Artefacts overview

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: artefacts.help.

General

Name Type Description Information / interpretation Location Tool(s)

Name	Type	Description	Information / interpretation	Location	Tool(s)
`Event Tracing`	General	Overall system usage: Accounts authentication successes and failures, local accounts and groups management, Windows Services or scheduled tasks operations, PowerShell activity, etc. Various events of forensic interest across multiple providers are referenced in the present overview.	`Event Tracing` is broken into three distinct components: - `Controllers`: start and stop an event `tracing session` and enable `providers`. - `Providers`: provide the events. - `Consumers`: consume the events in real time. Events can eventually be written to event log `channels` (assimilable to the log file names), `event tracing` log files, or both. The provider itself defines the event log `channel(s)` to which events should be written (trough its "instrumentation manifest" for manifested-based providers). Providers can define new `channels` or import existing `channels`. While the provider may use different `channels` for different events, each event can only be written to a single `channel` (as specified in the event's `event element` in the instrumentation manifest). If no `channel` is defined for a given event, the event will not be written to an event log channel, but can still be consumed (in memory) by a consumer through a `trace session`. Event `trace sessions` record events by subscribing to one or more `providers` and may write to a log file. Events can only be written to one `channel` at a time, but can also be collected by up to 7 `trace sessions`. `Security`, `System`, and `Application` are legacy `channels`. Only the `LSASS` process can write to the `Security` channel. Four types of channels are supported: `Admin`, `Operational`, `Analytic`, and `Debug`. `Provider` example: `Microsoft-Windows-TerminalServices-RemoteConnectionManager`. Associated `channel` example: `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational`.	Default location for `EVTX` files: `%SystemRoot%\System32\winevt\Logs\` Lists the system's provider: `logman.exe query providers` Retrieves information about a provider, including its channel and the process sending events to it: `logman.exe query providers "<PROVIDER_NAME>"` Lists the providers the specified process emit evnets to: `logman query providers -pid <PID>` List the available `channels` and their associated event counts: `Get-WinEvent -ListLog `	Tools for analyzing `EVTX` files: - `Event Viewer`: Windows built-in `GUI` events viewer utility. - `Event Log Explorer`: Proprietary `GUI` events viewer utility. - `LogParser`: to conduct `SQL`-like queries on `EVTX files`. Notable `KAPE` modules available that leverage `LogParser`: `LogParser_LogonLogoffEvents`, `LogParser_RDPUsageEvents`, and `LogParser_DetailedNetworkShareAccess`. - `Winlogbeat`: to parse `EVTX` into JSON or to ship them to `ELK`. - `EvtxECmd`: Utility to parse `EVTX` into CSV, JSON, or XML outputs (without doing a per fields extract however). - `Chainsaw`: Rust utility to parse and extract key information from `EVTX` files (notably with the use of `Sigma` rules). - `Hayabusa`: Rust utility to parse and extract key information from `EVTX` files in the form of a timeline (notably with the use of `Sigma` rules). `Velociraptor`: with modules dedicated to event logs analysis (such as `Windows.EventLogs.CondensedAccountUsage`, `Windows.EventLogs.Chainsaw`, `Windows.EventLogs.Hayabusa`, etc.).
Registry hives	General	Registry hives are system-wide or per users hierarchical databases used by the Windows operating system, and third-party applications, to store information. A registry hive is a group of keys, subkeys, and values in the registry, with supporting file(s) on disk. Registry hives are loaded in memory upon system boot or user logon from their associated files on disk. Before being written / committed to a file on disk, registry modifications can be written to `Registry Transaction logs` (notably if the hives cannot be written to directly due to locking). `Transaction logs` are files named, and stored in the same directory, as their corresponding registry hives. Such as `SYSTEM.LOG1` and `SYSTEM.LOG2` for the `SYSTEM` registry file.	The system-wide registry hives are stored in the `HKEY_LOCAL_MACHINE` (`HKLM`) hive. The following notable system-wide root keys are defined: `HKEY_LOCAL_MACHINE\SYSTEM` File on disk: `%SystemRoot%\System32\config\SYSTEM`. `HKEY_LOCAL_MACHINE\SOFTWARE` File on disk: `%SystemRoot%\System32\config\SOFTWARE`. `HKEY_LOCAL_MACHINE\SECURITY` File on disk: `%SystemRoot%\System32\config\SECURITY`. `HKEY_LOCAL_MACHINE\SAM` File on disk: `%SystemRoot%\System32\config\SAM`. `HKEY_USERS` Contains all the actively loaded user profile registry hives on the computer. The `.DEFAULT` key is populated from the `%SystemRoot%\Users\Default\NTUSER.DAT` file. File on disk: users' `NTUSER.dat` and `UsrClass.dat` files (of logon users). The `SYSTEM`, `SOFTWARE`, `SECURITY`, and `SAM` registry hives used to be backed up periodically (every 10 days by default) under the `%SystemRoot%\System32\config\RegBack` folder by the `RegIdleBackup` scheduled task. Starting with the Windows 10 operating system, this mechanism is no longer in use and no registry hive backups are stored under the `RegBack` folder. The user specific registry information are stored in the `HKEY_CURRENT_USER` (`HKCU`) root key. `HKEY_CURRENT_USER` File on disk `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` `HKEY_CURRENT_USER\SOFTWARE\Classes` File on disk `%SystemDrive%:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat` `HKEY_CLASSES_ROOT` Define the programs and file extensions association. Mapped to the keys `HKEY_LOCAL_MACHINE\SOFTWARE\Classes`, for default settings, and `HKEY_CURRENT_USER\SOFTWARE\Classes`, for user specific settings that override the default settings.	-	`RegistryExplorer` `RECmd` `RegRipper`

