Last Password Change
Description: Lists the last time the password of a specific local user has been changed.
Location:
- C:\Windows\System32\Config\SAM
- SAM\Domains\Account\Users
Notes: Only the last password change time will be stored in the registry key.
Analysis:
Using Registry Explorer by Eric Zimmerman, we can
load the SAM registry hive and analyze the SAM\Domains\Accounts\Users key.
A Registry Explorer plug-in does the heavy lifting, allowing us to reference this key to collect
information useful for user profiling. The Last Password Change column displays the last
password change timestamp. The timestamp is displayed in UTC.
