Last Password Change

Description: Lists the last time the password of a specific local user has been changed.

Location:

  • C:\Windows\System32\Config\SAM
    • SAM\Domains\Account\Users

Notes: Only the last password change time will be stored in the registry key.

Analysis: Using Registry Explorer by Eric Zimmerman, we can load the SAM registry hive and analyze the SAM\Domains\Accounts\Users key.



A Registry Explorer plug-in does the heavy lifting, allowing us to reference this key to collect information useful for user profiling. The Last Password Change column displays the last password change timestamp. The timestamp is displayed in UTC.