Event Tracing

General

Overall system usage: Accounts authentication successes and failures, local accounts and groups management, Windows Services or scheduled tasks operations, PowerShell activity, etc. Various events of forensic interest across multiple providers are referenced in the present overview.

Event Tracing is broken into three distinct components: - Controllers: start and stop an event tracing session and enable providers. - Providers: provide the events. - Consumers: consume the events in real time. Events can eventually be written to event log channels (assimilable to the log file names), event tracing log files, or both. The provider itself defines the event log channel(s) to which events should be written (trough its "instrumentation manifest" for manifested-based providers). Providers can define new channels or import existing channels. While the provider may use different channels for different events, each event can only be written to a single channel (as specified in the event's event element in the instrumentation manifest). If no channel is defined for a given event, the event will not be written to an event log channel, but can still be consumed (in memory) by a consumer through a trace session. Event trace sessions record events by subscribing to one or more providers and may write to a log file. Events can only be written to one channel at a time, but can also be collected by up to 7 trace sessions. Security, System, and Application are legacy channels. Only the LSASS process can write to the Security channel. Four types of channels are supported: Admin, Operational, Analytic, and Debug. Provider example: Microsoft-Windows-TerminalServices-RemoteConnectionManager. Associated channel example: Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational.

Default location for EVTX files: %SystemRoot%\System32\winevt\Logs\* Lists the system's provider: logman.exe query providers Retrieves information about a provider, including its channel and the process sending events to it: logman.exe query providers "<PROVIDER_NAME>" Lists the providers the specified process emit evnets to: logman query providers -pid <PID> List the available channels and their associated event counts: Get-WinEvent -ListLog *

Tools for analyzing EVTX files: - Event Viewer: Windows built-in GUI events viewer utility. - Event Log Explorer: Proprietary GUI events viewer utility. - LogParser: to conduct SQL-like queries on EVTX files. Notable KAPE modules available that leverage LogParser: LogParser_LogonLogoffEvents, LogParser_RDPUsageEvents, and LogParser_DetailedNetworkShareAccess. - Winlogbeat: to parse EVTX into JSON or to ship them to ELK. - EvtxECmd: Utility to parse EVTX into CSV, JSON, or XML outputs (without doing a per fields extract however). - Chainsaw: Rust utility to parse and extract key information from EVTX files (notably with the use of Sigma rules). - Hayabusa: Rust utility to parse and extract key information from EVTX files in the form of a timeline (notably with the use of Sigma rules). Velociraptor: with modules dedicated to event logs analysis (such as Windows.EventLogs.CondensedAccountUsage, Windows.EventLogs.Chainsaw, Windows.EventLogs.Hayabusa, etc.).

Registry hives

General

Registry hives are system-wide or per users hierarchical databases used by the Windows operating system, and third-party applications, to store information. A registry hive is a group of keys, subkeys, and values in the registry, with supporting file(s) on disk. Registry hives are loaded in memory upon system boot or user logon from their associated files on disk. Before being written / committed to a file on disk, registry modifications can be written to Registry Transaction logs (notably if the hives cannot be written to directly due to locking). Transaction logs are files named, and stored in the same directory, as their corresponding registry hives. Such as SYSTEM.LOG1 and SYSTEM.LOG2 for the SYSTEM registry file.

The system-wide registry hives are stored in the HKEY_LOCAL_MACHINE (HKLM) hive. The following notable system-wide root keys are defined: HKEY_LOCAL_MACHINE\SYSTEM File on disk: %SystemRoot%\System32\config\SYSTEM. HKEY_LOCAL_MACHINE\SOFTWARE File on disk: %SystemRoot%\System32\config\SOFTWARE. HKEY_LOCAL_MACHINE\SECURITY File on disk: %SystemRoot%\System32\config\SECURITY. HKEY_LOCAL_MACHINE\SAM File on disk: %SystemRoot%\System32\config\SAM. HKEY_USERS Contains all the actively loaded user profile registry hives on the computer. The .DEFAULT key is populated from the %SystemRoot%\Users\Default\NTUSER.DAT file. File on disk: users' NTUSER.dat and UsrClass.dat files (of logon users). The SYSTEM, SOFTWARE, SECURITY, and SAM registry hives used to be backed up periodically (every 10 days by default) under the %SystemRoot%\System32\config\RegBack folder by the RegIdleBackup scheduled task. Starting with the Windows 10 operating system, this mechanism is no longer in use and no registry hive backups are stored under the RegBack folder. The user specific registry information are stored in the HKEY_CURRENT_USER (HKCU) root key. HKEY_CURRENT_USER File on disk %SystemDrive%:\Users\<USERNAME>\NTUSER.dat HKEY_CURRENT_USER\SOFTWARE\Classes File on disk %SystemDrive%:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat HKEY_CLASSES_ROOT Define the programs and file extensions association. Mapped to the keys HKEY_LOCAL_MACHINE\SOFTWARE\Classes, for default settings, and HKEY_CURRENT_USER\SOFTWARE\Classes, for user specific settings that override the default settings.

