Hi!

What does it do?

Here's a little PowerShell script that retrieves from the registry the username, logon date, password last set and creation date of the local users on a Windows computer.

It uses information contained in the registry (under HKLM:\SAM\SAM\Domains\Account\Users\Names).

Extract of the code

 

PowerShell
function Get-LastLogonDate([byte[]]$F) {
    # Bytes 8..15 of the F value hold the last logon time as a little-endian FILETIME
    $i=0
    $hexLastLogon = @()
    while($i -lt $F.Length) {
        if($i -ge 8 -and $i -lt 16) {
            # Store each byte as two hex digits
            $hexLastLogon += '{0:X2}' -f $F[$i]
        }
        $i++
    }

    # Reverse the byte order so the most significant byte comes first
    $i=$hexLastLogon.Length - 1
    $lastLogon = ""
    while($i -ge 0) {
        $lastLogon = $lastLogon + $hexLastLogon[$i]
        $i--
    }
    # Return the value as a hexadecimal literal string
    $lastLogon = "0x$lastLogon"
    return $lastLogon
}
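
The function above returns bytes 8..15 of the F value as a hex string. The following added example (not part of the original script) decodes the same 8 bytes straight to a UTC DateTime and treats a zero value as "no timestamp recorded". Convert-FFileTime, its -Offset parameter and the sample byte arrays are names and data made up for this illustration; it needs PowerShell 5 or later.

```powershell
# Added example, not from Get-LocalUsersInfo.ps1.
# Decodes a little-endian 64-bit FILETIME stored inside an F-value byte array.
function Convert-FFileTime {
    param(
        [Parameter(Mandatory)][byte[]]$F,
        # Offset 8 is the last logon field read by Get-LastLogonDate above
        [int]$Offset = 8
    )

    # Refuse short or truncated values instead of reading past the end
    if ($F.Length -lt ($Offset + 8)) {
        throw "F value too short: need $($Offset + 8) bytes, got $($F.Length)"
    }

    # BitConverter reads in host byte order, which is little-endian on Windows
    $ticks = [BitConverter]::ToInt64($F, $Offset)

    # Zero means the field was never set; return $null rather than a year-1601 date
    if ($ticks -le 0) { return $null }

    return [DateTime]::FromFileTimeUtc($ticks)
}

# Constructed sample: 16 bytes with a known timestamp written at offset 8
$sample = New-Object byte[] 16
$when = [DateTime]::new(2015, 8, 1, 15, 42, 15, [DateTimeKind]::Utc)
[BitConverter]::GetBytes($when.ToFileTimeUtc()).CopyTo($sample, 8)

# Constructed sample: all zeros, as for an account that has never logged on
$never = New-Object byte[] 16

Convert-FFileTime -F $sample
Convert-FFileTime -F $never
```

A zero FILETIME is 1601-01-01 00:00 UTC, which a machine at UTC-5 prints as 12/31/1600 7:00:00 PM, the value shown for Guest in the Result listing.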
 
How to run

Run it with SYSTEM rights (to avoid resetting the LastWriteTime of the key under SAM):
1) psexec -i -s Powershell.exe
2) Run it: .\Get-LocalUsersInfo.ps1

 

Result

 

UserName::LogonDate::PasswordLastSet::LastWriteTime 
 
Administrator::7/26/2012 3:22:17 AM::7/26/2012 3:27:03 AM::8/1/2015 10:10:34 AM 
 
Guest::12/31/1600 7:00:00 PM::12/31/1600 7:00:00 PM::8/1/2015 10:10:34 AM 
 
Test1::12/31/1600 7:00:00 PM::10/20/2013 3:53:30 AM::8/2/2015 4:36:30 PM 
 
Test2::8/19/2013 1:30:05 AM::7/24/2013 3:47:52 PM::8/1/2015 10:10:34 AM 
 
Test3::6/11/2015 7:16:26 PM::3/18/2015 5:12:51 PM::8/1/2015 10:10:34 AM 
 
TestRegistry::8/1/2015 3:42:15 PM::8/1/2015 4:53:47 PM::8/1/2015 12:39:58 PM  
 
 
 

 

Enjoy!