QUESTION :
Is there any sort of date tracking that is done or viewable in the Windows registry, such as seeing the date when X key was created, or Y key was modified, similar to how file systems track?
I’m trying to find changes that were made to specific areas of the registry during certain date ranges, and it would be fantastic if there was a way to work with date data.
ANSWER :
Registry keys have a last-modified timestamp. You can use Regedit to export a key,
selecting the “.txt” output format. That text file will contain the last modified
date&time.
NirSoft’s RegScanner utility allows one to filter selected registry keys by
ranges of the last-modified timestamp.
There are a number of forensics-related scripts online that can help accomplish this. If you know the key(s) and there’s a reasonable number, you can also export them to a .txt file in the registry editor. The LastWrite date/time will be there.