RegistryExplorer RECmd RegRipper

System information

Name Type Description Information / interpretation Location Tool(s)

Name	Type	Description	Information / interpretation	Location
`HKLM\SYSTEM` - `ComputerName`	System information	Name of the computer.	-	File: `%SystemRoot%\System32\config\SYSTEM` Registry key: `HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName`
`HKLM\SOFTWARE` - `CurrentVersion` (`ProductName` value)	System information	Version and Service pack number of the Windows operting system.	-	File: `%SystemRoot%\System32\config\SOFTWARE` Registry key: `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion`
`HKLM\SYSTEM` - Security `Policy`	System information	Basic information on the system: - Computer name and `SID`. - Computer's domain and domain `SID` (for domain-joined hosts).	Registry keys under `HKLM\SECURITY\Policy`: - `PolAcDmN`: computer name - `PolAcDmS`: computer `SID` - `PolDnDDN`: computer's domain name - `PolPrDmS`: computer's domain `SID`	File: `%SystemRoot%\System32\config\SECURITY`
`HKLM\SYSTEM` - `TimeZoneInformation`	System information	Time zone information.	-	File: `%SystemRoot%\System32\config\SYSTEM` Registry key: `HKLM\System\CurrentControlSet\Control\TimeZoneInformation`
`HKLM\SYSTEM` - `Select`	System information	`ControlSet` information for the `CurrentControlSet`, `ControlSet002`, ... registry keys: - Current `ControlSet` pointed by the `CurrentControlSet` key. - Last known good `ControlSet`.	-	File: `%SystemRoot%\System32\config\SYSTEM` Registry key: `HKLM\SYSTEM\Select`
`HKLM\SYSTEM` - Network interfaces (`Interfaces`)	System information	Basic information about network interfaces (interface name, associated IP address, default gateway, and DHCP lease and eventual domain). Additional network information is available in the `NetworkList` registry key.	-	File: `%SystemRoot%\System32\config\SYSTEM` Registry keys: `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*`
`HKLM\SYSTEM` - `LanmanServer\Shares`	System information	Network SMB shares hosted by the system.	Each network share is associated with a `REG_MULTI_SZ` value. The value is named from the network share name. The share name is also defined in the `ShareName` field of the registry value's data. The share path on disk is defined in the in the `Path` field of the registry value's data.	File: `%SystemRoot%\System32\config\SYSTEM` Registry key: `HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares`
`HKLM\SYSTEM` - `FirewallPolicy`	System information	Windows local Firewall profiles (Public, Private, and Domain) status and configured rules.	-	File: `%SystemRoot%\System32\config\SYSTEM` Registry key: `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\*`
`HKLM\SOFTWARE` / `NTUSER` - Installed applications (`App Paths`)	System information	Applications installed on the system, on a system-wide or per user basis. The entries are mainly used by the Windows operating system for two purposes: - Mapping an application file name to its executable full path. - Pre-pending information to the `PATH` environment variable on a per-application and per-process basis.	Applications installed system-wide have their information written in the `HKLM\SOFTWARE` registry hive, while applications installed per user have their information written in the user `NTUSER` hive. For each installed application the following notable information is available: - File name and full file path of the application executable. - Timestamp of installation.	For system-wide applications: File: `%SystemRoot%\System32\config\SOFTWARE` Registry key: `Microsoft\Windows\CurrentVersion\App Paths` For per-user applications: File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths`
`HKLM\SOFTWARE` / `NTUSER` - `Uninstall`	System information	Applications installed on the system, on a system-wide or per user basis, as displayed in the "Add or remove programs" of the Windows Control Panel / Settings.	Applications installed system-wide have their information written in the `HKLM\SOFTWARE` registry hive, while applications installed per user have their information written in the user `NTUSER` hive. Each application installation data is defined in a dedicated subkey under `Uninstall`, identified by the application name. For each installed application the following notable information is available: - The application name. - The application installation location, display icon (often based directly on the application main executable, thus giving the full path of the application main program), full path of the uninstaller. - The date of the installation. The last write timestamp of the registry key can also be an indicator of when the application was installed (with better precision). - The size of the applicationn. - Various metadata on the application (provided by the application installer itself): version, publisher, ...	For system-wide applications: File: `%SystemRoot%\System32\config\SOFTWARE` Registry key: `Microsoft\Windows\CurrentVersion\Uninstall` For per-user applications: File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall`
`HKLM\SYSTEM` - Installed services (`Services`)	System information	Windows services installed on the system. For more information: local persistence note.	Each service configuration is defined in a dedicated subkey under `Services`, identified by the service name. For each services, the following notable information is available (under the service name root key): - Service name and display name. - Services image path. - The service type: `0x1`: Kernel driver `0x2` / `0x8`: file system driver `0x10`: standard Windows service that runs in a process by itself `0x20`: Windows service that can share a process with other services. `0x50`: "USER_OWN_PROCESS TEMPLATE" `0x60`: "USER_SHARE_PROCESS TEMPLATE" `0x110`: like `0x10` but can interact with users. `0x120`: like `0x20` but can interact with users. - The service start mode: `0x0`: "Boot Start" `0x01`: "System Start" `0x02`: "Auto Start" `0x03`: "Manual" `0x04`: "Disabled" - The Windows specific privileges required by the service (`SeImpersonatePrivilege`, `SeDebugPrivilege`, etc.). No privileges can be set, for exemple if the service runs as `NT AUTHORITY\SYSEM`. The last write timestamp of the service name root key can be an indicator of when the specific service configuration was last modified.	File: `%SystemRoot%\System32\config\SYSTEM` Registry key: `HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>`
`HKLM\SOFTWARE` - Configured scheduled tasks (`Schedule\Taskcache`)	System information	Scheduled tasks configured on the system as stored in the registry. For more information: local persistence note.	Each scheduled task configuration is defined in a dedicated subkey under `Schedule\Taskcache\Tasks`, identified by the task GUID. For each tasks, the following notable information is available (under the task GUID root key): - The task path. - Some lifecycle timestamps of the task: created on, last start, and last stop. - The task security descriptor (in `SDDL` notation). - The task trigger(s) and action(s) in binary, non human readable format. The mapping between a task name and its GUID can be done using the subkeys of the `Schedule\Taskcache\Tree` keys.	File: `%SystemRoot%\System32\config\SOFTWARE` Registry keys: `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks` `HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree`
Configured scheduled tasks (`Tasks` folder)	System information	Scheduled tasks configured on the system, as stored in tasks `XML` files. For more information: local persistence note.	Each scheduled task configuration is defined in a `XML` file, eventually in an intermediate subfolder, under the `Tasks` folder. For each tasks, the following notable information is available: - The task name and GUID, in the task filename itself. - The task description. - The task trigger(s) and action(s) (executable / command to be executed and its parameters for instance) in human readable format. - The task status (enabled / disabled). - The additional parameters of the task (wake to run, execution timeout, ...).	`Windows XP` / `Windows Server 2003` (`Task Scheduler 1.0`): `%SystemRoot%\Windows\Tasks` Starting from `Windows 7` / `Windows Server 2008` (`Task Scheduler 2.0`): `%SystemRoot%\Windows\System32\Tasks`

