Since it appears that particular key (HKLM\SAM\SAM\Domains\Account\Users\Names\) only holds a pointer to the corresponding RID key, it shouldn't change after creation and the last write time will be equal to the creation time. I'm pretty sure that is actually the last write time of the key. Another way to enter the Local Group Policy Editor in Windows 10, 8, 8.1 is by using the Run app: Click the Windows logo key and the R key simultaneously. Select Command Prompt (admin) from the quick access menu. In the left pane of Microsoft Management Console, select Local Users and Groups. Windows 10, 8, 8.1 users can use Command Prompt to access the Local Group Policy Editor: Press the Windows logo key + X keyboard shortcut.
If you're prompted for an administrator password or confirmation, type the password or provide confirmation. You'll see it calls get_timestamp from Perl's Parse::Win32Registry. Open Microsoft Management Console by selecting Start, typing mmc into the search box, and then pressing Enter. If you look at its source here, line 99: $c_date = $create->get_timestamp() See here for an exhaustive description of the SAM. Evan's second link, for samparse, might get it right though. The value it calls the creation time is actually the password last set time, although these values are the same upon the initial account creation. I was about to give you a POC PowerShell script to extract and parse out the creation time, but I realized that chntpw's logic is incorrect.