How to find the creation date of a local user account?

I would like to get the creation date of a local user account (Win 7 if it matters). I've looked at the following WMI objects (and Google of course):

Win32_UserAccount
Win32_NetworkLoginProfile

The objects returned from NetworkLoginProfile have the last login time, but not the creation date. Checking the Date Created property of their profile folder merely gives the date that folder was created, not necessarily the account itself.


The data is in the SAM but it doesn't appear to be publicly documented by Microsoft and I'm not finding an official API to retrieve it. I can see, looking at the source code for the chntpw utility that the value is stored in the "F" registry key for each account. Quoth the source code:

#define USER_F_PATH "\\SAM\\Domains\\Account\\Users\\%08X\\F"

struct user_F {
  ...
  char t_creation[8]; /* Time of account creation */
  ...
}

The regripper forensics project has a plugin, samparse, that will report the account creation date.

A forensics tool probably isn't what you want, but it looks like Microsoft isn't making it easy.


In researching this I did find it amusing that a Microsoft MVP didn't know that the account creation data is stored in the SAM. To his benefit maybe he isn't aware of the chntpw utility, which is where I started my search for information about undocumented SAM structures.


The only way to actually know would be to have account management auditing enabled on the computer when the account was created. Then, you'd see EventID 4720 in the Event Log at the creation date. (The article says Active Directory, but the same applies to local accounts as well; I checked.)

Without that, the closest you can come is by checking the creation date on the user's registry hive, ntuser.dat file, user profile folder etc., but as mentioned in the comments, this is only accurate regarding the user's first logon, as that's when those things are created.

Unfortunately for you, this is a case of "if you didn't log it, then that information doesn't exist."


I was about to give you a POC PowerShell script to extract and parse out the creation time, but I realized that chntpw's logic is incorrect. The value it calls the creation time is actually the password last set time, although these values are the same upon the initial account creation. See here for an exhaustive description of the SAM.

Evan's second link, for samparse, might get it right though. Looking at it, it actually does work. If you look at its source here, line 99:

$c_date = $create->get_timestamp();

you'll see it calls get_timestamp from Perl's Parse::Win32Registry. I'm pretty sure that is actually the last write time of the key. Since it appears that particular key (HKLM\SAM\SAM\Domains\Account\Users\Names\<USERNAME>) only holds a pointer to the corresponding RID key, it shouldn't change after creation and the last write time will be equal to the creation time.

If you want to stick with more built-in tools, here is a series of Scripting Guy articles explaining how via PowerShell:

Use PowerShell to Access Registry Last-Modified Time Stamp

Reusing PowerShell Registry Time Stamp Code

Create a Proxy Function to Display Registry Key Time Stamps

Leverage Registry Key Time Stamps via PowerShell
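
The two approaches discussed in the answers above, side by side, as an added PowerShell example that is not code from the answers or the linked articles: the last-write time of each key under HKLM\SAM\SAM\Domains\Account\Users\Names, and any Event ID 4720 records in the Security log. It assumes Windows PowerShell 3.0 to 5.1 running as SYSTEM (administrators cannot read HKLM\SAM\SAM by default); the `Example.RegTime` type and both function names are hypothetical.

```powershell
# Added example. Assumes Windows PowerShell 3.0-5.1 and a SYSTEM session.
Add-Type -Namespace Example -Name RegTime -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey,
    IntPtr lpClass, IntPtr lpcchClass, IntPtr lpReserved,
    IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-SamNameKeyTime {   # hypothetical helper name
    $path  = 'SAM\SAM\Domains\Account\Users\Names'
    $names = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path)
    if ($null -eq $names) { throw "HKLM\$path not found or not readable" }
    try {
        foreach ($user in $names.GetSubKeyNames()) {
            $key = $names.OpenSubKey($user)
            try {
                $ft = [long]0
                $z  = [IntPtr]::Zero
                # Only the last argument (the key's last-write FILETIME) is requested.
                $rc = [Example.RegTime]::RegQueryInfoKey($key.Handle, $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft)
                if ($rc -ne 0) { throw (New-Object System.ComponentModel.Win32Exception $rc) }
                [pscustomobject]@{
                    Account         = $user
                    KeyLastWriteUtc = [DateTime]::FromFileTimeUtc($ft)
                }
            } finally { $key.Close() }
        }
    } finally { $names.Close() }
}

# Event ID 4720 records exist only if account-management auditing was enabled
# when the account was created and the Security log has not rolled over since.
function Get-AccountCreatedEvent {   # hypothetical helper name
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $data = ([xml]$_.ToXml()).Event.EventData.Data
            [pscustomobject]@{
                Account    = ($data | Where-Object { $_.Name -eq 'TargetUserName' }).'#text'
                CreatedUtc = $_.TimeCreated.ToUniversalTime()
            }
        }
}

Get-SamNameKeyTime | Sort-Object KeyLastWriteUtc | Format-Table -AutoSize
Get-AccountCreatedEvent | Format-Table -AutoSize
```

Where both sources report an account, the two timestamps can be compared directly; a key last-write time later than the 4720 event means the Names key was written again after creation.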