Skip to main content

Getting registry last write time with PowerShell

All registry keys have a value associated with called the Last Write Time. This is analogous to the last modification time for a file. When ever the registry key or one if its values has been created, modified, or deleted the value is updated to the current local system time. Unfortunately, there is no Last Write Time associated with a registry value, but it can be infered from the Last Write Time of the key.

Here is a PowerShell script to read the Last Write Time for a registry key.


Get-RegKeyLastWriteTime.ps1 <Key> <SubKey>


Get-RegKeyLastWriteTime.ps1 HKLM SOFTWARE\Microsoft\Windows\CurrentVersion


Key                         LastWriteTime
--- -------------
AdminDebug 10/28/2009 7:50:51 PM
App Management 7/14/2009 4:41:12 AM
App Paths 1/22/2010 2:07:18 PM
Applets 7/14/2009 4:41:12 AM
Audio 7/14/2009 4:41:12 AM
Authentication 7/14/2009 4:41:12 AM
BitLocker 7/14/2009 4:41:12 AM


Get-RegKeyLastWriteTime.ps1 Script:

param (	[string] $Key, [string] $SubKey )

switch ($Key) {
"HKCR" { $searchKey = 0x80000000} #HK Classes Root
"HKCU" { $searchKey = 0x80000001} #HK Current User
"HKLM" { $searchKey = 0x80000002} #HK Local Machine
"HKU" { $searchKey = 0x80000003} #HK Users
"HKCC" { $searchKey = 0x80000005} #HK Current Config
default {
#throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"

$KEYREAD = 0x19

$sig1 = @'
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
public static extern int RegOpenKeyEx(
int hKey,
string subKey,
int ulOptions,
int samDesired,
out int hkResult);
$type1 = Add-Type -MemberDefinition $sig1 -Name Win32Utils `
-Namespace RegOpenKeyEx -Using System.Text -PassThru

$sig2 = @'
[DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
extern public static int RegEnumKeyEx(
int hkey,
int index,
StringBuilder lpName,
ref int lpcbName,
int reserved,
int lpClass,
int lpcbClass,
out long lpftLastWriteTime);
$type2 = Add-Type -MemberDefinition $sig2 -Name Win32Utils `
-Namespace RegEnumKeyEx -Using System.Text -PassThru

$sig3 = @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int RegCloseKey(
int hKey);
$type3 = Add-Type -MemberDefinition $sig3 -Name Win32Utils `
-Namespace RegCloseKey -Using System.Text -PassThru

$hKey = new-object int
$result = $type1::RegOpenKeyEx($searchKey, $SubKey, 0, $KEYREAD, [ref] $hKey)

#initialize variables
$builder = New-Object System.Text.StringBuilder 1024
$index = 0
$length = [int] 1024
$time = New-Object Long

#234 means more info, 0 means success. Either way, keep reading
while ( 0,234 -contains $type2::RegEnumKeyEx($hKey, $index++, `
$builder, [ref] $length, $null, $null, $null, [ref] $time) )
#create output object
$o = "" | Select Key, LastWriteTime
$o.Key = $builder.ToString()
$o.LastWriteTime = (Get-Date $time).AddYears(1600)

#reinitialize for next time through the loop
$length = [int] 1024
$builder = New-Object System.Text.StringBuilder 1024

$result = $type3::RegCloseKey($hKey);


Popular posts from this blog

Extracting Users from LinkedIn via Burp

We do a lot of pen tests and red teaming at Red Siege. Part of reconnaissance includes gathering a list of employees from a target organization. Typically, those usernames will be used in either phishing or password spray attacks (trying a few passwords across a long list of users). LinkedIn is a treasure trove of information! I'm going to use my good friends at Black Hills Information Security as my guinea pigs (sorry, and thanks!). The tool is here. First, let's look at what the data from LinkedIn looks like a response.

After performing a search for "Black Hills Information Security" we can look at the requests and responses. LinkedIn includes all the user information in responses to "/voyager/api/mux".

We can click the "Next" button a few times in our search to load multiple pages of info. Now, for the extraction. First, select everything in the "HTTP history" with Ctrl+A or Command+A on macOS. Second, right click in the top portion. …

Beyond Net User - Part 1: Limitations of the "Net" commands

I've had a number of cases where the Windows "net user", "net group", and "net localgroup" have failed me. I've had SQLMap fail to give the last line of "net user" output, I've had "net group /domain" not give me the full names (I still don't get how that failed!). On top of that, the commands don't support wildcards. Also, the output of those commands is a pain to parse due to the columns. I'd much prefer to use the AD PowerShell cmdlets, but those aren't always available. I set to find other ways to get the same data. First, let's look at the limitations of the "net" commands.
Net command limitations Hiding Groups in Groups Often when pen testing and red teaming, we would like to figure out information about the domain, most notably the members of the Domain Admins group. Output of the net group "domain admins" command as shown below.

It shows three members: Administrator, sqlagent,…

Beyond Net User - Part 2: DS Commands

In the previous post we discussed some of the limitations of Net commands. Most notably, the output limitation (doesn't show all groups) and it doesn't allow for flexible searching. In this post we'll discuss the DS commands to get around these limitations.
DSGet, DSQuery, DS* While these tools are useful, they aren't always available. As a pen tester and red teamer, I have to live with what I can find on the systems I come across. I find that these tools are still more widespread than the latest PowerShell Active Directory cmdlets, at least on non-system administrator systems. Here is a useful Stack Overflow post on the subject. Recursive Searches In the last post, we discussed a limitation in net group in that it doesn't show groups in other groups. The DS commands do! As a reminder, let's take a look at what we saw with net group when looking at the list of domain administrators.

Now let's do the same search, but use the dsquery and dsget.
dsquery group -…