Execution proofs
A set of forensic artifacts that can help indicate that something was run. Unless specified otherwise, a feature applies to all Windows versions (post Windows 2000; there is a limit).
BAM / DAM
Background Activity Moderator (BAM) is a Windows service that controls the activity of background applications. It exists in Windows 10 only from the Fall Creators Update (version 1709) onwards, and it records information that is useful for forensics.
Location
HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
BAM doesn't seem to be available on previous versions
Data available
Full path (key)
Last execution time (value: 64-bit little-endian UTC timestamp of the execution)
Parser
Live: BamParser.ps1
Offline:
UserAssist
On a Windows system, every GUI-based program launched from Explorer is tracked in this registry key. Programs started from the command line do not appear in this key.
Location
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Data available
Full path
Last run time
Run count
The entry names are encoded with ROT13.
By default on some Windows 10 systems UserAssist is disabled. The exact condition is not yet known, but if UserAssist is enabled then the following value is set to 1:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled
Some known GUIDs:
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}: list of apps, files, links and other objects accessed
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}: list of LNK files
Parser
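The BAM and UserAssist entries above are both "path + little-endian 64-bit timestamp" records, so one small decoder covers them. This is an added example, not a parser from the page: it assumes the Windows 7+ 72-byte UserAssist value layout (run count at offset 4, last-run FILETIME at offset 60) and that the first 8 bytes of a BAM value are the FILETIME; the sample values are constructed, not captured from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks: int) -> datetime:
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to datetime."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601  # integer arithmetic keeps the 100-ns resolution exact
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def decode_userassist(value_name: str, data: bytes) -> dict:
    """One entry of ...\\UserAssist\\{GUID}\\Count (Windows 7+ 72-byte layout).

    The value name is the ROT13-encoded path; run count sits at offset 4,
    focus count at 8, focus time (ms) at 12 and the last-run FILETIME at 60.
    A zero FILETIME means the entry was indexed but never run.
    """
    if len(data) < 68:
        raise ValueError("unexpected UserAssist value size: %d" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    last = struct.unpack_from("<Q", data, 60)[0]
    return {"path": codecs.decode(value_name, "rot_13"), "run_count": run_count,
            "focus_count": focus_count, "focus_time_ms": focus_ms,
            "last_run": filetime_to_utc(last) if last else None}

def decode_bam(value_name: str, data: bytes) -> dict:
    """One entry of ...\\Services\\bam\\State\\UserSettings\\{SID}.

    The value name is the full path; the first 8 bytes of data hold the
    last-execution FILETIME (little-endian, UTC).
    """
    if len(data) < 8:
        raise ValueError("BAM value too short: %d bytes" % len(data))
    return {"path": value_name, "last_run": filetime_to_utc(struct.unpack_from("<Q", data)[0])}

# Constructed sample values (not captured from a real system).
SAMPLE_TIME = datetime(2021, 3, 4, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_UA_NAME = codecs.encode(r"C:\Windows\System32\mspaint.exe", "rot_13")
SAMPLE_UA_DATA = (struct.pack("<IIII", 0, 7, 3, 12345) + b"\x00" * 44
                  + struct.pack("<Q", utc_to_filetime(SAMPLE_TIME)) + b"\x00" * 4)
SAMPLE_BAM_DATA = struct.pack("<Q", utc_to_filetime(SAMPLE_TIME)) + b"\x00" * 16

if __name__ == "__main__":
    print(decode_userassist(SAMPLE_UA_NAME, SAMPLE_UA_DATA))
    print(decode_bam(r"\Device\HarddiskVolume2\Windows\System32\mspaint.exe", SAMPLE_BAM_DATA))
```

On a live system the same functions can be fed the raw values read with winreg; offline, feed them the values extracted from an exported NTUSER.DAT or SYSTEM hive.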
RecentApps
Program executions on a Windows 10 system are tracked in the RecentApps key. Some releases do not include RecentApps.
Location
HKCU\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
HKCU\Software\Microsoft\Windows\CurrentVersion\Search\JumpListData
Data available
Full path (key)
Last execution time (value: 64-bit little-endian UTC timestamp)
Launch count
Some entries have subkeys which correspond to the files accessed by the application
Notes
Some testing shows that the last execution timestamp does not accurately reflect reality: the timestamps are updated immediately but do not match the actual time of execution (they are off by some hours and minutes).
Parser
ShimCache / AppCompatCache
The Windows Application Compatibility database is a Windows feature, present since Windows XP, used for forward and backward compatibility. It records shimmed executables in a registry key.
An entry in the ShimCache doesn't mean it was executed unless the execution flag is set! The execution flag is only valid from Windows 7 to Windows 8.1. For Windows 10 and 11, an entry in the ShimCache is not a proof of execution.
Windows shims applications browsed with Explorer. Moreover, it records applications that are merely visible in an Explorer window.
Location
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
1024 entries before rotation
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache (Windows XP)
96 entries before rotation
Data available
Full path
File size
$SI Modification date of the executable
Process execution flag (Win 7,8,8.1)
Parsers
Amcache
ProgramDataUpdater (a task associated with the Application Experience service) uses the registry hive file Amcache.hve to store data during process creation (starting from Windows 8).
Location
%WinDir%\AppCompat\Programs\AmCache.hve
%WinDir%\AppCompat\Programs\appraiser\*

%WinDir%\AppCompat\Programs\AmCache.hve
%WinDir%\AppCompat\Programs\Install\*
%WinDir%\AppCompat\Programs\AEINV_PREVIOUS.xml
%WinDir%\AppCompat\Programs\FullCompatReport.xml

%WinDir%\AppCompat\Programs\RecentFileCache.bcf
%WinDir%\AppCompat\Programs\AEINV_PREVIOUS.xml
AmCache doesn't seem to be available on other versions
Data available
The available data varies a lot with the version; ANSSI published a detailed article about it.
On the latest versions, the following is found:
Full path of the application
Size of the application
SHA1 of the application
Date of creation and modification
Compilation time (depending on the key)
First Run Time = Last Modification Time of Key
AmCache is a hive that contains 4 keys:
File: contains the GUIDs of the volumes, with each subkey being a PE with all its data
Program: concerns all the installed programs which have an entry under \SOFTWARE\Microsoft\Windows\CurrentVersion\(Uninstall|Install); references subkeys in File
Orphan: concerns files that are not linked to a program; references subkeys in File
An entry in the AmCache doesn't mean it was executed, unless it is in the Orphan key
The files that are part of a program or that need shimming are saved in AmCache
Parsers
Prefetch
Windows Prefetch files are designed to speed up application startup as well as boot time. They are stored in the following path:
Location
%windir%\Prefetch
Data available
Prefetch files
Full path
Hash of the path from which the application was run (for certain applications, such as rundll32 or svchost, the command line is included in the hash)
MAC timestamps of the application
Number of executions
Timestamps of the last 8 executions (only the last run if version < Windows 8)
Volume information (path, serial, timestamp)
Files and directories used by the application during its first 10 seconds of execution (this is an upper limit; the window may be shorter depending on the application)
layout.ini
List of DLL
The creation date of the prefetch file corresponds to the first execution of the application, and its modification date to the last execution. This allows a quick assessment without having to parse the prefetch files.
Prefetch is not enabled by default on the server versions!
Prefetch can be disabled with the following key:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher | Superfetcher
0 = Disabled / 1 = Application Prefetch / 2 = Boot Prefetch / 3 = App + Boot (default)
A known bypass of prefetch registration is to set this key to 0, run the target application, then set the key back to 3. The modification date of the key would reveal such an operation. On Windows 10+, this requires a reboot, so it is not very useful from an attacker's point of view.
Parser
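A header parser for the prefetch format described above, added here as an example (not a tool from the page). It reads the uncompressed Vista/7 (version 23) and Windows 8/8.1 (version 26) layouts, whose field offsets are taken from the public format documentation and are an assumption of this example; Windows 10+ files are LZXPRESS-Huffman compressed ("MAM" signature) and must be decompressed first. The sample header and its hash are constructed, not a real capture.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (stored run-time slots, run-count offset); 23 = Vista/7, 26 = Win8/8.1
LAYOUTS = {23: (1, 152), 26: (8, 208)}

def filetime_to_utc(ticks: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)

def utc_to_filetime(dt: datetime) -> int:
    d = dt - EPOCH_1601
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_prefetch(buf: bytes) -> dict:
    """Read the header of an uncompressed .pf file (version, name, hash, runs)."""
    if buf[:3] == b"MAM":  # Windows 10+ files are LZXPRESS-Huffman compressed
        raise ValueError("compressed prefetch file: decompress before parsing")
    version, sig = struct.unpack_from("<I4s", buf, 0)
    if sig != b"SCCA" or version not in LAYOUTS:
        raise ValueError("unsupported prefetch version %r" % version)
    slots, count_off = LAYOUTS[version]
    exe = buf[16:76].decode("utf-16-le").split("\x00", 1)[0]  # 60-byte UTF-16 name
    path_hash = struct.unpack_from("<I", buf, 76)[0]
    raw = struct.unpack_from("<%dQ" % slots, buf, 128)  # zero slots are unused
    return {"version": version, "executable": exe, "hash": "%08X" % path_hash,
            "run_count": struct.unpack_from("<I", buf, count_off)[0],
            "run_times": [filetime_to_utc(t) for t in raw if t]}

def name_matches(filename: str, parsed: dict) -> bool:
    """The on-disk name is EXE-HASH.pf; a mismatch with the header is suspicious."""
    return filename.upper() == "%s-%s.PF" % (parsed["executable"].upper(), parsed["hash"])

def build_sample_v26() -> bytes:
    """Constructed Windows 8.1-style header (not a real capture); hash is made up."""
    b = bytearray(308)  # 84-byte header + 224-byte file information block
    struct.pack_into("<I4s", b, 0, 26, b"SCCA")
    struct.pack_into("<I", b, 12, len(b))
    b[16:32] = "CALC.EXE".encode("utf-16-le")
    struct.pack_into("<I", b, 76, 0x12345678)
    last = datetime(2020, 5, 1, 8, 30, tzinfo=timezone.utc)
    runs = [utc_to_filetime(last - timedelta(days=i)) for i in range(3)]
    struct.pack_into("<3Q", b, 128, *runs)  # newest first, five slots left empty
    struct.pack_into("<I", b, 208, 12)
    return bytes(b)

if __name__ == "__main__":
    info = parse_prefetch(build_sample_v26())
    print(info, name_matches("CALC.EXE-12345678.pf", info))
```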
SRUM / SRUDB
System Resource Usage Monitor: it monitors resource consumption for 30 to 60 days.
Location
%windir%\system32\sru\SRUDB.dat
While running, Windows temporarily stores this data in the SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions registry key and writes it to SRUDB.dat at shutdown.
SRUDB is an ESE Database.
Data available
Full path
Date of analysis by Windows
SID of the user starting the application
Resource information (CPU, Network, etc)
Timestamp corresponding to the time of flush in the ESE db file
Parser
Windows 10 Timeline
Windows Timeline is a feature offered to the users to have an overview of their recent activities.
Location
drive:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\L.<profile>\ActivitiesCache.db
Data available
Application name or full path
Username (since it's from the profile)
Activity type (CopyPaste, InFocus, ExecuteOpen, etc)
Start and end time of the activity
Parser
ActivitiesCache.db is a SQLite3 database, so any SQLite client will do!
Drive:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\random.cdp contains the settings indicating which Timeline data is synced to Microsoft. The folder with the <random> name contains the data itself.
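Since ActivitiesCache.db is plain SQLite, the "data available" list above maps to one query over the Activity table. This added example (not from the page) builds a constructed in-memory stand-in with a subset of the real table's columns; it assumes StartTime/EndTime are Unix epoch seconds, that AppId is a JSON list of {"application", "platform"} entries, and the commonly documented ActivityType codes (5 ExecuteOpen, 6 InFocus, 10/16 clipboard), which are an assumption here.

```python
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType codes as commonly documented by Timeline researchers (assumption).
ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus", 10: "Clipboard", 16: "CopyPaste"}

# StartTime/EndTime are Unix epoch seconds; AppId is a JSON list of
# {"application": ..., "platform": ...} entries (x_exe_path, packageId, ...).
QUERY = """SELECT AppId, ActivityType, StartTime, EndTime
           FROM Activity WHERE StartTime BETWEEN ? AND ? ORDER BY StartTime"""

def app_from_appid(app_id: str) -> str:
    entries = json.loads(app_id)
    for platform in ("x_exe_path", "windows_win32", "packageId"):  # prefer a full path
        for e in entries:
            if e.get("platform") == platform and e.get("application"):
                return e["application"]
    return entries[0].get("application", "") if entries else ""

def list_activities(conn, start=0, end=2**31 - 1):
    rows = []
    for app_id, atype, t_start, t_end in conn.execute(QUERY, (start, end)):
        rows.append({
            "app": app_from_appid(app_id),
            "type": ACTIVITY_TYPES.get(atype, "Unknown(%d)" % atype),
            "start": datetime.fromtimestamp(t_start, tz=timezone.utc),
            "end": datetime.fromtimestamp(t_end, tz=timezone.utc) if t_end else None,
        })
    return rows

def build_sample_db():
    """Constructed in-memory stand-in for ActivitiesCache.db (subset of the
    real Activity table columns; all values are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Activity (Id BLOB, AppId TEXT, ActivityType INT, "
                 "StartTime INT, EndTime INT, LastModifiedTime INT, Payload BLOB)")
    notepad = json.dumps([{"application": r"C:\Windows\System32\notepad.exe", "platform": "x_exe_path"},
                          {"application": "", "platform": "alternateId"}])
    conn.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?, ?, ?, ?)", [
        (b"\x01", notepad, 5, 1600000000, 0, 1600000000, None),
        (b"\x02", notepad, 6, 1600000100, 1600000400, 1600000400, None),
        (b"\x03", notepad, 11, 1600000500, 0, 1600000500, None),
    ])
    return conn

if __name__ == "__main__":
    for row in list_activities(build_sample_db()):
        print(row)
```

Against a real copy of ActivitiesCache.db, replace build_sample_db() with sqlite3.connect(path) and narrow the window with the start/end arguments.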