I would like to get the creation date of a local user account (Win 7 if it matters). I've looked at the following WMI objects (and Google of course):

Win32_UserAccount
Win32_NetworkLoginProfile

The objects returned from NetworkLoginProfile have the last login time, but not the creation date. Checking the Date Created property of their profile folder merely gives the date that folder was created, not necessarily the account itself.

The data is in the SAM, but it doesn't appear to be publicly documented by Microsoft and I'm not finding an official API to retrieve it. I can see, looking at the source code for the chntpw utility, that the value is stored in the "F" registry key for each account. Quoth the source code:

The regripper forensics project has a plugin, samparse, that will report the account creation date.
A forensics tool probably isn't what you want, but it looks like Microsoft isn't making it easy.

In researching this I did find it amusing that a Microsoft MVP didn't know that the account creation data is stored in the SAM. To his benefit, maybe he isn't aware of the chntpw utility, which is where I started my search for information about undocumented SAM structures.

The only way to actually know would be to have account management auditing enabled on the computer when the account was created. Then you'd see EventID 4720 in the Event Log at the creation date. (The article says Active Directory, but the same applies to local accounts as well; I checked.)
Without that, the closest you can come is by checking the creation date on the user's registry hive, ntuser.dat file, user profile folder etc., but as mentioned in the comments, this is only accurate regarding the user's first logon, as that's when those things are created.

Unfortunately for you, this is a case of "if you didn't log it, then that information doesn't exist."
I was about to give you a POC PowerShell script to extract and parse out the creation time, but I realized that chntpw's logic is incorrect. The value it calls the creation time is actually the password last set time, although these values are the same upon the initial account creation. See here for an exhaustive description of the SAM.

Evan's second link, for samparse, might get it right though. Looking at it, it actually does work. If you look at its source here, line 99:

you'll see it calls get_timestamp from Perl's Parse::Win32Registry. I'm pretty sure that is actually the last write time of the key. Since it appears that particular key (HKLM\SAM\SAM\Domains\Account\Users\Names\<USERNAME>) only holds a pointer to the corresponding RID key, it shouldn't change after creation and the last write time will be equal to the creation time.

If you want to stick with more built-in tools, here is a series of Scripting Guy articles explaining how via PowerShell:

Use PowerShell to Access Registry Last-Modified Time Stamp
Reusing PowerShell Registry Time Stamp Code
Create a Proxy Function to Display Registry Key Time Stamps
Leverage Registry Key Time Stamps via PowerShell
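As an added example (my own code, not from this thread or the Scripting Guy articles), here is the key last-write-time approach from the answer above in PowerShell: it P/Invokes RegQueryInfoKey to read the timestamp of each HKLM\SAM\SAM\Domains\Account\Users\Names\<USERNAME> key, and as a cross-check lists the 4720 events mentioned in the earlier answer. It assumes PowerShell 3 / .NET 4 or later (for RegistryKey.Handle) and a SYSTEM context, since Administrators cannot read under HKLM\SAM\SAM by default; the function names are my own.

```powershell
# Added example, not the thread's or the Scripting Guy code. Needs PowerShell 3+/.NET 4
# (RegistryKey.Handle) and a SYSTEM context (e.g. a scheduled task or PsExec -s),
# because Administrators cannot read under HKLM\SAM\SAM by default.
$signature = @'
[DllImport("advapi32.dll", SetLastError = true)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey,
    IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen,
    out uint lpcValues, out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen,
    out uint lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@
$RegApi = Add-Type -MemberDefinition $signature -Name RegQuery -Namespace SamTimestamp -PassThru

function Get-RegistryKeyLastWriteTime {
    # Returns the last-write FILETIME of an already open key as a local DateTime.
    param([Parameter(Mandatory)][Microsoft.Win32.RegistryKey]$Key)
    $n1 = $n2 = $n3 = $n4 = $n5 = $n6 = $n7 = [uint32]0   # counts we do not need
    $ft = [long]0
    $rc = $RegApi::RegQueryInfoKey($Key.Handle, [IntPtr]::Zero, [IntPtr]::Zero, [IntPtr]::Zero,
        [ref]$n1, [ref]$n2, [ref]$n3, [ref]$n4, [ref]$n5, [ref]$n6, [ref]$n7, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed with Win32 error $rc" }
    [DateTime]::FromFileTime($ft)
}

function Get-LocalAccountKeyTime {
    # One object per local account: the Names\<USERNAME> key and its last-write time,
    # which the answer above argues equals the account creation time.
    param([string]$UserName = '*')
    $names = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey('SAM\SAM\Domains\Account\Users\Names')
    if (-not $names) { throw 'Cannot open the SAM Names key; run this in a SYSTEM context.' }
    try {
        foreach ($name in $names.GetSubKeyNames() | Where-Object { $_ -like $UserName }) {
            $sub = $names.OpenSubKey($name)
            [pscustomobject]@{ Account = $name; KeyLastWrite = Get-RegistryKeyLastWriteTime -Key $sub }
            $sub.Close()
        }
    } finally { $names.Close() }
}

function Get-AccountCreatedEvents {
    # Cross-check from the earlier answer: 4720 events exist only if auditing was enabled.
    # Properties[0] of event 4720 is TargetUserName.
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, @{ n = 'Account'; e = { $_.Properties[0].Value } }
}

Get-LocalAccountKeyTime | Sort-Object KeyLastWrite | Format-Table -AutoSize
Get-AccountCreatedEvents | Format-Table -AutoSize
```

If a 4720 event and the key timestamp disagree for the same account, trust the event; the key time is only an inference that the Names key is never rewritten after creation.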
This command in PowerShell should do the trick:

Navigate via My Computer to C:\Users and you will see all the user accounts listed on the local machine. You can right click the appropriate user account and go to properties and it will show you a date created; this should be the same as the creation of the user account.

Just my 2 cents