HKLM\SYSTEM - ComputerName

System information

Name of the computer.

File: %SystemRoot%\System32\config\SYSTEM Registry key: HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName

HKLM\SOFTWARE - CurrentVersion (ProductName value)

System information

Version and Service pack number of the Windows operting system.

File: %SystemRoot%\System32\config\SOFTWARE Registry key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion

HKLM\SYSTEM - Security Policy

System information

Basic information on the system: - Computer name and SID. - Computer's domain and domain SID (for domain-joined hosts).

Registry keys under HKLM\SECURITY\Policy: - PolAcDmN: computer name - PolAcDmS: computer SID - PolDnDDN: computer's domain name - PolPrDmS: computer's domain SID

File: %SystemRoot%\System32\config\SECURITY

HKLM\SYSTEM - TimeZoneInformation

System information

Time zone information.

File: %SystemRoot%\System32\config\SYSTEM Registry key: HKLM\System\CurrentControlSet\Control\TimeZoneInformation

HKLM\SYSTEM - Select

System information

ControlSet information for the CurrentControlSet, ControlSet002, ... registry keys: - Current ControlSet pointed by the CurrentControlSet key. - Last known good ControlSet.

File: %SystemRoot%\System32\config\SYSTEM Registry key: HKLM\SYSTEM\Select

HKLM\SYSTEM - Network interfaces (Interfaces)

System information

Basic information about network interfaces (interface name, associated IP address, default gateway, and DHCP lease and eventual domain). Additional network information is available in the NetworkList registry key.

File: %SystemRoot%\System32\config\SYSTEM Registry keys: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\*

HKLM\SYSTEM - LanmanServer\Shares

System information

Network SMB shares hosted by the system.

Each network share is associated with a REG_MULTI_SZ value. The value is named from the network share name. The share name is also defined in the ShareName field of the registry value's data. The share path on disk is defined in the in the Path field of the registry value's data.

File: %SystemRoot%\System32\config\SYSTEM Registry key: HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares

HKLM\SYSTEM - FirewallPolicy

System information

Windows local Firewall profiles (Public, Private, and Domain) status and configured rules.

