Forum Discussion
Issue with date modified for NTUSER.DAT
- Feb 23, 2018
Here is the code from the script:
# Purpose: Used to set the ntuser.dat last modified date to that of the last modified date on the user profile folder.
# This is needed because windows cumulative updates are altering the ntuser.dat last modified date which then defeats
# the ability for GPO to delete profiles based on date and USMT migrations based on date.
$ErrorActionPreference = "SilentlyContinue"
$Report = $Null
$Path = "C:\Users"
$UserFolders = $Path | GCI -Directory
ForEach ($UserFolder in $UserFolders)
{
    $UserName = $UserFolder.Name
    If (Test-Path "$Path\$UserName\NTUSer.dat")
    {
        $Dat = Get-Item "$Path\$UserName\NTUSer.dat" -force
        $DatTime = $Dat.LastWriteTime
        # Leave the "default" profile's timestamp untouched
        If ($UserFolder.Name -ne "default"){
            $Dat.LastWriteTime = $UserFolder.LastWriteTime
        }
        Write-Host $UserName $DatTime
        Write-Host (Get-item $Path\$UserName -Force).LastWriteTime
        $Report = $Report + "$UserName`t$DatTime`r`n"
        $Dat = $Null
    }
}
I spoke with Microsoft Engineering on this. I asked if I could share this update. They said it was not confidential, so I'm sharing it here.
The display dates in the Adv System control panel use “ntuser.dat”. There are no current plans to change how the dates are displayed. There are processes (like those used by Windows Update) that touch the 'ntuser.dat' file & update the date.
However, the Group Policy that cleans up profiles ("Delete user profiles older than a specified number of days on a system restart") uses a different calculation (instead of ntuser.dat). It instead uses these 2 registry values:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\SID\
LoadProfileUnloadTimeHigh
LoadProfileUnLoadTimeLow
I hope this adds value to this conversation and explains more about what's going on!
- rp
- AHDoug, Copper Contributor, Aug 06, 2021
I'm trying to figure out just what that "different" calculation might be - but I can't make heads or tails out of it. Here are the values from a computer I tested this on after logging out:
LocalProfileUnloadTimeHigh: 0x1d78a6d (30902893)
LocalProfileUnloadTimeLow: 0x14faa06d1 (1336542929)
I also ran this from psexec on that computer to get when it says I last logged out:
net user <myusername> /domain | findstr /B /C:"Last logon"
which produced this: Last logon 8/5/2021 7:44:44 PM
This translates to 1628192525 in epoch time, which I'm assuming is the format used in the registry. And I couldn't figure out any calculation from the registry entries which would even come close to the final value. Maybe it's a mystery only MS knows?
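Added example, not part of any post above and not Microsoft's code: it reads the two DWORDs as the high and low halves of one 64-bit Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC) rather than as Unix epoch seconds. That interpretation is an assumption based on the standard FILETIME layout, the function name `Convert-ProfileUnloadTime` is hypothetical, and the value names are the ones shown in AHDoug's post.

```powershell
# Added example. Assumption: High/Low are the two 32-bit halves of a FILETIME.
function Convert-ProfileUnloadTime {
    param(
        [Parameter(Mandatory)] [int64] $High,
        [Parameter(Mandatory)] [int64] $Low
    )
    # REG_DWORD values can come back as signed Int32, so a low half above
    # 0x7FFFFFFF would be negative. Mask both halves to unsigned 32 bits.
    $mask = [int64][uint32]::MaxValue
    $fileTime = (($High -band $mask) -shl 32) -bor ($Low -band $mask)
    [DateTime]::FromFileTimeUtc($fileTime)
}

# Decimal values quoted in the post above.
$utc = Convert-ProfileUnloadTime -High 30902893 -Low 1336542929
"Last unload (UTC):   {0:u}" -f $utc
"Last unload (local): {0:G}" -f $utc.ToLocalTime()

# The same conversion for every profile on the local machine.
# Profiles that have never been unloaded have no such values and are skipped.
$profileList = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
if (Test-Path $profileList) {
    Get-ChildItem $profileList | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($null -ne $p.LocalProfileUnloadTimeHigh -and
            $null -ne $p.LocalProfileUnloadTimeLow) {
            [pscustomobject]@{
                Sid           = $_.PSChildName
                ProfilePath   = $p.ProfileImagePath
                LastUnloadUtc = Convert-ProfileUnloadTime `
                    -High $p.LocalProfileUnloadTimeHigh `
                    -Low  $p.LocalProfileUnloadTimeLow
            }
        }
    }
}
```

The result is in UTC, so compare it with a local-time value such as the `net user` "Last logon" line only after converting one of them.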