Forum Discussion

Joe_Friedel's avatar
Joe_Friedel
Brass Contributor
Aug 31, 2017
Solved

Issue with date modified for NTUSER.DAT

Is Microsoft aware of an issue with various Windows 10 processes causing the date modified timestamp on the NTUSER.DAT file in unused profiles to change? We have specifically noticed that installatio...
  • Joe_Friedel's avatar
    Joe_Friedel
    Feb 23, 2018

    Here is the code from the script:

     

    #Purpose: Used to set the ntuser.dat last modified date to that of the last modified date on the user profile folder.
    #This is needed because windows cumulative updates are altering the ntuser.dat last modified date which then defeats
    #the ability for GPO to delete profiles based on date and USMT migrations based on date.

    $ErrorActionPreference = "SilentlyContinue"
    $Report = $Null
    $Path = "C:\Users"
    $UserFolders = $Path | GCI -Directory

    ForEach ($UserFolder in $UserFolders)
    {
    $UserName = $UserFolder.Name
    If (Test-Path "$Path\$UserName\NTUSer.dat")
        {
        $Dat = Get-Item "$Path\$UserName\NTUSer.dat" -force
        $DatTime = $Dat.LastWriteTime
        If ($UserFolder.Name -ne "default"){
            $Dat.LastWriteTime = $UserFolder.LastWriteTime
        }
        Write-Host $UserName $DatTime
        Write-Host (Get-item $Path\$UserName -Force).LastWriteTime
        $Report = $Report + "$UserName`t$DatTime`r`n"
        $Dat = $Null
        }
    }

Deleted's avatar
Deleted
Oct 09, 2020

In testing and across several computers I have found that the last modified date of the C:\users\username folder is not always accurate to when the user last logged in.  For example on my computer my folder is last modified in August 2020, and it is now Oct 2020 and I use my account daily.  I did test across several user account and the only file I found that gave an accurate date of any kind was the C:\Users\username\AppData\Local\IconCache.db file.  It has a time stamp of when the user last logged off the computer.  In most cases the user profile has this file, and it was the best option I could use to determine whether a profile was being used or not.  Unfortunately the delprof2.exe tool was working great until the Windows Updates started modifying the ntuser.dat file for all users causing this whole problem, the delprof tool would not longer delete profile older the x days.

 

To get a list of files in a user profile I ran the below to identify the IconCache.db file.  Hope this helps someone, as this thread got me going on the right track.

 

Get-ChildItem c:\Users\username -Recurse -Hidden| Select-Object FullName,LastWriteTime | sort-object -property Lastwritetime -descending | Out-File c:\temp\log.txt

SSUtech's avatar
SSUtech
Copper Contributor
Apr 15, 2022

Thanks for the script folks!  I have modified it to add an excluded user profiles list and based mine on the date of UserClass.dat instead of IconCache as I found some users did not have one and UserClass was the next closest I could find.

 

#Purpose: Used to set the ntuser.dat last modified date to that of the last modified date on the users UsrClass.dat file.
#This is needed because windows cumulative updates are altering the ntuser.dat last modified date which then defeats
#the ability for GPO to delete profiles based on date and USMT migrations based on date.

$ErrorActionPreference = "SilentlyContinue"
$Report = $Null
$Path = "C:\Users"
$ExcludedUsers ="Public","zabbix_agent","svc",”user_1”,”user_2”,"default","defaultuser0","public","administrator"
$UserFolders = $Path | GCI -Directory -Exclude $ExcludedUsers