File: %SystemRoot%\System32\config\SYSTEM Registry key: HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\*

HKLM\SOFTWARE / NTUSER - Installed applications (App Paths)

System information

Applications installed on the system, on a system-wide or per user basis. The entries are mainly used by the Windows operating system for two purposes: - Mapping an application file name to its executable full path. - Pre-pending information to the PATH environment variable on a per-application and per-process basis.

Applications installed system-wide have their information written in the HKLM\SOFTWARE registry hive, while applications installed per user have their information written in the user NTUSER hive. For each installed application the following notable information is available: - File name and full file path of the application executable. - Timestamp of installation.

For system-wide applications: File: %SystemRoot%\System32\config\SOFTWARE Registry key: Microsoft\Windows\CurrentVersion\App Paths For per-user applications: File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\App Paths

HKLM\SOFTWARE / NTUSER - Uninstall

System information

Applications installed on the system, on a system-wide or per user basis, as displayed in the "Add or remove programs" of the Windows Control Panel / Settings.

Applications installed system-wide have their information written in the HKLM\SOFTWARE registry hive, while applications installed per user have their information written in the user NTUSER hive. Each application installation data is defined in a dedicated subkey under Uninstall, identified by the application name. For each installed application the following notable information is available: - The application name. - The application installation location, display icon (often based directly on the application main executable, thus giving the full path of the application main program), full path of the uninstaller. - The date of the installation. The last write timestamp of the registry key can also be an indicator of when the application was installed (with better precision). - The size of the applicationn. - Various metadata on the application (provided by the application installer itself): version, publisher, ...

For system-wide applications: File: %SystemRoot%\System32\config\SOFTWARE Registry key: Microsoft\Windows\CurrentVersion\Uninstall For per-user applications: File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall

HKLM\SYSTEM - Installed services (Services)

System information

Windows services installed on the system. For more information: local persistence note.

Each service configuration is defined in a dedicated subkey under Services, identified by the service name. For each services, the following notable information is available (under the service name root key): - Service name and display name. - Services image path. - The service type: 0x1: Kernel driver 0x2 / 0x8: file system driver 0x10: standard Windows service that runs in a process by itself 0x20: Windows service that can share a process with other services. 0x50: "USER_OWN_PROCESS TEMPLATE" 0x60: "USER_SHARE_PROCESS TEMPLATE" 0x110: like 0x10 but can interact with users. 0x120: like 0x20 but can interact with users. - The service start mode: 0x0: "Boot Start" 0x01: "System Start" 0x02: "Auto Start" 0x03: "Manual" 0x04: "Disabled" - The Windows specific privileges required by the service (SeImpersonatePrivilege, SeDebugPrivilege, etc.). No privileges can be set, for exemple if the service runs as NT AUTHORITY\SYSEM. The last write timestamp of the service name root key can be an indicator of when the specific service configuration was last modified.

File: %SystemRoot%\System32\config\SYSTEM Registry key: HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>

HKLM\SOFTWARE - Configured scheduled tasks (Schedule\Taskcache)

System information

Scheduled tasks configured on the system as stored in the registry. For more information: local persistence note.

Each scheduled task configuration is defined in a dedicated subkey under Schedule\Taskcache\Tasks, identified by the task GUID. For each tasks, the following notable information is available (under the task GUID root key): - The task path. - Some lifecycle timestamps of the task: created on, last start, and last stop. - The task security descriptor (in SDDL notation). - The task trigger(s) and action(s) in binary, non human readable format. The mapping between a task name and its GUID can be done using the subkeys of the Schedule\Taskcache\Tree keys.

File: %SystemRoot%\System32\config\SOFTWARE Registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree

Configured scheduled tasks (Tasks folder)

System information

Scheduled tasks configured on the system, as stored in tasks XML files. For more information: local persistence note.

Each scheduled task configuration is defined in a XML file, eventually in an intermediate subfolder, under the Tasks folder. For each tasks, the following notable information is available: - The task name and GUID, in the task filename itself. - The task description. - The task trigger(s) and action(s) (executable / command to be executed and its parameters for instance) in human readable format. - The task status (enabled / disabled). - The additional parameters of the task (wake to run, execution timeout, ...).

Windows XP / Windows Server 2003 (Task Scheduler 1.0): %SystemRoot%\Windows\Tasks Starting from Windows 7 / Windows Server 2008 (Task Scheduler 2.0): %SystemRoot%\Windows\System32\Tasks

Filesystem

Name Type Description Information / interpretation Location Tool(s)

