SOLVED

Issue with date modified for NTUSER.DAT

Is Microsoft aware of an issue with various Windows 10 processes causing the date modified timestamp on the NTUSER.DAT file in unused profiles to change? We have specifically noticed that installation of cumulative updates modifies this file in all profiles, but there are other processes (I'm guessing scheduled tasks but I haven't found which ones) that do this too. 

This is particularly a problem in Education as we use the "Delete user profiles older than a specified number of days on a system restart" GPO setting to clean up old profiles on Lab and Classroom computers and that policy relies on the timestamp on the NTUSER.DAT file to determine the age of the profile. (The USMT tool also uses that file and timestamp when you specify to only capture profiles used within the last XX days.)

For reference, the date modified timestamp on the profile folder in the Users directory does accurately reflect the last time the profile was used.

51 Replies
Thanks for this feedback, Joe - I can pass this along to our team. If you are able to, please submit this feedback to the Windows Feedback hub - this is the best way to get bugs like this to our engineering teams.

I'm currently running into this exact issue. Was there a bug report submitted or were you able to find a fix? 

I did submit this in the Feedback Hub app 5 months ago. It has 1 upvote and no comments. I have not tested to see if this was fixed in 1709. We developed a PowerShell script that loops through the user profiles and sets the ntuser.dat date modified value to the date modified value from the user profile folder. We just run this on a set schedule for any computers where we're using the profile deletion GPO setting.

I am currently having the same issue and have a call open with Microsoft about it. This has been ongoing now for months. I initially suspected Windows updates and Store updates are changing the .dat files, which makes some sense. Looking at event logs you can see the user registry hives being modified and usually preceded by the Windows Update client kicking in to download something.

Microsoft have been round the houses trying to blame everything but the OS, suggesting anti-virus software for example, but it can't be that with no third-party AV on the machine.

I can confirm that this problem has persisted in 1709 as well. 

Currently away to use process monitor to confirm what is changing the registry.

My current feeling is that this is expected behaviour and no one wants to admit it.

Just to add, I am only seeing this behaviour since going to 1703 in the Summer as we have switched from roaming profiles to local profiles and UEV, and we were wiping all roaming profiles remnants using delprof tool on startup prior to the summer so machines were clean of profiles on every boot. This is not really an option if you are using local profiles, hence the switch to the GPO. 

Thanks for the update and I look forward to seeing if you're able to get a resolution. I can also confirm this is not caused by antivirus. We have Defender completely disabled via GPO and I had McAfee VSE uninstalled at the time of my testing. 

Hi Joe

We struggle with the same problem in our school. Could you share the PowerShell script with us?

best response confirmed by Joe Friedel (Brass Contributor)
Solution

Here is the code from the script:

#Purpose: Used to set the ntuser.dat last modified date to that of the last modified date on the user profile folder.
#This is needed because Windows cumulative updates are altering the ntuser.dat last modified date which then defeats
#the ability for GPO to delete profiles based on date and USMT migrations based on date.

$ErrorActionPreference = "SilentlyContinue"
$Report = $Null
$Path = "C:\Users"
$UserFolders = $Path | Get-ChildItem -Directory

ForEach ($UserFolder in $UserFolders)
{
    $UserName = $UserFolder.Name
    If (Test-Path "$Path\$UserName\NTUSer.dat")
    {
        #NTUSER.DAT is a hidden file, so -Force is needed to retrieve it
        $Dat = Get-Item "$Path\$UserName\NTUSer.dat" -Force
        $DatTime = $Dat.LastWriteTime
        #Leave the Default profile template untouched
        If ($UserFolder.Name -ne "default") {
            $Dat.LastWriteTime = $UserFolder.LastWriteTime
        }
        #Show the original NTUSER.DAT time, then the profile folder time
        Write-Host $UserName $DatTime
        Write-Host (Get-Item $Path\$UserName -Force).LastWriteTime
        $Report = $Report + "$UserName`t$DatTime`r`n"
        $Dat = $Null
    }
}

Thanks, I will try this and give you feedback!

I wanted to post and say that we are experiencing this same issue and wanted to see if anyone had any new information on it.

We are running 1703 Enterprise and are becoming increasingly frustrated with it.

Just adding we have the same problem, Windows 10 Pro 1703 and 1709.

We are having this issue also with Server 2012R2 RDS.

At reboot time user.dat timestamp is updated and profiles are never cleaned up.

Just want to say a big thanks for the PowerShell script. I've been tearing my hair out with this problem for several months.

We changed over some of our school estate to SSDs last year and they're getting filled up quite quickly now and I couldn't work out why the normal Group Policy for removing profiles wasn't working.

Changing to the date on the folder isn't perfect as something else sometimes modifies it as well, but it's a step in the right direction.

Hopefully MS can sort it out.

Can you tell me how you put this in place?

Does it work side by side with the existing GPO, or is this a standalone script?

We are having the issue you are/were having...

Yes, the script is used in combination with the GPO setting. We still have the "Delete user profiles older than a specified number of days on system restart" configured. The PowerShell script to adjust the timestamps on the NTUser.dat files is executed on a daily schedule by ConfigMgr using a package with the script as the source file and a program running the following command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -file Change_NTUSER_Date.ps1

The program is deployed to always rerun. You could also accomplish this with a scheduled task running the script on each computer as well. It seemed easiest to use ConfigMgr to handle the distribution and execution of the script which also makes it easy to change, if needed.

I was going to test run the script on a subject machine, when I discovered that the timestamp for both the chosen profile folders and the corresponding NTUSER.DAT files were exactly the same. The time stamp for both was more than one month old and they should have been deleted already, but they were still there. Thus far, I've found articles claiming that either the anti-virus software is to blame or the Windows Update service is to blame. In the test case I was working with, there is active anti-virus software, but the Windows Updates are temporarily disabled through Group Policy settings. But, again, the timestamps don't appear to be changing, anyway. Sounds like a Microsoft glitch, to me, or perhaps I'm misunderstanding something.

Thanks so much for this script, it saved me a ton of troubleshooting time!

@Michael Green Hi,

Can you please explain step by step how you made it work? I created the Computer Policy "delete user profiles older than.." and then I also configured the startup script using the PowerShell script file. But nothing happens.

If you could help I would be glad.

Thanks.

@Joe Friedel I realize you posted this a year and a half ago, but would you mind sharing that PowerShell script that loops through user profiles and updates the ntuser.dat last modified date?

In testing and across several computers I have found that the last modified date of the C:\users\username folder is not always accurate to when the user last logged in. For example, on my computer my folder was last modified in August 2020, and it is now Oct 2020 and I use my account daily. I did test across several user accounts and the only file I found that gave an accurate date of any kind was the C:\Users\username\AppData\Local\IconCache.db file. It has a time stamp of when the user last logged off the computer. In most cases the user profile has this file, and it was the best option I could use to determine whether a profile was being used or not. Unfortunately the delprof2.exe tool was working great until the Windows Updates started modifying the ntuser.dat file for all users, causing this whole problem; the delprof tool would no longer delete profiles older than x days.

To get a list of files in a user profile I ran the below to identify the IconCache.db file. Hope this helps someone, as this thread got me going on the right track.

Get-ChildItem C:\Users\username -Recurse -Hidden | Select-Object FullName, LastWriteTime | Sort-Object -Property LastWriteTime -Descending | Out-File C:\temp\log.txt
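
The timestamp comparison discussed in the posts above, as an added example that is not part of the original thread: a report-only script that lists, for each profile, the NTUSER.DAT, profile folder and IconCache.db write times side by side and flags profiles where only NTUSER.DAT looks recent. The parameter names, the 30-day default and the extra Win32_UserProfile LastUseTime column are assumptions of this example.

```powershell
# Added example: report-only; nothing is modified or deleted.
# $UsersRoot and $MaxAgeDays are assumed parameters of this example.
param(
    [string]$UsersRoot = 'C:\Users',
    [int]$MaxAgeDays = 30
)

$cutoff = (Get-Date).AddDays(-$MaxAgeDays)

# Special = system/service profiles; Loaded = hive currently in use.
$profiles = Get-CimInstance -ClassName Win32_UserProfile |
    Where-Object { -not $_.Special -and $_.LocalPath -like "$UsersRoot\*" }

$report = foreach ($p in $profiles) {
    $folder = Get-Item -LiteralPath $p.LocalPath -Force -ErrorAction SilentlyContinue
    if (-not $folder) { continue }   # profile registered but folder missing

    # Both files are hidden, so -Force is required; either may be absent.
    $dat  = Get-Item -LiteralPath (Join-Path $p.LocalPath 'NTUSER.DAT') -Force -ErrorAction SilentlyContinue
    $icon = Get-Item -LiteralPath (Join-Path $p.LocalPath 'AppData\Local\IconCache.db') -Force -ErrorAction SilentlyContinue

    # Newest of the two alternative indicators proposed in the thread.
    $newestOther = @($folder.LastWriteTime, $icon.LastWriteTime) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1

    [pscustomobject]@{
        Profile       = Split-Path $p.LocalPath -Leaf
        Loaded        = $p.Loaded
        NtUserDat     = $dat.LastWriteTime
        Folder        = $folder.LastWriteTime
        IconCache     = $icon.LastWriteTime
        WmiLastUse    = $p.LastUseTime
        # True when only NTUSER.DAT makes the profile look recently used.
        DatOnlyRecent = [bool]($dat -and $dat.LastWriteTime -ge $cutoff -and $newestOther -lt $cutoff)
    }
}

$report | Sort-Object Folder | Format-Table -AutoSize
```

Run it from an elevated prompt so other users' profile folders are readable; rows with DatOnlyRecent set to True are the profiles the age-based cleanup would skip on the NTUSER.DAT timestamp alone.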
