Date on ntuser.dat.LOG


germanshorthairpointer

What can change the date-modified attribute on a user's NTUSER.DAT and
ntuser.dat.LOG? Can anything besides logging in change it, like a
group policy update?

Thanks!

Wesley Vogel

NTUSER.DAT is part of the registry. Depending on which NTUSER.DAT you're
referring to, merely logging on would do it.

The XP registry is made up of the following files.

One NTUSER.DAT for each user on the machine, some templates and repair.
%HOMEDRIVE%\Documents and Settings\Administrator\NTUSER.DAT
%allusersprofile%\ntuser.dat
%HOMEDRIVE%\Documents and Settings\Default User\NTUSER.DAT
%HOMEDRIVE%\Documents and Settings\LocalService\NTUSER.DAT
%HOMEDRIVE%\Documents and Settings\NetworkService\NTUSER.DAT
%userprofile%\NTUSER.DAT
%windir%\SYSTEM32\CONFIG\systemprofile\NTUSER.DAT
%windir%\repair\ has these files...
default
ntuser.dat
sam
security
software
system

All hives are stored in %systemroot%\SYSTEM32\CONFIG. Except
HKEY_CURRENT_USER. That's stored in %userprofile% or
C:\Documents and Settings\Your Name Here.

The major hives and their files are as follows:

Hive                          File         Backup File
HKEY_LOCAL_MACHINE\SOFTWARE   SOFTWARE     SOFTWARE.LOG
HKEY_LOCAL_MACHINE\SECURITY   SECURITY     SECURITY.LOG
HKEY_LOCAL_MACHINE\SYSTEM     SYSTEM       SYSTEM.LOG
HKEY_LOCAL_MACHINE\SAM        SAM          SAM.LOG
HKEY_CURRENT_USER             NTUSER.DAT   ntuser.dat.LOG
HKEY_USERS\.DEFAULT           DEFAULT      DEFAULT.LOG

The paths are listed in this registry key...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\hivelist

Description of the Windows 2000 Registry
http://www.microsoft.com/resources/...000/server/reskit/en-us/regentry/AboutReg.asp

Registry structure
http://www.microsoft.com/technet/pr...elp/28e3337c-70ff-41e1-86ef-2581350712a9.mspx

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User


germanshorthairpointer

I should have been more direct with my question. Basically, I'm
looking into a scenario where someone might be accused of logging into
a machine based on the date modified of the ntuser.dat.log file located
in a user's profile. The following link shows where someone asked a
question on the respective topic.
http://www.tek-tips.com/viewthread.cfm?qid=1266106&page=1 I'll post it
here for simplicity also.

------------------
I was wrongly accused to have logged on a PC yesterday, and as proof,
they exhibited my profile that appeared in the C:\Documents and
Settings\my username.

I did log on to that PC 2 months ago, which I don't deny, as the
local settings, the desktop, my documents, etc. show, with the date of 2
months ago when I first and ONLY TIME logged on to that PC.

However, I NEVER logged onto that PC yesterday; nevertheless, there is
an NTUSER.DAT.LOG file in my profile on that PC, with the date of
yesterday !!!!
-------------------


Basically, I know it's not good evidence, but I want to know why it's
happening... Why or how could the date-modified attribute be changed
without a user logging in?

Thanks for your help!

Wesley Vogel

If you were not logged in, someone else could have opened your NTUSER.DAT or
NTUSER.DAT.LOG.

Better proof would be in the Event Viewer, if Audit account logon
events and/or Audit logon events for Success and Failure are enabled in
Group Policy.

Audit account logon events
Audit logon events
Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy

Audit account logon events
Determines whether to audit each instance of a user logging on to or logging
off from another computer in which this computer is used to validate the
account.

Audit logon events
Determines whether to audit each instance of a user logging on to, logging
off from, or making a network connection to this computer.

I don't know off hand what the Event ID #s are.

--
Hope this helps. Let us know.

Wes
MS-MVP Windows Shell/User
