How to find when user accounts were created?

(@randomaccess)

You may have luck running regslack over any of the SAM files you have available on the system.


   
ReplyQuote
keydet89
(@keydet89)

I'm trying to find out the date when one of my old user accounts was created. (On Windows XP)

The account was deleted. A new account was made with the same User name. (also deleted)

Things I've tried.

1. I tried looking at the Security Log from the Event Viewer, but it doesn't go back far enough.
2. System restore doesn't go back far enough
3. I tried looking in the SOFTWARE hive (\Microsoft\Windows NT\CurrentVersion\ProfileList), but it wasn't listed.

I think that the best I can offer at this point is some pointers regarding some of the responses you've already received…

Do you know how the account was deleted? Was it via the API (net user) or via the Control Panel applet?

The mention of shellbags would prove useful if you were trying to determine which user account had been used to add or remove the user account, as the shellbags artifacts will show access to the User Account Manager via the Control Panel. However, I believe that it was mentioned in one of the responses that this won't be definitive…while the shellbags will show access to the applet, it will not show the options chosen or items typed in by the user.

Since you're working with XP, you don't have the same "backup" functionality available on Win7 systems, but there are some options that *might* work.

As mentioned, try running regslack to retrieve deleted keys and values, as well as unallocated space from the SAM hive. Unfortunately, if you do find indications of this account, you'll very likely need to decipher it manually. Fortunately, there are resources that can assist you with this…but unfortunately, you're not likely going to find the data you're looking for readily marked and available for your consumption (i.e., there's not going to be a pointer that says, "THIS IS THE DATA YOU WANT").

I guess the overall caveat is that recovering the information you're looking for may be largely dependent upon how long ago the activity (deleting the account) occurred. Given time, deleted data gets overwritten as the space is reused…

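The kind of cell-level scan keydet89 refers to (regslack over the SAM hive, picking up deleted keys and unallocated space), as an added Python example; it is not regslack itself and not code from this thread. It walks the hive's hbins cell by cell rather than following parent/child pointers, so "nk" key records sitting in freed cells are reported alongside live ones, each with its key name and last-write time; the hive image it scans is constructed sample data, and the key names in it are made up. In a SAM hive the last-write time of a user's key under Names (SAM\Domains\Account\Users\Names) is what tools such as RegRipper report as the account creation time, so a recovered Names\<user> cell is the record worth looking for.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)      # FILETIME epoch
HBIN_HEADER, NK_HEADER = 0x20, 0x4C   # cell area offset in an hbin; fixed 'nk' body size

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def carve_nk_cells(hive):
    """Return every 'nk' (key) record in the hive, walking cells rather than
    parent/child pointers so that freed (deleted) keys are reported too."""
    if hive[:4] != b"regf":
        raise ValueError("missing 'regf' signature: not a registry hive")
    found, off = [], 0x1000                    # first hbin follows the 4 KiB base block
    while hive[off:off + 4] == b"hbin":
        hbin_size = struct.unpack_from("<I", hive, off + 8)[0]
        cell, end = off + HBIN_HEADER, off + hbin_size
        while cell + 4 < end:
            size = struct.unpack_from("<i", hive, cell)[0]   # <0 in use, >0 free
            if size == 0 or abs(size) > end - cell:
                break                                        # padding or corruption
            body = hive[cell + 4:cell + abs(size)]
            if body[:2] == b"nk" and len(body) >= NK_HEADER:
                flags, last_write = struct.unpack_from("<HQ", body, 2)
                name_len = struct.unpack_from("<H", body, 0x48)[0]
                raw = body[NK_HEADER:NK_HEADER + name_len]
                # flag 0x20: name stored as 8-bit text, otherwise UTF-16LE
                name = raw.decode("latin-1") if flags & 0x20 else raw.decode("utf-16-le", "replace")
                found.append({"name": name, "allocated": size < 0, "offset": cell,
                              "last_write": filetime_to_datetime(last_write)})
            cell += abs(size)
        off += hbin_size
    return found

def _nk_cell(name, filetime, allocated):
    """Build one 8-byte-aligned 'nk' cell (constructed data for the demo)."""
    body = b"nk" + struct.pack("<HQ", 0x20, filetime) + bytes(0x3C)
    body += struct.pack("<HH", len(name), 0) + name.encode("ascii")
    size = (len(body) + 4 + 7) & ~7
    return struct.pack("<i", -size if allocated else size) + body.ljust(size - 4, b"\0")

def sample_hive():
    """Minimal constructed hive: a live 'Names' key plus a deleted user key."""
    created = int((datetime(2010, 1, 1, tzinfo=timezone.utc) - EPOCH_1601).total_seconds()) * 10_000_000
    cells = _nk_cell("Names", created, True) + _nk_cell("olduser", created, False)
    hbin_size = (HBIN_HEADER + len(cells) + 0xFFF) & ~0xFFF
    hbin = b"hbin" + struct.pack("<II", 0, hbin_size) + bytes(0x14) + cells
    return b"regf".ljust(0x1000, b"\0") + hbin.ljust(hbin_size, b"\0")
```

On a real SAM image, pass the file's bytes to carve_nk_cells and filter for records with allocated == False; as keydet89 notes, a freed cell survives only until the space is reused, so an empty result does not prove the account never existed.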
JaredDM
(@jareddm)

A simple way I can think of to determine when a user account was created would be as follows:

1. Scan the drive with data recovery software such as R-Studio, which will actually scan all of the file indexing and find files which other data recovery software often misses.
2. Look through the results it finds, and search for files that are created when a new user account is created such as the desktop.ini file, and which are located in the User folder you're looking into. The creation date of such files is usually when the user account is made, unless the file was deleted and re-created, which is unlikely with hidden files.

I don't know that it'd hold any weight in court (I'm not a forensics guy), but it'll give you a good idea of the time frame.
