I didn't know the answer to this before reading your post, so thank you for teaching me something new
I ran the "net user" command under Sysinternals' excellent Regmon tool:http://www.sysinternals.com/utilities/regmon.html
(I also used Filemon but the results weren't edifying at all).
Try it yourself and see if you see something I don't, but it appears to me that the information is being queried (as one might have expected) from the Security Accounts Manager (SAM) portion of the registry at HKLM\SAM\SAM , which is locked by the kernel even from read access for obvious security reasons.
There might be a better way to hack together what you are looking for, if you give me some more information about what you actually want to do. You want to see how long a given user has been logged in for? Or you just want to know when the user last logged in, and out, or what?