How to find the creation date of a local user account?

windows user-accounts powershell wmi

I would like to get the creation date of a local user account (Win 7 if it matters). I've looked at the following WMI objects (and google of course):

Win32_UserAccount Win32_NetworkLoginProfile

The objects returned from NetworkLoginProfile have the last login time, but not the creation date. Checking the Date Created property of their profile folder merely gives the date that folder was created, not necessarily the account itself.


The data is in the SAM but it doesn't appear to be publicly documented by Microsoft and I'm not finding an official API to retrieve it. I can see, looking at the source code for the chntpw utility that the value is stored in the "F" registry key for each account. Quoth the source code:

#define USER_F_PATH "\\SAM\\Domains\\Account\\Users\\%08X\\F"

struct user_F {
  ...
  char t_creation[8]; /* Time of account creation */
  ...
}

The regripper forensics project has a plugin, samparse that will report the account creation date.

A forensics tool probably isn't what you want, but it looks like Microsoft isn't making it easy.

In researching this I did find it amusing that a Microsoft MVP didn't know that the account creation data is stored in the SAM. To his benefit maybe he isn't away of the chntpw utility, which is where I started my search for information about undocumented SAM structures.


The only way to actually know would be to have account management auditing enabled on the computer when the account was created. Then, you'd see EventID 4720 in the Event Log at the creation date. (The article says Active Directory, but the same applies to local accounts as well; I checked.)

Without that, the closest you can come is by checking the creation date on the user's registry hive, ntuser.dat file, user profile folder etc., but as mentioned in the comments, this is only accurate regarding the user's first logon, as that's when those things are created.

Unfortunately for you, this is a case of "if you didn't log it, then that information doesn't exist."


I was about to give you a POC PowerShell script to extract and parse out the creation time, but I realized that chntpw's logic is incorrect. The value it calls the creation time is actually the password last set time, although these values are the same upon the initial account creation. See here for an exhaustive description of the SAM.

Evan's second link, for samparse, might get it right though. Looking at its actually does work. If you look at its source here, line 99:

$c_date = $create->get_timestamp();

you'll see it calls get_timestamp from Perl's Parse::Win32Registry. I'm pretty sure that is actually the last write time of the key. Since it appears that particular key (HKLM\SAM\SAM\Domains\Account\Users\Names\<USERNAME>) only holds a pointer to the corresponding RID key, it shouldn't change after creation and the last write time will be equal to the creation time.

I you want to stick with more built-in tools, here is a series of Scripting Guy articles explaining how via PowerShell:

Use PowerShell to Access Registry Last-Modified Time Stamp

Reusing PowerShell Registry Time Stamp Code

Create a Proxy Function to Display Registry Key Time Stamps

Leverage Registry Key Time Stamps via PowerShell

Related

Does IIS 8.5 support wildcard host header binding?
FTP 550: Permission Denied
Powershell Remotely Delete PKI Certificates
Small issue with the Domain Name System (DNS) Server Cmdlets
Is it a best practice to install programs to Program Files?
Implications of using VMware's templating and cloning for provisioning Linux servers instead of PXE
Chef-client not updating a cookbook from the server
PowerShell: Get-ADUser Properties with åäö
How to prevent Windows Server from adding external IP addresses for the domain controller into the DNS?
Do Windows/Automatic updates happen when a PC is sleeping/standby?
How to get SCCM to recognize return codes from Powershell script completion?
Bind DNS Recursion Slow