Name	Type	Description	Information / interpretation	Location	Tool(s)
`MFT`	Filesystem	The `MFT`, filename `$MFT`, is the main element of any `NTFS` partition. The `MFT` contains an entry for all existing files written on the partition. Deleted files that were once written on the partition may also still (temporally) have a record in the `MFT`. The Partition Boot Sector `$Boot` metadata file, which starts at sector 0 and can be up to 16 sectors long, describes the basic `NTFS` volume information and indicates the location of the `$MFT`. The `$MFTMirr` file is statically-located as the first entry in the `MFT` and contains the first 4 entries of the `MFT` (`MFT`, `$MFTMir`, `$LogFile`, and `$Volume`) as a recovery mechanism. The `$Bitmap` file tracks the allocation status (allocated or unused) of the clusters of the volume. Each cluster is associated with a bit, set to `0x1` if the cluster is in use. Upon deletion of a non resident file, the `$Bitmap` file is updated to tag the cluster(s) associated with the file as free. The clusters are not overwritten during the deletion process, and the file data can thus be carved as long as the cluster(s) are not re-used. For more information: `MFT` note.	Each file on an `NTFS` volume is represented in the `MFT` in a file record. Small files and directories (typically 512 bytes or smaller), can be entirely contained within their associated `MFT` file record. These files are called `resident files`. Files larger than . Directory records are stored within the master file table just like file records. Instead of data, directories contain index information. A file record (`FILE0` data structure) notably includes: - The filename. - The file size. - The file unique (under the `NTFS` volume) `Security ID` in the `$STANDARD_INFORMATION` attribute. - Two or three set of timestamps: > The file creation, last modified, last accessed, last changed `SI` timestamps (`MACB`) in the `$STANDARD_INFORMATION` attribute. > The file creation, last modified, last accessed, last changed `FN` timestamps (`MACB`) in the `$FILE_NAME` attribute. Two sets of `$FILE_NAME` timestamps will be available for files with a short (`DOS`) and long filenames. > For more information on Windows timestamps: Windows timestamps note. - File access permissions. - One or multiple `DATA` attribute, that either contain the file data for `resident file` or reference the clusters of disk space where the file is stored for `nonresident file`. - Whether the `file record` is in use. When a file is deleted from the volume, its associated `MFT` `file record` is set as no longer in use, but is not directly deleted during the file deletion process. Metadata information, and content for `MFT` resident files, can thus be retrieved for recently deleted files (as long as the `file record` is not overwritten by a new entry).	`%SystemDrive%:\$MFT`	`MFTECmd.exe`
`$Secure`	Filesystem	The `$Secure` file contains the `security descriptor` for all the files and folders on a `NTFS` volume. The `security descriptors` are stored within the `$SDS` named data stream of the `$Secure` file. The `$Secure` file additionally defines two other named streams (`$SDH` and `$SII`) for lookup in the `$SDS` stream.	Each file or folder is referenced in the `$Secure` file with its volume-unique `Security ID` and `security descriptor`. The `Security ID` of the file is referenced in the `MFT` file record associated with the file (in the `$STANDARD_INFORMATION` attribute). While no metadata information are present in the `$Secure` file (only the file's `security descriptor`), the file's `Security ID` can be used to map the file's information / data from the `MFT` to its `security descriptor` in the `$Secure` file. The `security descriptor` (`SECURITY_DESCRIPTOR` data structure) references: - The owner of the file (as a pointer to a `SID` structure). - The access rights to the file in the `Discretionary Access Control List (DACL)` attribute. - The audit rights that control how access is audited (which access will generate events) in the `System Access Control List (SACL)` attribute.	`$Secure`	`Secure2Csv`
`NTFS index attributes` (`$I30`)	Filesystem	The `NTFS` `index attributes` are `MFT` attributes, of two distincts types, that index all the files / directories in a given directory (in a B-Tree data structure). Each directory contains one or more `index attributes`. The files and folders information displayed by the `Windows Explorer` are based on the index attribute(s) of the directory being accessed. The entries (files or subdirectories) in a directory's `index attribute(s)` are stored as `index records` structures, with one dedicated record for every entry. The `index record` structure contains a `$FILE_NAME` (`0x30`) attribute, in which are stored the information about the file or folder. There is two types of `index attributes`: - `$INDEX_ROOT`: for directories with a small number of entries. The `$INDEX_ROOT` attribute is always resident to the `MFT` and contains a small list of `index records`. A directory has at most one `$INDEX_ROOT` attribute. - `$INDEX_ALLOCATION`: additional structure for larger directories, with no limitation on the number of entries. The `$INDEX_ALLOCATION` attribute is non-resident and contains one or more `index records`. The `INDEX_ALLOCATION` structure starts with the `INDX` signature. The `$INDEX_ALLOCATION` attribute should not exist without an associated `$INDEX_ROOT` attribute. The `$Bitmap` attribute keep track of the index allocations. The `$INDEX_ROOT`, `$INDEX_ALLOCATION`, and `$Bitmap` attributes are collectively refered to as `$I30`.	Each `index record` contains information on the file it references in a `$FILE_NAME` (`0x30`) attribute: - Filename and parent directory. - File size. - A set of `MACB` timestamps. The `$FILE_NAME` attribute of a `index record` in a directory `index attribute` should be kept in sync with the `MFT` file record's `$STANDARD_INFORMATION` attribute of the corresponding entry. However, disparities may sometime occur, with the `index record` referencing older information. Due to their B-Tree data structure format and their frequent rebalancing, `$INDEX_ALLOCATION` attributes often contain a significant amount of slack space. `Index records` for deleted files no longer present in the `MFT` may be carvable from this slack space.	`MFT`'s `$INDEX_ROOT`, `$INDEX_ALLOCATION`, and `$Bitmap` attributes.	`MFTECmd.exe` `INDXRipper`
`$LogFile`	Filesystem	The `$LogFile` is part of a journaling feature of `NTFS`, activated by default, which maintains a low-level record of changes made to the `NTFS` volume. Every disk operation is journalized prior to being committed. In case of failure, such as a crash during an update, the `$LogFile` can be used to revert disk operations.	As low-level operations are journalized, the `$LogFile` contains very limited historical data, usually only of the last few hours at most.	`$LogFile`
`UsnJrnl`	Filesystem	The `UsnJrnl` is part of a journaling feature of `NTFS`, activated by default on Vista and later, which maintains a record of changes made to the `NTFS` volume. The creation, deletion or modification of files or directories are, among other operations, journalized.	The records in the `UsnJrnl` are progressively overwritten once the max size of the journal has been reached. The `UsnJrnl` usually contains historical data on the last few days (1-3 days for system full time use, < 7 days for regular system use). The `UsnJrnl` is composed of two named data streams: - The `$Max` stream stores the meta data of the change. - The `$J` stream stores the actual change log records. Each change log record is notably composed of: - an `Update Sequence Number (USN)`. - The timestamp of the change. - The reason / operation of the record (`USN_REASON_FILE_CREATE`, `USN_REASON_FILE_DELETE`, `USN_REASON_DATA_OVERWRITE`, `USN_REASON_RENAME_NEW_NAME`, etc.). - MFT reference and reference sequence number.	`$Max` and `$J` named data streams under `\$Extend\$UsnJrnl`	`MFTECmd.exe`
`Windows Search` database	Filesystem	The `Windows Search` database provides an index to the Windows Search feature to improve search speed by indexing content. The Windows Search index is used for searches made through Windows taskbar, the Windows Explorer, and some `Universal Windows Platform (UWP)` applications (such as Outlook, OneDrive, etc.). By default, only a subset of folders and files are indexed (to reduce the Windows Search database size and CPU usage). The folders scanned and number of items indexed can be consulted in the "Windows search settings" menu.	By default, only items from the following sources are scanned and indexed: - Files and folders from the Users folders. > Data available: file name, path, size, attributes, `MAC` timestamps. For small file, part of the content of the file may be indexed as well. - Outlook mail data (with timestamp of reception, possible mail content). - OneNote notes title. - Internet explorer history (URLs, timestamp of last visit).	Windows XP: `%SystemDrive%:\Documents and Settings\All user\Application Data\Microsoft\Search\Data\Application\Windows\Windows.edb` Starting from Windows 7: `%SystemDrive%:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb`
`Recycle Bin`	Filesystem (Deleted files)	Deleted files and folders (if deleted through a recycle bin aware application).	The deleted files are placed in a subfolder (under `%SystemDrive%:\$Recycle.Bin`) named after the `SID` of the user that performed the deletion. Deleted files can thus be associated with a given user. Two kind of files are present in the `Recycle Bin`: - `$I` (for "Information") files, which contain the path and timestamp of deletion of the original file. - `$R` (for "Resource") files, which contain the original file content.	`%SystemDrive%:\$Recycle.Bin\<USER_SID>\*`

