Does anyone know if NT registry stores the creation time of the key somewhere? Is it exposed via regedt32 or smth like that>
Well, RegQueryInfoKey gives to the time a key or any of its values have been modified. Don't know if the creation time is saved as well (I somehow doubt it).
AFAIK there is no storage of creation time for registry keys, the registry hives have no field for that in the docs, the only cells in a hive are the following, none of which contain a timestamp...
Key cell
Value cell
Subkey-list cell
Value-list cell
Security-descriptor cell
Donkey
Key cell
Value cell
Subkey-list cell
Value-list cell
Security-descriptor cell
Donkey