Incorrect information gets recorded in [Win32_UserProfile].LastUseTime Obj

Hey All,

Do we know why the [Win32_UserProfile].LastUseTime object gets updated to the latest date for all profiles if anyone logs in to the machine?

Is there a way to prevent it from happening, or is there a way to identify the older profiles which are unused? It is causing my script to fail.

 

Peace & Cheers,
Samson V.

Antivirus/Antimalware can cause the stamps to get updated. See this hotfix's details.

https://support.microsoft.com/en-us/help/983544/the-modified-time-file-attribute-of-a-registry-hive-file-is-updated-wh

I am seeing many unexpected profiles showing a lastusetime that was the time I ran the command. But it was not all of them; many have just the one user with a recent lastusetime. Not sure this will be reliable; even the GPO that’s available can be ineffective as per that hotfix's details.

Well, in my case, any remote login updates the LastUseTime for all the profiles available in it.

Is there a way we can get the right information, or the “Modified” information you see under Computer Properties > Advanced System Settings > Advanced > Settings (under User Profiles)?

It differs from the LastUseTime if I check. If I can get that information from somewhere I can filter my results with that output and exclude the users which had recently logged in and execute my ProfileDeletion script. Hope I make sense.

 

Peace & Cheers,
Samson V.

Could try getting information from files in the profile to see if they can be used:

Get-CimInstance -ClassName Win32_UserProfile -Property * -Filter "Special ='False'" | 
Select LocalPath, 
       LastUseTime,
       @{Name='Folder Date';Expression={Get-Item -Path $_.LocalPath | Select -ExpandProperty LastAccessTime}},
       @{Name='NTUser Date';Expression={Get-Item -Path ($_.LocalPath + "\NTUSER.DAT") -Force | Select -ExpandProperty LastAccessTime}}

Hello,

The value in LastUseTime should match exactly the number listed in the UI you mention. If it doesn’t, then something is mounting the user's NTUSER.dat files and at least querying them. From my testing, just loading and unloading the registry hive did not affect the lastusetime timestamp. But simply expanding a folder in the UI or a query in the shell caused the time stamp to be updated.

If the UI is still showing the correct date, then perhaps it just isn’t updated until the user logs in, or it could be pulling the data from somewhere else. I’d guess it’s the former, but you’ll have to ask a Windows-specific expert. I was unable to find anything remotely close to this attribute in all my searching of system and user registry hives. My guess is that some other program (likely antivirus/antimalware) is loading and scanning the hives, causing the timestamp to get updated.

You can confirm this info is pulled directly from the user's ntuser.dat by moving the file and rerunning the command. I wrote this little bit just to nicely see which user is which, since it only shows the SID.

Get-CimInstance -ClassName win32_userprofile |
select @{N='Name';e={get-aduser -filter "sid -like '$($_.sid)'" | select -ExpandProperty name}},lastusetime

Here are the commands I used to mount in case you want to play around. Be sure to work on copies!

reg load hku\test c:\temp\ntuser.dat

reg query hku\test\software

reg unload hku\test

If all else fails, just create a small login script that logs the users' logins. Good luck!
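The logon-script fallback suggested in the last reply could look like the following. This is an added example, not code from any poster in the thread; the log path and the function names Write-LogonRecord and Get-ProfileLogonStatus are hypothetical, and the log directory is assumed to be pre-created by an administrator with append rights for users.

```powershell
# Assumed log location (hypothetical); create it beforehand and let users append to it.
$LogPath = 'C:\ProgramData\LogonAudit\logons.csv'

function Write-LogonRecord {
    # Call this from the logon script: appends one row per logon of the current user.
    param([string]$Path = $LogPath)
    [pscustomobject]@{
        TimeUtc = (Get-Date).ToUniversalTime().ToString('o')
        Sid     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
        User    = "$env:USERDOMAIN\$env:USERNAME"
    } | Export-Csv -Path $Path -Append -NoTypeInformation
}

function Get-ProfileLogonStatus {
    # Classifies each non-special, unloaded profile from the logon log instead of LastUseTime.
    param([int]$Days = 90, [string]$Path = $LogPath)
    $cutoff   = (Get-Date).ToUniversalTime().AddDays(-$Days)
    $lastSeen = @{}   # SID -> most recent logged logon (UTC)
    if (Test-Path -Path $Path) {
        foreach ($row in Import-Csv -Path $Path) {
            $t = [datetime]::Parse($row.TimeUtc, $null, 'RoundtripKind')
            if (-not $lastSeen.ContainsKey($row.Sid) -or $t -gt $lastSeen[$row.Sid]) {
                $lastSeen[$row.Sid] = $t
            }
        }
    }
    Get-CimInstance -ClassName Win32_UserProfile -Filter "Special = False AND Loaded = False" |
        ForEach-Object {
            $seen = $lastSeen[$_.SID]
            # A profile with no row is reported separately: it may simply predate the log.
            $status = if ($null -eq $seen) { 'NoRecord' }
                      elseif ($seen -lt $cutoff) { 'Stale' }
                      else { 'Active' }
            [pscustomobject]@{
                LocalPath   = $_.LocalPath
                SID         = $_.SID
                LastUseTime = $_.LastUseTime   # shown only for comparison with the log
                LastLogged  = $seen
                Status      = $status
            }
        }
}
```

Profiles reported as NoRecord should not be treated as unused until the log has been collecting for at least the cutoff period. Because users can append to the log, it is a cleanup hint rather than an audit trail.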