MFT

Filesystem

The MFT, filename $MFT, is the main element of any NTFS partition. The MFT contains an entry for all existing files written on the partition. Deleted files that were once written on the partition may also still (temporally) have a record in the MFT. The Partition Boot Sector $Boot metadata file, which starts at sector 0 and can be up to 16 sectors long, describes the basic NTFS volume information and indicates the location of the $MFT. The $MFTMirr file is statically-located as the first entry in the MFT and contains the first 4 entries of the MFT (MFT, $MFTMir, $LogFile, and $Volume) as a recovery mechanism. The $Bitmap file tracks the allocation status (allocated or unused) of the clusters of the volume. Each cluster is associated with a bit, set to 0x1 if the cluster is in use. Upon deletion of a non resident file, the $Bitmap file is updated to tag the cluster(s) associated with the file as free. The clusters are not overwritten during the deletion process, and the file data can thus be carved as long as the cluster(s) are not re-used. For more information: MFT note.

Each file on an NTFS volume is represented in the MFT in a file record. Small files and directories (typically 512 bytes or smaller), can be entirely contained within their associated MFT file record. These files are called resident files. Files larger than . Directory records are stored within the master file table just like file records. Instead of data, directories contain index information. A file record (FILE0 data structure) notably includes: - The filename. - The file size. - The file unique (under the NTFS volume) Security ID in the $STANDARD_INFORMATION attribute. - Two or three set of timestamps: > The file creation, last modified, last accessed, last changed SI timestamps (MACB) in the $STANDARD_INFORMATION attribute. > The file creation, last modified, last accessed, last changed FN timestamps (MACB) in the $FILE_NAME attribute. Two sets of $FILE_NAME timestamps will be available for files with a short (DOS) and long filenames. > For more information on Windows timestamps: Windows timestamps note. - File access permissions. - One or multiple DATA attribute, that either contain the file data for resident file or reference the clusters of disk space where the file is stored for nonresident file. - Whether the file record is in use. When a file is deleted from the volume, its associated MFT file record is set as no longer in use, but is not directly deleted during the file deletion process. Metadata information, and content for MFT resident files, can thus be retrieved for recently deleted files (as long as the file record is not overwritten by a new entry).

