Execution proofs

A set of forensic artifacts that can help indicate that something was run. Unless specified otherwise, a feature applies to all Windows versions (post Windows 2000; there is a limit).

BAM / DAM

Background Activity Moderator - BAM is a Windows service that controls the activity of background applications. This service exists in Windows 10 only since the Fall Creators Update (version 1709), and it records information that is useful for forensics. DAM (Desktop Activity Moderator) uses the same key layout under Services\dam.

Location

HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}

Data available

  • Full path (key)

  • Last execution time (value: little-endian 64-bit FILETIME, UTC)

Parser

UserAssist

On a Windows system, every GUI-based program launched from Explorer is tracked in this registry key. Programs started from the command line are not recorded here.

Location

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Data available

  • Full path

  • Last run time

  • Run count

  • The value names (the paths) are ROT13-encoded.

  • On some Win10 systems UserAssist is disabled by default. The exact condition is not yet known, but when UserAssist is enabled the following registry value is set to 1: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackEnabled

  • Some known GUIDs:

    • {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}: list of apps, files, links and other objects accessed

    • {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}: list of shortcut (LNK) files
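Both BAM and UserAssist store their last-run time as a little-endian 64-bit UTC FILETIME, and UserAssist additionally hides the path behind ROT13. The following decoder is an added example (not code from the original page); it assumes the documented 72-byte Windows 7+ UserAssist value layout (run count at offset 4, FILETIME at offset 60) and builds its own constructed sample values rather than reading a real hive:

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100-ns ticks since 1601-01-01 UTC, stored as a little-endian 64-bit integer.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode the little-endian 64-bit UTC FILETIME used by BAM and UserAssist values."""
    (ticks,) = struct.unpack("<Q", raw[:8])
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> bytes:
    """Inverse of filetime_to_datetime; used below only to build constructed samples."""
    micros = (dt - EPOCH_1601) // timedelta(microseconds=1)
    return struct.pack("<Q", micros * 10)


def parse_bam_value(raw: bytes) -> datetime:
    """BAM UserSettings\\{SID} values: the value name is the full path of the
    executable and the last-execution FILETIME sits at offset 0 of the data."""
    return filetime_to_datetime(raw)


def parse_userassist_entry(name: str, raw: bytes) -> dict:
    """UserAssist\\{GUID}\\Count entries: the value name is ROT13-encoded; the data is
    the 72-byte Windows 7+ layout with the run count at offset 4 and the last-run
    FILETIME at offset 60 (layout assumed here; it is not stated on the page)."""
    if len(raw) < 68:
        raise ValueError("UserAssist value too short: %d bytes" % len(raw))
    (run_count,) = struct.unpack_from("<I", raw, 4)
    return {
        "path": codecs.decode(name, "rot_13"),
        "run_count": run_count,
        "last_run": filetime_to_datetime(raw[60:68]),
    }


# Constructed sample data (not taken from a real hive).
SAMPLE_LAST_RUN = datetime(2023, 4, 5, 12, 30, 0, tzinfo=timezone.utc)
SAMPLE_BAM_VALUE = datetime_to_filetime(SAMPLE_LAST_RUN) + b"\x00" * 16
SAMPLE_UA_NAME = codecs.encode("C:\\Windows\\System32\\cmd.exe", "rot_13")
SAMPLE_UA_VALUE = (
    struct.pack("<IIII", 0, 7, 3, 45000)  # session id, run count, focus count, focus ms
    + b"\x00" * 44                        # ten floats plus one unknown dword
    + datetime_to_filetime(SAMPLE_LAST_RUN)
    + b"\x00" * 4
)
```

On a live system the value names and data come from winreg; on an offline hive, from a hive parser such as python-registry or regipy, which this example deliberately does not depend on.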

Parser

RecentApps

Program execution on a Win10 system is tracked in the RecentApps key. Some releases do not include RecentApps.

Location

HKCU\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps

HKCU\Software\Microsoft\Windows\CurrentVersion\Search\JumpListData

Data available

  • Full path (key)

  • Last execution time (value: little-endian 64-bit FILETIME, UTC)

  • Launch count

  • Some entries have subkeys that correspond to files accessed by the application

Notes

Testing shows that the last execution timestamp does not accurately reflect reality: it is updated immediately, but it does not match the actual time of execution (it is off by some hours and minutes).

Parser

ShimCache / AppCompatCache

The Windows Application Compatibility database is a Windows feature (since Windows XP) used for forward and backward compatibility. It records shimmed executables in a registry key.

An entry in the ShimCache does not mean the file was executed unless the execution flag is set! The execution flag only exists from Windows 7 to Windows 8.1. On Windows 10 and 11, an entry in the ShimCache is not proof of execution.

Windows shims applications browsed with Explorer; it even registers executables that are merely visible in an Explorer window.

Location

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

The cache holds 1024 entries before rotation.

Data available

  • Full path

  • File size

  • $STANDARD_INFORMATION ($SI) modification date of the executable

  • Process execution flag (Win 7, 8, 8.1)

Parsers

Amcache

ProgramDataUpdater (a task associated with the Application Experience service) uses the registry hive file Amcache.hve to store data during process creation (starting from Windows 8).

Location

  • %WinDir%\AppCompat\Programs\AmCache.hve

  • %WinDir%\AppCompat\Programs\appraiser\*

Data available

The data available depends heavily on the Windows version. ANSSI published a detailed article on the subject.

On the latest versions, the following is found:

  • Full path of the application

  • Size of the application

  • SHA1 of the application

  • Date of creation and modification

  • Compilation time (depending on the key)

  • First run time = last modification time of the key

  • AmCache is a hive that contains 4 keys:

    • File: contains the volume GUIDs; each subkey is a PE file with all of its data

    • Program: covers all installed programs that have an entry under \SOFTWARE\Microsoft\Windows\CurrentVersion\(Uninstall|Install); references subkeys in File

    • Orphan: covers files that are not linked to a program; references subkeys in File

  • An entry in AmCache does not mean the file was executed, unless it is in the Orphan key

  • Files that are part of a program, or that need shimming, are saved in AmCache

Parsers

Prefetch

Windows Prefetch files are designed to speed up application startup as well as boot time. The Prefetch files are stored in the following path.

Location

%windir%\Prefetch

Data available

Prefetch files

  • Full path

  • Hash of the path from which the application was run (for certain applications, such as rundll32 or svchost, the command line is included in the hash)

  • MAC timestamps of the application

  • Number of executions

  • Last 8 execution timestamps (last run only if version < Win 8)

  • Volume information (path, serial, timestamp)

  • Files and directories used by the application in its first 10 s of execution. This is an upper limit; the window may be shorter depending on the application.

layout.ini

  • List of DLLs

The creation date of a prefetch file corresponds to the first execution of the application, and its modification date to the last execution. This allows a quick triage without having to parse the prefetch files.

Prefetch is not enabled by default on server versions!

Prefetch can be disabled with the following value: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher | Superfetcher
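When the file timestamps are not enough (for instance to recover the run count or the last eight run times), the fixed header of an uncompressed .pf file can be parsed directly. This is an added example, not a tool from the page; it assumes the commonly documented SCCA header offsets for format versions 23 (Win7, one last-run time) and 26 (Win8.1, eight run times), and it builds constructed header-only samples for testing. Windows 10+ files start with an LZXPRESS-Huffman "MAM" header and must be decompressed first:

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Offsets in the uncompressed .pf header (assumed from the documented SCCA layout):
RUN_TIMES_OFFSET = 128
RUN_COUNT_OFFSET = {23: 152, 26: 208}   # version 23 = Win7, 26 = Win8.1


def filetime(ticks: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def to_ticks(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_prefetch_header(data: bytes) -> dict:
    """Return name, path hash, run count and run timestamps from a .pf header."""
    if data[:3] == b"MAM":
        raise ValueError("Windows 10+ prefetch is LZXPRESS-Huffman compressed; decompress first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in RUN_COUNT_OFFSET:
        raise ValueError("unsupported or invalid prefetch header (version %d)" % version)
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (path_hash,) = struct.unpack_from("<I", data, 76)
    # Win7 keeps a single last-run time; Win8+ keeps the last eight (unused slots are 0).
    slots = 1 if version == 23 else 8
    ticks = struct.unpack_from("<%dQ" % slots, data, RUN_TIMES_OFFSET)
    (run_count,) = struct.unpack_from("<I", data, RUN_COUNT_OFFSET[version])
    return {"version": version, "name": name, "hash": "%08X" % path_hash,
            "run_count": run_count, "run_times": [filetime(t) for t in ticks if t]}


def build_sample(version: int, name: str, path_hash: int, run_count: int, runs: list) -> bytes:
    """Construct a header-only blob for testing (sample data, not a real .pf file)."""
    buf = bytearray(320)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    buf[16:16 + 2 * len(name)] = name.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, path_hash)
    struct.pack_into("<%dQ" % len(runs), buf, RUN_TIMES_OFFSET, *map(to_ticks, runs))
    struct.pack_into("<I", buf, RUN_COUNT_OFFSET[version], run_count)
    return bytes(buf)


SAMPLE_RUNS = [datetime(2023, 4, 5, 12, 30, tzinfo=timezone.utc),
               datetime(2023, 4, 6, 8, 15, tzinfo=timezone.utc)]
SAMPLE_WIN8 = build_sample(26, "CMD.EXE", 0x1234ABCD, 12, SAMPLE_RUNS)   # constructed hash
SAMPLE_WIN7 = build_sample(23, "CMD.EXE", 0x1234ABCD, 3, SAMPLE_RUNS[:1])
```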

0 = Disabled / 1 = Application Prefetch / 2 = Boot Prefetch / 3 = App + Boot (default)

A standard bypass of prefetch registration is to set this value to 0, run the target application, and then set it back to 3. The modification date of the key would reveal such an operation. On Windows 10+, the change requires a reboot, so it is not very useful from an attacker's point of view.

Parser

SRUM/SRUB

System Resource Usage Monitor: it records resource consumption for 30 to 60 days.

Location

%windir%\system32\sru\SRUDB.dat

While running, Windows temporarily stores this data in the registry under SOFTWARE\Microsoft\Windows NT\CurrentVersion\SRUM\Extensions and writes it to SRUDB.dat at shutdown.

SRUDB.dat is an ESE (Extensible Storage Engine) database.

Data available

  • Full path

  • Date of analysis by Windows

  • SID of the user starting the application

  • Resource information (CPU, network, etc.)

  • Timestamp corresponding to the time of the flush into the ESE database file

Parser

Windows 10 Timeline

Windows Timeline is a feature offered to users to give them an overview of their recent activities.

Location

drive:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\L.<profile>\ActivitiesCache.db

Data available

  • Application name or full path

  • Username (derived from the profile path)

  • Activity type (CopyPaste, InFocus, ExecuteOpen, etc.)

  • Start and end time of the activity

Parser

ActivitiesCache.db is an SQLite3 database, so any SQLite client will do!

Drive:\Users\<profile>\AppData\Local\ConnectedDevicesPlatform\<random>.cdp contains the settings indicating which Timeline data is synced to Microsoft. The folder with the same <random> name contains the data itself.
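Since ActivitiesCache.db is plain SQLite, a short query is enough to pull the execution-related activities out of it. The following is an added example (not from the page); it assumes the ActivityType codes 5 = ExecuteOpen, 6 = InFocus and 16 = CopyPaste used by common Timeline parsers, a subset of the real Activity table columns, Unix epoch seconds in StartTime/EndTime, and the AppId JSON list whose x_exe_path entry carries the full path. It runs against a constructed in-memory copy instead of a real profile:

```python
import json
import sqlite3
from datetime import datetime, timezone

# ActivityType codes as used by common Timeline parsers (assumed; the page only names the types).
ACTIVITY_TYPES = {5: "ExecuteOpen", 6: "InFocus", 16: "CopyPaste"}

# Subset of the real Activity table columns, enough for this query (constructed schema).
SCHEMA = """CREATE TABLE Activity (
    Id BLOB PRIMARY KEY, AppId TEXT, ActivityType INTEGER,
    StartTime INTEGER, EndTime INTEGER, LastModifiedTime INTEGER, Payload BLOB);"""

QUERY = """SELECT AppId, ActivityType, StartTime, EndTime FROM Activity
           WHERE ActivityType IN (5, 6, 16) ORDER BY StartTime;"""


def app_from_appid(appid_json: str) -> str:
    """AppId is a JSON list of {application, platform}; the x_exe_path entry holds the full path."""
    entries = json.loads(appid_json)
    for entry in entries:
        if entry.get("platform") == "x_exe_path":
            return entry["application"]
    return entries[0]["application"] if entries else ""


def as_utc(epoch_seconds):
    """Start/End times are stored as Unix epoch seconds (UTC)."""
    return datetime.fromtimestamp(epoch_seconds, tz=timezone.utc).isoformat() if epoch_seconds else None


def execution_activities(conn: sqlite3.Connection) -> list:
    """List execution-related activities, oldest first, with decoded type and times."""
    return [{"app": app_from_appid(appid), "type": ACTIVITY_TYPES[atype],
             "start": as_utc(start), "end": as_utc(end)}
            for appid, atype, start, end in conn.execute(QUERY)]


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for ActivitiesCache.db (sample rows, not real data)."""
    notepad = json.dumps([{"application": "C:\\Windows\\System32\\notepad.exe", "platform": "x_exe_path"},
                          {"application": "notepad", "platform": "alternateId"}])
    uwp = json.dumps([{"application": "Some.UwpApp_abc123!App", "platform": "packageId"}])
    rows = [
        (b"\x01", notepad, 5, 1680697800, 1680697800, 1680697800, None),   # ExecuteOpen
        (b"\x02", notepad, 6, 1680697801, 1680698400, 1680698400, None),   # InFocus
        (b"\x03", uwp, 2, 1680697850, 1680697850, 1680697850, None),       # other type, filtered out
        (b"\x04", notepad, 16, 1680697900, 1680697900, 1680697900, None),  # CopyPaste
    ]
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO Activity VALUES (?, ?, ?, ?, ?, ?, ?)", rows)
    return conn
```

Against a real profile, replace `sqlite3.connect(":memory:")` with the path to a copied ActivitiesCache.db and call execution_activities on it.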
