How to find the creation date of a local user account?
The data is in the SAM but it doesn't appear to be publicly documented by Microsoft and I'm not finding an official API to retrieve it. I can see, looking at the source code for the chntpw utility, that the value is stored in the "F" registry key for each account. Quoth the source code:
#define USER_F_PATH "\\SAM\\Domains\\Account\\Users\\%08X\\F"
struct user_F {
...
char t_creation[8]; /* Time of account creation */
...
}
The regripper forensics project has a plugin, samparse, that will report the account creation date.
A forensics tool probably isn't what you want, but it looks like Microsoft isn't making it easy.
In researching this I did find it amusing that a Microsoft MVP didn't know that the account creation data is stored in the SAM. To his benefit maybe he isn't aware of the chntpw utility, which is where I started my search for information about undocumented SAM structures.
The only way to actually know would be to have account management auditing enabled on the computer when the account was created. Then, you'd see EventID 4720 in the Event Log at the creation date. (The article says Active Directory, but the same applies to local accounts as well; I checked.)
Without that, the closest you can come is by checking the creation date on the user's registry hive, ntuser.dat file, user profile folder etc., but as mentioned in the comments, this is only accurate regarding the user's first logon, as that's when those things are created.
Unfortunately for you, this is a case of "if you didn't log it, then that information doesn't exist."
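The event-log approach from the answer above, as an added example that is not part of either answer: it reads Event ID 4720 from the local Security log and reports when each account was created and by whom. The function name `Get-LocalAccountCreation` and its `-UserName` parameter are hypothetical; the script assumes an elevated prompt and, for the `auditpol` call, an English-language system.

```powershell
# Added example: list account creations recorded as Security event 4720.
# Run elevated; the Security log is not readable from a standard session.
function Get-LocalAccountCreation {
    [CmdletBinding()]
    param(
        # Hypothetical parameter: restrict output to a single account name.
        [string]$UserName
    )

    try {
        $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720 } -ErrorAction Stop
    }
    catch {
        # Get-WinEvent throws when nothing matches: auditing was off when the
        # account was created, the log has rolled over, or access was denied.
        Write-Warning "No 4720 events available: $($_.Exception.Message)"
        return
    }

    foreach ($e in $events) {
        # The named fields live in the event XML's EventData section.
        $xml  = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        if ($UserName -and $data['TargetUserName'] -ne $UserName) { continue }

        [pscustomobject]@{
            Created   = $e.TimeCreated
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Sid       = $data['TargetSid']
            CreatedBy = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        }
    }
}

# Show whether the audit subcategory that produces 4720 is enabled right now.
auditpol /get /subcategory:"User Account Management"

Get-LocalAccountCreation | Sort-Object Created | Format-Table -AutoSize
```

An empty result does not mean the account is new: it only means no 4720 record for it survives in the current Security log.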