Hello,
Using RegRipper to extract the System and SAM registry, I found out that the Shutdown time is recorded a few hours later than the Last Login Date. Following is the extracted registry:
ControlSet001\Control\Windows key, ShutdownTime value
ControlSet001\Control\Windows
LastWrite Time Wed May 6 09:04:19 2009 (UTC)
ShutdownTime = Wed May 6 09:04:19 2009 (UTC)
Last Login Date Thu May 7 00:25:46 2009 Z
My only conclusion is that perhaps the system was powered off, hence the registry was not updated. Is there a way to correlate this? Thanks in advance.
Sure, there are a number of ways to do so…check the user's UserAssist key entries for signs of activity, examine the Event Log, etc. The fact of the matter is that if you find signs of nothing, then it might just be that the system was simply powered off…unfortunately, the only definitive way to tell that is if you were standing there when it happened.
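As an added illustration (not code from any poster in this thread), the correlation suggested above can be scripted: decode the raw 8-byte FILETIME stored in ShutdownTime and list every other timestamp that falls after it. The two main timestamps are the ones quoted in the question; the UserAssist entry and the helper names are constructed assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(raw: bytes) -> datetime:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    if len(raw) != 8:
        raise ValueError("FILETIME must be exactly 8 bytes")
    (ticks,) = struct.unpack("<Q", raw)
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def dt_to_filetime(dt: datetime) -> bytes:
    """Inverse helper, used here only to build the constructed sample value."""
    delta = dt - EPOCH_1601
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return struct.pack("<Q", ticks)

def activity_after_shutdown(shutdown_raw: bytes, events):
    """Return (shutdown_dt, [(label, ts, gap), ...]) for events later than ShutdownTime.

    Any hit means the system was running after its last recorded shutdown,
    i.e. the most recent session did not update ShutdownTime.
    """
    shutdown = filetime_to_dt(shutdown_raw)
    later = [(label, ts, ts - shutdown) for label, ts in events if ts > shutdown]
    return shutdown, sorted(later, key=lambda e: e[1])

UTC = timezone.utc
# ShutdownTime as it would sit in the registry, rebuilt from the value in the post.
SHUTDOWN_RAW = dt_to_filetime(datetime(2009, 5, 6, 9, 4, 19, tzinfo=UTC))
EVENTS = [
    ("SAM last login (from the post)", datetime(2009, 5, 7, 0, 25, 46, tzinfo=UTC)),
    ("UserAssist entry (constructed)", datetime(2009, 5, 7, 0, 31, 2, tzinfo=UTC)),
    ("UserAssist entry (constructed)", datetime(2009, 5, 5, 18, 0, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    shutdown, later = activity_after_shutdown(SHUTDOWN_RAW, EVENTS)
    print("ShutdownTime:", shutdown.isoformat())
    for label, ts, gap in later:
        print(f"  {ts.isoformat()}  +{gap}  {label}")
```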
noobster,
Is the system on a network? If so and logging is active on the server, you might be able to find date/time-related network activity.
Hello,
Thanks so much, I appreciate the feedback. I'll check out the UserAssist key entries once I'm back at work. BTW, I did check the Event Log before I posted this, but it is not enabled, unfortunately. Also, the computer is a stand-alone system (
So you didn't see any events related to shutdown or reboot?
If a laptop, battery charging log as reference?