Hi Elise Whitethorn,
How is your issue going? Has it been resolved yet? If it has, please consider accepting the answer as it helps others sharing the same problem benefit too. Thank you :)
VPHAN
Hello,
We are reported with inconsistent telemetry regarding workstation utilization due to a discrepancy in how the operating system tracks account activity. While executing the Get-CimInstance cmdlet to audit the Win32_UserProfile class, we have observed that the LastUseTime timestamp fails to reflect actual recent login events, instead returning stale or erroneous chronological data for every local and domain profile on the machine. We're looking for a technical explanation for this lack of synchronization between the WMI repository and the actual filesystem or registry hive activity, along with a more reliable alternative for determining the true final authentication timestamp on a Windows 10 endpoint. Thank you so much.
Answer accepted by question author
Hi Elise Whitethorn,
The synchronization discrepancy you are experiencing occurs because the Windows User Profile Service updates metadata inside the registry path HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\<SID> whenever a user hive file, NTUSER.DAT, is accessed. The Win32_UserProfile WMI class reads directly from these registry structures. Because automated system processes like background updates, security scans, or backup agents regularly mount these hives to perform maintenance, they update the modification timestamps without an actual interactive user logon occurring. This architecture makes WMI completely unreliable for tracking physical workstation utilization.
To establish an accurate timeline, you must bypass the WMI repository entirely and query the raw auditing data stored within the dedicated security event log file located at %SystemRoot%\System32\Winevt\Logs\Security.evtx. The definitive method for verifying human interaction is targeting Event ID 4624, which tracks successful account logons. Within this log, you must isolate specific authentication contexts using the Logon Type attribute. You need to focus on Logon Type 2 for physical console logons, Logon Type 7 for workstation unlock events, and Logon Type 10 for Remote Desktop connections. Extracting the latest timestamp bound to these specific logon types filters out background system noise and provides the true, precise utilization data you require.
Hope this answer brought you some useful information. If it did, please hit “accept answer”. Should you have any questions, feel free to leave a comment.
VPHAN
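The query described in the answer above, as an added example that is not part of the original post: it reads Event ID 4624 from the Security log, keeps Logon Types 2, 7 and 10, and returns the newest such logon per account. The function name `Get-LastInteractiveLogon`, the `MaxEvents` bound and the SID filter are assumptions made for this sketch.

```powershell
# Added example: last human logon per account from Security event 4624.
# Run in an elevated session; reading the Security log requires it.
function Get-LastInteractiveLogon {
    param(
        [int[]]$LogonType = @(2, 7, 10),   # console, unlock, Remote Desktop
        [int]$MaxEvents = 5000             # assumption: bound on events scanned
    )

    # Filter inside the event log query so only matching 4624 records come back.
    $typeClause = ($LogonType | ForEach-Object { "Data[@Name='LogonType']='$_'" }) -join ' or '
    $xpath = "*[System[EventID=4624] and EventData[$typeClause]]"

    # Get-WinEvent returns newest events first.
    $events = Get-WinEvent -LogName Security -FilterXPath $xpath -MaxEvents $MaxEvents

    $records = foreach ($evt in $events) {
        # Index the EventData fields by their Name attribute.
        $data = @{}
        foreach ($node in ([xml]$evt.ToXml()).Event.EventData.Data) {
            $data[$node.Name] = $node.'#text'
        }

        # Assumption: keep only local/domain user SIDs (S-1-5-21-...). This drops
        # the DWM-n and UMFD-n virtual accounts, which also log on with type 2.
        if ($data['TargetUserSid'] -notlike 'S-1-5-21-*') { continue }

        [pscustomobject]@{
            Account   = '{0}\{1}' -f $data['TargetDomainName'], $data['TargetUserName']
            Sid       = $data['TargetUserSid']
            LogonType = [int]$data['LogonType']
            Time      = $evt.TimeCreated
        }
    }

    # Newest qualifying logon per SID, most recent account first.
    $records | Group-Object Sid | ForEach-Object {
        $_.Group | Sort-Object Time -Descending | Select-Object -First 1
    } | Sort-Object Time -Descending
}

Get-LastInteractiveLogon | Format-Table Account, LogonType, Time -AutoSize
```

The result only reaches back as far as the Security log still retains events, and it depends on success auditing for logon events being enabled on the endpoint.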