Incorrect information gets recorded in [Win32_UserProfile].LastUseTime Obj

    • #221904
      Participant
      Topics: 4
      Replies: 11
      Points: 58
      Rank: Member

      Hey All,

      Do we know why the [Win32_UserProfile].LastUseTime object gets updated to the latest date for all profiles if anyone logs in to the machine?

      Is there a way to prevent it from happening, or is there a way to identify the older profiles which are unused? It is causing my script to fail.


      Peace & Cheers,
      Samson V.

    • #221973
      Participant
      Topics: 3
      Replies: 342
      Points: 1,130
      Helping Hand
      Rank: Community Hero

      Antivirus/Antimalware can cause the stamps to get updated. See this hotfix details.

      https://support.microsoft.com/en-us/help/983544/the-modified-time-file-attribute-of-a-registry-hive-file-is-updated-wh

      I am seeing many unexpected profiles showing lastusetime that was the time I ran the command. But it was not all of them, many have just the one user with recent lastusetime. Not sure this will be reliable, even the GPO that’s available can be ineffective as per that hotfix details.

    • #222936
      Participant
      Topics: 4
      Replies: 11
      Points: 58
      Rank: Member

      Well, in my case, every remote login updates the LastUseTime for all the profiles available in it.

      Is there a way we can get the right information, or the “Modified” information you see under Computer Properties > Advanced System Settings > Advanced > Settings (under User Profiles)?

      It differs from the LastUseTime if I check. If I can get that information from somewhere, I can filter my results with that output, exclude the users which had recently logged in and execute my ProfileDeletion script. Hope I make sense.


      Peace & Cheers,
      Samson V.

    • #222957
      Participant
      Topics: 12
      Replies: 1623
      Points: 2,565
      Helping Hand
      Rank: Community Hero

      Could try getting information from files in the profile to see if they can be used:

      # Non-special (real user) profiles only; put on-disk timestamps next to LastUseTime for comparison
      Get-CimInstance -ClassName Win32_UserProfile -Property * -Filter "Special ='False'" |
      Select-Object LocalPath,
             LastUseTime,
             @{Name='Folder Date';Expression={Get-Item -Path $_.LocalPath | Select-Object -ExpandProperty LastAccessTime}},   # last access of the profile folder itself
             @{Name='NTUser Date';Expression={Get-Item -Path ($_.LocalPath + "\NTUSER.DAT") -Force | Select-Object -ExpandProperty LastAccessTime}}   # -Force: NTUSER.DAT is a hidden system file
    • #223473
      Participant
      Topics: 3
      Replies: 342
      Points: 1,130
      Helping Hand
      Rank: Community Hero

      Hello,

      The value in LastUseTime should match exactly the number listed in the UI you mention. If it’s not, then something is mounting the user's NTUSER.dat files and at least querying them. From my testing, just loading and unloading the registry hive did not affect the LastUseTime timestamp. But simply expanding a folder in the UI or a query in the shell caused the timestamp to be updated. If the UI is still showing the correct date, then perhaps it just isn’t updated until the user logs in, or it could be pulling the data from somewhere else. I’d guess it’s the former, but you’ll have to ask a Windows-specific expert. I was unable to find anything remotely close to this attribute in all my searching of system and user registry hives. My guess is that some other program (likely antivirus/antimalware) is loading and scanning the hives, causing the timestamp to get updated. You can confirm this info is pulled directly from the user's ntuser.dat by moving the file and rerunning the command. I wrote this little bit just to nicely see which user is which, since it only shows the SID.

      
      Get-CimInstance -ClassName win32_userprofile |
      
      select @{N='Name';e={get-aduser -filter "sid -like '$($_.sid)'" | select -ExpandProperty name}},lastusetime
      
      

      Here are the commands I used to mount, in case you want to play around. Be sure to work on copies!

      
      reg load hku\test c:\temp\ntuser.dat
      
      reg query hku\test\software
      
      reg unload hku\test
      
      

      If all else fails just create a small login script that logs the users logins. Good luck!
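Pulling the thread together, here is an added example (not code posted in this thread) of a cleanup helper that treats LastUseTime as informational only: it estimates last logon from the LastWriteTime of NTUSER.DAT (rewritten when the hive is unloaded at logoff, and unlike LastAccessTime not subject to NTFS last-access tracking being disabled), never reports a profile that is currently loaded, and never marks a profile stale when its hive cannot be read. The 90-day threshold and the function name are assumptions.

```powershell
# Added example, not from the thread. LastUseTime is refreshed for every profile
# whenever something touches the hives, so it is shown only for comparison.
function Get-StaleUserProfile {
    [CmdletBinding()]
    param([int]$DaysUnused = 90)   # threshold is an assumption; set it per policy

    $cutoff = (Get-Date).AddDays(-$DaysUnused)

    # Special = system/service profiles (SYSTEM, LocalService, ...); skip them.
    Get-CimInstance -ClassName Win32_UserProfile -Filter "Special = FALSE" |
    ForEach-Object {
        $p = $_
        $hivePath = Join-Path $p.LocalPath 'NTUSER.DAT'
        # -Force is required: NTUSER.DAT is hidden+system and Get-Item skips it otherwise.
        $hive = Get-Item -LiteralPath $hivePath -Force -ErrorAction SilentlyContinue
        $hiveWrite = if ($hive) { $hive.LastWriteTime } else { $null }

        # Resolve the SID locally (works for domain and local accounts); keep the raw
        # SID when the account no longer exists (orphaned profile).
        $sidObj = [System.Security.Principal.SecurityIdentifier]$p.SID
        $name = try { $sidObj.Translate([System.Security.Principal.NTAccount]).Value } catch { $p.SID }

        # Stale only when: not loaded, hive readable, and hive untouched since the cutoff.
        # A missing/unreadable hive is still reported but never marked stale.
        $stale = (-not $p.Loaded) -and $hiveWrite -and ($hiveWrite -lt $cutoff)

        [pscustomobject]@{
            Name          = $name
            LocalPath     = $p.LocalPath
            Loaded        = $p.Loaded
            LastUseTime   = $p.LastUseTime   # unreliable, shown for comparison only
            HiveLastWrite = $hiveWrite
            Stale         = $stale
            CimInstance   = $p               # kept so the caller can remove the profile
        }
    }
}

# Review the list first; remove with -WhatIf until the candidates look right.
Get-StaleUserProfile -DaysUnused 90 |
    Format-Table Name, Loaded, LastUseTime, HiveLastWrite, Stale -AutoSize
Get-StaleUserProfile -DaysUnused 90 | Where-Object Stale |
    ForEach-Object { $_.CimInstance | Remove-CimInstance -WhatIf }
```

Drop -WhatIf only after comparing the candidate list with the Modified column in the User Profiles dialog mentioned above; the hive write time is an estimate, not an authoritative logon record.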