ForEach ($UserFolder in $UserFolders)
{
$UserName = $UserFolder.Name
If (Test-Path "$Path\$UserName\NTUSer.dat")
    {
    $Dat = Get-Item "$Path\$UserName\NTUSer.dat" -force
    $DatTime = $Dat.LastWriteTime
	$Db = Get-Item "$Path\$Username\AppData\Local\Microsoft\Windows\UsrClass.dat" -force
	$UserClass = $Db.LastWriteTime
    $Dat.LastWriteTime = $UserClass
    Write-Host $UserName $DatTime
    Write-Host (Get-item $Path\$UserName\AppData\Local\Microsoft\Windows\UsrClass.dat -Force).LastWriteTime
    $Report = $Report + "$UserName`t$DatTime`r`n"
    $Dat = $Null
    $Db = $Null
    }
}
  • millermike's avatar
    millermike
    Copper Contributor
    Apr 19, 2022

     

    SSUtech wrote:

    Thanks for the script folks!  I have modified it to add an excluded user profiles list and based mine on the date of UserClass.dat instead of IconCache as I found some users did not have one and UserClass was the next closest I could find.

     

     

    #Purpose: Used to set the ntuser.dat last modified date to that of the last modified date on the users UsrClass.dat file.
#This is needed because windows cumulative updates are altering the ntuser.dat last modified date which then defeats
#the ability for GPO to delete profiles based on date and USMT migrations based on date.

$ErrorActionPreference = "SilentlyContinue"
$Report = $Null
$Path = "C:\Users"
$ExcludedUsers ="Public","zabbix_agent","svc",”user_1”,”user_2”,"default","defaultuser0","public","administrator"
$UserFolders = $Path | GCI -Directory -Exclude $ExcludedUsers

ForEach ($UserFolder in $UserFolders)
{
$UserName = $UserFolder.Name
If (Test-Path "$Path\$UserName\NTUSer.dat")
    {
    $Dat = Get-Item "$Path\$UserName\NTUSer.dat" -force
    $DatTime = $Dat.LastWriteTime
	$Db = Get-Item "$Path\$Username\AppData\Local\Microsoft\Windows\UsrClass.dat" -force
	$UserClass = $Db.LastWriteTime
    $Dat.LastWriteTime = $UserClass
    Write-Host $UserName $DatTime
    Write-Host (Get-item $Path\$UserName\AppData\Local\Microsoft\Windows\UsrClass.dat -Force).LastWriteTime
    $Report = $Report + "$UserName`t$DatTime`r`n"
    $Dat = $Null
    $Db = $Null
    }
}

     

    Future copy-pasters: Be sure to edit the quotation marks next to "user_1" and "user_2" -- looks like this awesome code snippet from SSUtech accidentally brought in the stupid kind that breaks code.

     

    FIXED QUOTES:

     

     

    #Purpose: Used to set the ntuser.dat last modified date to that of the last modified date on the users UsrClass.dat file.
#This is needed because windows cumulative updates are altering the ntuser.dat last modified date which then defeats
#the ability for GPO to delete profiles based on date and USMT migrations based on date.

$ErrorActionPreference = "SilentlyContinue"
$Report = $Null
$Path = "C:\Users"
$ExcludedUsers ="Public","zabbix_agent","svc","user_1","user_2","default","defaultuser0","public","administrator"
$UserFolders = $Path | GCI -Directory -Exclude $ExcludedUsers

ForEach ($UserFolder in $UserFolders)
{
$UserName = $UserFolder.Name
If (Test-Path "$Path\$UserName\NTUSer.dat")
    {
    $Dat = Get-Item "$Path\$UserName\NTUSer.dat" -force
    $DatTime = $Dat.LastWriteTime
	$Db = Get-Item "$Path\$Username\AppData\Local\Microsoft\Windows\UsrClass.dat" -force
	$UserClass = $Db.LastWriteTime
    $Dat.LastWriteTime = $UserClass
    Write-Host $UserName $DatTime
    Write-Host (Get-item $Path\$UserName\AppData\Local\Microsoft\Windows\UsrClass.dat -Force).LastWriteTime
    $Report = $Report + "$UserName`t$DatTime`r`n"
    $Dat = $Null
    $Db = $Null
    }
}

     

Resources