NTUSER.DAT file modification timestamp

6 Posts
4 Users
0 Likes
2,047 Views
(@abiolcati)
Posts: 1
New Member
Topic starter
 

I am examining a laptop with Windows XP, that was part of a domain.
I have 10 different user profiles in this machine.
Does the modification time of the NTUSER.DAT of one of the users tell me without "any doubt" that this user was logged at that time?
Thanks
Alex

 
Posted : 12/04/2010 10:34 pm
(@douglasbrush)
Posts: 812
Prominent Member
 

How are you performing your examination of the NTUSER.DAT file?

 
Posted : 12/04/2010 11:11 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Doug,

How are you performing your examination of the NTUSER.DAT file?

I don't follow…the OP appears to be asking about the modification time of the file.

@abiolcati,

Does the modification time of the NTUSER.DAT of one of the users tell me without "any doubt" that this user was logged at that time?

No, it doesn't…not by itself. It simply tells you that that's when the file was last modified.

If you're interested in when the user was logged in, a good way to validate this is to check the contents of keys that indicate user activity…UserAssist, RecentDocs, RunMRU, TypedURLs, etc.

Also, check the SAM hive for the last login time…that may help.

If the system is auditing user logins, a good methodology is to create a timeline with file system activity and Event Log records…you should see the user login (event ID 528, type 2 or 10), and a logout 'close' to the last modification time of the NTUSER.DAT file in question.

HTH.

 
Posted : 13/04/2010 12:06 am
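The timeline correlation keydet89 describes (pair the user's interactive logon and logoff records from the Security log, then see where the NTUSER.DAT modification time falls) can be scripted once the event records and file timestamps have been extracted. The following is an added example written for this thread, not code from any poster. It works on constructed sample records rather than a real Security log: event ID 528 with logon type 2 or 10 is taken from the post above; event ID 538 (User Logoff on Windows XP) and the two-minute "slack" window that treats a modification just before logoff as the profile being unloaded are assumptions of the example. It also covers the case athulin raises later in the thread, where the hive is modified while no interactive session is open.

```python
from datetime import datetime, timedelta

# Windows XP (pre-Vista) Security log event IDs.
LOGON_SUCCESS = 528            # named in the post above
LOGOFF = 538                   # assumed here: XP "User Logoff"
INTERACTIVE_TYPES = {2, 10}    # 2 = console logon, 10 = RemoteInteractive (RDP)

# Constructed sample Security log records, not real evidence:
# (timestamp, event id, account, logon type)
SAMPLE_EVENTS = [
    ("2010-04-12 08:02:11", 528, "alice", 2),
    ("2010-04-12 12:30:45", 538, "alice", 2),
    ("2010-04-12 13:05:00", 528, "bob", 10),
    ("2010-04-12 17:44:09", 538, "bob", 10),
    ("2010-04-12 18:00:00", 528, "alice", 3),   # network logon: not interactive, ignored
]

# Constructed NTUSER.DAT last-modified times taken from a file system timeline.
SAMPLE_NTUSER_MTIMES = {
    "alice": "2010-04-12 12:30:40",   # seconds before her logoff record
    "bob":   "2010-04-12 23:30:02",   # hours after his logoff: scheduled task or the like
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def build_sessions(events):
    """Pair each interactive 528 with the next 538 for the same account.

    Returns {account: [(logon_time, logoff_time_or_None), ...]}. Assumes one
    interactive session per account at a time; a session with no logoff
    record before the end of the log gets None as its end.
    """
    open_sessions = {}
    sessions = {}
    for ts, event_id, user, logon_type in sorted(events, key=lambda e: parse_ts(e[0])):
        t = parse_ts(ts)
        if event_id == LOGON_SUCCESS and logon_type in INTERACTIVE_TYPES:
            open_sessions[user] = t
        elif event_id == LOGOFF and user in open_sessions:
            sessions.setdefault(user, []).append((open_sessions.pop(user), t))
    for user, start in open_sessions.items():
        sessions.setdefault(user, []).append((start, None))
    return sessions


def classify_mtime(user, mtime, sessions, slack=timedelta(minutes=2)):
    """Place an NTUSER.DAT modification time against the account's sessions.

    'at_logoff'        - within `slack` before a logoff record (hive written
                         as the profile unloads; consistent with the user
                         having been logged on)
    'during_session'   - inside a logged interactive session
    'outside_session'  - no interactive session covers it: look for a
                         scheduled task, a service, or a gap in auditing
    """
    t = parse_ts(mtime)
    for start, end in sessions.get(user, []):
        if end is None:
            if t >= start:
                return "during_session"
        elif start <= t <= end:
            return "at_logoff" if end - t <= slack else "during_session"
    return "outside_session"


def report(events, mtimes):
    """Classify every profile's NTUSER.DAT mtime; returns {account: verdict}."""
    sessions = build_sessions(events)
    return {user: classify_mtime(user, mtime, sessions) for user, mtime in mtimes.items()}


if __name__ == "__main__":
    for user, verdict in report(SAMPLE_EVENTS, SAMPLE_NTUSER_MTIMES).items():
        print(f"{user}: NTUSER.DAT mtime {SAMPLE_NTUSER_MTIMES[user]} -> {verdict}")
```

An "outside_session" verdict is the point of the exercise: it does not prove the user was absent, only that the file modification is not explained by an audited interactive session, so the UserAssist, RecentDocs, RunMRU and TypedURLs keys and the Scheduled Tasks folder need to be examined before drawing a conclusion. Timestamps here are compared naively; on a real case normalise the Event Log times and the file system times to the same zone first.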
(@douglasbrush)
Posts: 812
Prominent Member
 

I wasn't clear whether it was about the time stamp of the file itself or the time stamping within. I was guessing within and am curious how the examination is being performed.

 
Posted : 13/04/2010 12:18 am
(@athulin)
Posts: 1156
Noble Member
 

Does the modification time of the NTUSER.DAT of one of the users tell me without "any doubt" that this user was logged at that time?

'logged'? Do you mean 'logged on'?

That probably depends on what exactly 'logged (on)' means.

For instance, if a user creates a batch job that directly or indirectly modifies parts of registry that are located in NTUSER.DAT, schedules it for 2330 and then logs out and leaves, …

 
Posted : 13/04/2010 12:32 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I wasn't clear whether it was about the time stamp of the file itself or the time stamping within. I was guessing within and am curious how the examination is being performed.

I could be completely wrong…I read "modification time of the NTUSER.DAT" and assumed that meant the modification time of the file itself.

 
Posted : 13/04/2010 1:21 am