Getting registry last write time with PowerShell

All registry keys have a value associated with called the Last Write Time. This is analogous to the last modification time for a file. When ever the registry key or one if its values has been created, modified, or deleted the value is updated to the current local system time. Unfortunately, there is no Last Write Time associated with a registry value, but it can be infered from the Last Write Time of the key.

Here is a PowerShell script to read the Last Write Time for a registry key.

Usage:

Get-RegKeyLastWriteTime.ps1 <Key> <SubKey>

Example:

Get-RegKeyLastWriteTime.ps1 HKLM SOFTWARE\Microsoft\Windows\CurrentVersion

Output:

Key                         LastWriteTime
—-                         ——————-
AdminDebug                  10/28/2009 7:50:51 PM
App Management              7/14/2009 4:41:12 AM
App Paths                   1/22/2010 2:07:18 PM
Applets                     7/14/2009 4:41:12 AM
Audio                       7/14/2009 4:41:12 AM
Authentication              7/14/2009 4:41:12 AM
BitLocker                   7/14/2009 4:41:12 AM
...

 

Get-RegKeyLastWriteTime.ps1 Script:

param (	[string] $Key, [string] $SubKey )

switch ($Key) {
    "HKCR" { $searchKey = 0x80000000} #HK Classes Root
    "HKCU" { $searchKey = 0x80000001} #HK Current User
    "HKLM" { $searchKey = 0x80000002} #HK Local Machine
    "HKU"  { $searchKey = 0x80000003} #HK Users
    "HKCC" { $searchKey = 0x80000005} #HK Current Config
    default { 
        #throw "Invalid Key. Use one of the following options HKCR, HKCU, HKLM, HKU, HKCC"
    }
}


$KEYQUERYVALUE = 0x1
$KEYREAD = 0x19
$KEYALLACCESS = 0x3F

$sig1 = @'
[DllImport("advapi32.dll", CharSet = CharSet.Auto)]
  public static extern int RegOpenKeyEx(
    int hKey,
    string subKey,
    int ulOptions,
    int samDesired,
    out int hkResult);
'@
$type1 = Add-Type -MemberDefinition $sig1 -Name Win32Utils `
    -Namespace RegOpenKeyEx -Using System.Text -PassThru

$sig2 = @'
[DllImport("advapi32.dll", EntryPoint = "RegEnumKeyEx")]
extern public static int RegEnumKeyEx(
    int hkey,
    int index,
    StringBuilder lpName,
    ref int lpcbName,
    int reserved,
    int lpClass,
    int lpcbClass,
    out long lpftLastWriteTime);
'@
$type2 = Add-Type -MemberDefinition $sig2 -Name Win32Utils `
    -Namespace RegEnumKeyEx -Using System.Text -PassThru

$sig3 = @'
[DllImport("advapi32.dll", SetLastError=true)]
public static extern int RegCloseKey(
    int hKey);
'@
$type3 = Add-Type -MemberDefinition $sig3 -Name Win32Utils `
    -Namespace RegCloseKey -Using System.Text -PassThru


$hKey = new-object int
$result = $type1::RegOpenKeyEx($searchKey, $SubKey, 0, $KEYREAD, [ref] $hKey)

#initialize variables
$builder = New-Object System.Text.StringBuilder 1024
$index = 0
$length = [int] 1024
$time = New-Object Long

#234 means more info, 0 means success. Either way, keep reading
while ( 0,234 -contains $type2::RegEnumKeyEx($hKey, $index++, `
    $builder, [ref] $length, $null, $null, $null, [ref] $time) )
{
    #create output object
    $o = "" | Select Key, LastWriteTime
    $o.Key = $builder.ToString()
    $o.LastWriteTime = (Get-Date $time).AddYears(1600)
    $o

    #reinitialize for next time through the loop  
    $length = [int] 1024
    $builder = New-Object System.Text.StringBuilder 1024
}

$result = $type3::RegCloseKey($hKey);

 del.icio.us  Stumbleupon  Technorati  Digg 

Posted by Tim Medin at 2/2/2010 5:14 PM
Categories: uncategorized
Tags: PowerShell LastWriteTime Registry
 

What did you think of this article?




Trackbacks
Trackback specific URL for this entry
  • No trackbacks exist for this entry.
Comments
Display comments as (Linear | Threaded)

  • 2/11/2010 5:46 AM Paul wrote:
    Hello,

    I`m trying to find out the date on which a network printer was installed on the workstation. I`m using the registry keys in "HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Devices\" to find this out. Unfortunately the above command does not return the information needed. all i get is " .\Get-RegKeyLastWriteTime.ps1
    HKCU Software\Microsoft\Windows NT\CurrentVersion\Devices

    Key LastWriteTime
    --- -------------
    CurrentVersion 27.01.2010 13:54:08
    Shell 06.01.2010 14:18:47
    ShellNoRoam 06.01.2010 15:02:40
    Reply to this
  • 2/11/2010 10:38 AM Tim Medin wrote:
    The problem is each value does not have a timestamp, just the key. That means that you can't get the detail you want. It just isn't a feature that Windows provides.

    To get the LastWriteTime of the Devices Key run the command at one key higher.

    Get-RegTimestamp.ps1 HKCU "Software\Microsoft\Windows NT\CurrentVersion"

    Key        LastWriteTime
    ---        -------------
    ...
    Devices    2/11/2010 1:31:22 PM
    ...

    Reply to this
Leave a comment

Submitted comments will be subject to moderation before being displayed.

 Enter the above security code (required)

 Name

 Email (will not be published)

 Website

Your comment is 0 characters limited to 3000 characters.