=246) if you'd rather just boot a live CD versus installing a Perl environment to run regripper. Apparently there was a book written around these tools. It looks pricey: amazon.com/Windows-Registry-Forensics-Advanced-Forensic/dp/… I should probably play around with these tools at some point-- I just haven't had the occasion to.
  • charleswj81
    charleswj81 about 10 years
    I think Evan might owe Richard Mueller an apology ;)
  • Spence
    Spence about 10 years
    I didn't give the tools a try. Are you finding that the date isn't getting populated?
  • charleswj81
    charleswj81 about 10 years
    Not sure if you saw my own answer below yet, but the field being referred to as "creation date" is actually "password last changed", which obviously will be the same value until the first post-account creation password change.
  • Spence
    Spence over 9 years
    -1 - That shows you when the profile directory was created. That doesn't tell you when the account was created since the profile directory could be deleted and re-created at any time after the account was created.
  • Kevin
    Kevin over 9 years
    While that is possible, 99% of the time it will be accurate, and this is good enough for most
  • Kevin
    Kevin over 9 years
    I was always told to keep it simple... seems both of us get about the same answer, you had to go write a program, and i just took the data already available in front of you
  • HopelessN00b
    HopelessN00b over 9 years
    @Kevin The "keep it simple" answer is mine, which is that it can't be done, unless auditing was enabled prior to the account creation, though the creation of user's registry hive, ntuser.dat file or user profile folder may provide an approximation. The complex answer is EvanAnderson's, which does actually work, to my surprise.
  • FooBee
    FooBee over 6 years
    How is this related? Have you read the question?