Win32_UserProfile - LastUseTime doesn't appear accurate?

    Question

  • I'm trying to write a script to delete user profiles in our enterprise.  I thought I had a great one working and even deployed it in our test environment only to find that when I look at C:\Users, there are profiles with LastModifiedDates significantly longer than I specified.  So of course, to rule out my script, I returned a handful of users whose folder dates were greater than 60 days old (the threshold my script was running at) and sure enough, Win32_UserProfile's LastUseTime for those profiles is significantly different than some of the users' profile folders' last modified dates. 

    Can anyone explain this?  Does anyone know where the Win32_UserProfile LastUseTime property is calculated from?  It seems that the folder's lastmodified date would be more accurate... ??

    Friday, June 29, 2012 11:55 AM

Answers

  • Here is what I am trying to show. It may take a few systems to see what is happening.

    I will post the code for this as soon as I clean it up.

    PS>Get-ProfileInfo|select ntaccount,LastUseDays, UserDATDays, FOlderDays|ft -auto

    NTAccount                 LastUseDays UserDATDays FolderDays
    ---------                 ----------- ----------- ----------
                                       96          96        283
                                      283         283        283
    WS101\QBDataServiceUser20         143         143        148
    WS101\admin                       147         147        526
    SEC\testuser2                       9           9         18
    SEC\prince                          1           1          1
    SEC\jsmithy                         0           0         37
    SEC\smithanjon                      5           5          8
    WS101\NETWORK SERVICE               5           5          5
    WS101\LOCAL SERVICE                 5           5       1080
    WS101\SYSTEM

    LastUseDays and NTUSER.DAT days always agree.  FolderDays can be very old.  I know it isn't because some of those accounts I have used.  Look at the LocalService account folder.  It was logged out of 5 days ago when I rebooted the machine but the FolderDays says 1080.  That is because LocalSystem never changes the special folders and it does not use them. That folder can be as old as the system.

    The folder only gets updated when certain underlying folders get updated.   Remember that this is not really a file system but it is a "profile" store.  It is loaded with super hidden files and folders.  There is a lot of very hidden activity.

    The profile API is correct.  It is the one that Microsoft uses.


    ¯\_(ツ)_/¯



    Friday, June 29, 2012 8:00 PM
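
The three-way comparison in the answer above can be reproduced with a short report function. This is an added example, not jrv's Get-ProfileInfo (which is not posted in the thread): the name Get-ProfileAge and the extra Special, Loaded and LocalPath columns are assumptions of this example, and it reads the local machine only.

```powershell
# Added example: hypothetical helper, not the Get-ProfileInfo function from the thread.
# Local machine only; Windows PowerShell 3.0-5.1 (Get-WmiObject, [pscustomobject]).
function Get-ProfileAge {
    $now = Get-Date
    # Whole days between a timestamp and now; $null when the timestamp is missing.
    $days = { param($t) if ($t) { [int][math]::Floor(($now - $t).TotalDays) } }

    foreach ($p in Get-WmiObject -Class Win32_UserProfile) {
        if (-not $p.LocalPath) { continue }

        # Resolve the SID to DOMAIN\user; SIDs that no longer resolve stay blank.
        $account = $null
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($p.SID)
            $account = $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { }

        # LastUseTime is a DMTF datetime string and can be empty.
        $lastUse = $null
        if ($p.LastUseTime) {
            $lastUse = [System.Management.ManagementDateTimeConverter]::ToDateTime($p.LastUseTime)
        }

        # NTUSER.DAT is hidden, so -Force is required to see it.
        $dat = Get-Item -LiteralPath (Join-Path $p.LocalPath 'NTUSER.DAT') -Force -ErrorAction SilentlyContinue
        $dir = Get-Item -LiteralPath $p.LocalPath -Force -ErrorAction SilentlyContinue

        [pscustomobject]@{
            NTAccount   = $account
            LastUseDays = & $days $lastUse
            UserDatDays = if ($dat) { & $days $dat.LastWriteTime }
            FolderDays  = if ($dir) { & $days $dir.LastWriteTime }
            Special     = $p.Special
            Loaded      = $p.Loaded
            LocalPath   = $p.LocalPath
        }
    }
}

# Report only; nothing is deleted.
Get-ProfileAge | Sort-Object LastUseDays -Descending | Format-Table -AutoSize
```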

All replies

  • Last Modified date is altered by the system frequently.  The policy files and other things are adjusted periodically.

    The profile dates are likely stored in SAM or they are stored inside the user's hive.

    I just checked some hives and they are nearly always newer than the folder.  Also if you RunAs with no profile the hive will not be touched yet the system will know what last used is.


    ¯\_(ツ)_/¯

    Friday, June 29, 2012 12:59 PM
  • thanks for the clarification jrv... so, are you saying that the folder date should be used or the user hive date?
    Friday, June 29, 2012 1:07 PM
  • I don't think either one will be accurate.

    ¯\_(ツ)_/¯

    Friday, June 29, 2012 1:58 PM
  • well unless someone has a better suggestion, i think i'm going to mod my script to do a check on the date based off of the folder's modification time rather than the lastusetime.  at least i know that time is updated when the user actually logs in.  it may get updated by other processes as well but at least in 95+% of the cases, when someone looks at a "profile's age", they're looking at the user's folder date in my experience.
    Friday, June 29, 2012 2:06 PM
  • The folder time is not updated every time the user logs in.  I just scanned a batch of XP folders and they were all off by days.  I know because I know when I last logged into those accounts.

    The lastuse time is going to be the most accurate.


    ¯\_(ツ)_/¯


    • Edited by jrv Friday, June 29, 2012 2:42 PM
    Friday, June 29, 2012 2:42 PM
  • hmm.. that's interesting because in my 5 rdp windows (all to 2K8R2 servers) and my win7pro desktop, my folder's mod date appears to be updating as expected.  i wonder if what you're seeing is specific to xp...
    Friday, June 29, 2012 2:50 PM
  • Yes it is,

    You will also find in time that the file dates will get changed by the system for many reasons.  This is why I suggest that the date is kept someplace like SAM.


    ¯\_(ツ)_/¯

    Friday, June 29, 2012 2:56 PM
  • I just checked numerous accounts on Win7.  The folder is very often much older than the ntuser.dat file.  NTUSER.DAT on all looked to reflect the actual logoff time.  Maybe some time later I will try and pull logons from the Eventlog and match them with the ntuser.dat file.

    I did just do a quicky on some old profiles.  LastUseTime agrees exactly with the timestamp on NTUSER.DAT.  Now I will look for how many have timestamps that are different.


    ¯\_(ツ)_/¯


    • Edited by jrv Friday, June 29, 2012 3:10 PM
    Friday, June 29, 2012 3:07 PM
  • Good call... that does seem to be the case.  I've validated on numerous profiles that the ntuser.dat file is what is being used to determine the lastusetime property.  however, ntuser.dat gets updated on backup operations regardless of the user actually logging into the profile.  For that, it seems that the folder mod time is still more reliable -- at least, in what I've seen so far.

    Friday, June 29, 2012 4:16 PM
  • That is correct.  Anything that alters the attributes or the security will alter the time.  Backup changes the archive bit.

    You will eventually discover that the time in the LastUse is the correct number as it is taken from the internal accounting logs for the system and not from the files.  I am not sure at this time if it gets changed if something runs the account with no profile as the times are the times the profile was last loaded into the registry.

    There is also a log file in the system area that tracks logons.  It may be getting the time from that log.


    ¯\_(ツ)_/¯

    Friday, June 29, 2012 4:27 PM
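  • $Threshold = -60   # days; negative so AddDays() moves back in time
    $Cutoff = (Get-Date).AddDays($Threshold)
    # Folders under C:\Users whose LastAccessTime is older than the cutoff
    $UserProfileFolders = Get-ChildItem "$($env:SystemDrive)\Users" | ? { $_.LastAccessTime -lt $Cutoff } | Select Name,FullName,LastAccessTime
    # Collect the stale folder paths once instead of on every loop iteration
    $StalePaths = @($UserProfileFolders | Select -Expand FullName)
    $WmiUserProfiles = Get-WmiObject Win32_UserProfile
    # Delete each WMI profile whose LocalPath matches a stale folder
    $WmiUserProfiles | % {
        if ($StalePaths -contains $_.LocalPath) {
            $_.Delete()
        }
    }

    This is what I'm going to test for a while. If anyone has any better ideas since LastUseTime isn't valid for me, I'd appreciate any updates.  Thx.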
    Friday, June 29, 2012 6:10 PM