%SystemDrive%:\$MFT

MFTECmd.exe

$Secure

Filesystem

The $Secure file contains the security descriptor for all the files and folders on a NTFS volume. The security descriptors are stored within the $SDS named data stream of the $Secure file. The $Secure file additionally defines two other named streams ($SDH and $SII) for lookup in the $SDS stream.

Each file or folder is referenced in the $Secure file with its volume-unique Security ID and security descriptor. The Security ID of the file is referenced in the MFT file record associated with the file (in the $STANDARD_INFORMATION attribute). While no metadata information are present in the $Secure file (only the file's security descriptor), the file's Security ID can be used to map the file's information / data from the MFT to its security descriptor in the $Secure file. The security descriptor (SECURITY_DESCRIPTOR data structure) references: - The owner of the file (as a pointer to a SID structure). - The access rights to the file in the Discretionary Access Control List (DACL) attribute. - The audit rights that control how access is audited (which access will generate events) in the System Access Control List (SACL) attribute.

$Secure

Secure2Csv

NTFS index attributes ($I30)

Filesystem

The NTFS index attributes are MFT attributes, of two distincts types, that index all the files / directories in a given directory (in a B-Tree data structure). Each directory contains one or more index attributes. The files and folders information displayed by the Windows Explorer are based on the index attribute(s) of the directory being accessed. The entries (files or subdirectories) in a directory's index attribute(s) are stored as index records structures, with one dedicated record for every entry. The index record structure contains a $FILE_NAME (0x30) attribute, in which are stored the information about the file or folder. There is two types of index attributes: - $INDEX_ROOT: for directories with a small number of entries. The $INDEX_ROOT attribute is always resident to the MFT and contains a small list of index records. A directory has at most one $INDEX_ROOT attribute. - $INDEX_ALLOCATION: additional structure for larger directories, with no limitation on the number of entries. The $INDEX_ALLOCATION attribute is non-resident and contains one or more index records. The INDEX_ALLOCATION structure starts with the INDX signature. The $INDEX_ALLOCATION attribute should not exist without an associated $INDEX_ROOT attribute. The $Bitmap attribute keep track of the index allocations. The $INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap attributes are collectively refered to as $I30.

Each index record contains information on the file it references in a $FILE_NAME (0x30) attribute: - Filename and parent directory. - File size. - A set of MACB timestamps. The $FILE_NAME attribute of a index record in a directory index attribute should be kept in sync with the MFT file record's $STANDARD_INFORMATION attribute of the corresponding entry. However, disparities may sometime occur, with the index record referencing older information. Due to their B-Tree data structure format and their frequent rebalancing, $INDEX_ALLOCATION attributes often contain a significant amount of slack space. Index records for deleted files no longer present in the MFT may be carvable from this slack space.

MFT's $INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap attributes.

MFTECmd.exe INDXRipper

$LogFile

Filesystem

The $LogFile is part of a journaling feature of NTFS, activated by default, which maintains a low-level record of changes made to the NTFS volume. Every disk operation is journalized prior to being committed. In case of failure, such as a crash during an update, the $LogFile can be used to revert disk operations.

As low-level operations are journalized, the $LogFile contains very limited historical data, usually only of the last few hours at most.

$LogFile

UsnJrnl

Filesystem

The UsnJrnl is part of a journaling feature of NTFS, activated by default on Vista and later, which maintains a record of changes made to the NTFS volume. The creation, deletion or modification of files or directories are, among other operations, journalized.

The records in the UsnJrnl are progressively overwritten once the max size of the journal has been reached. The UsnJrnl usually contains historical data on the last few days (1-3 days for system full time use, < 7 days for regular system use). The UsnJrnl is composed of two named data streams: - The $Max stream stores the meta data of the change. - The $J stream stores the actual change log records. Each change log record is notably composed of: - an Update Sequence Number (USN). - The timestamp of the change. - The reason / operation of the record (USN_REASON_FILE_CREATE, USN_REASON_FILE_DELETE, USN_REASON_DATA_OVERWRITE, USN_REASON_RENAME_NEW_NAME, etc.). - MFT reference and reference sequence number.

$Max and $J named data streams under \$Extend\$UsnJrnl

MFTECmd.exe

Windows Search database

Filesystem

The Windows Search database provides an index to the Windows Search feature to improve search speed by indexing content. The Windows Search index is used for searches made through Windows taskbar, the Windows Explorer, and some Universal Windows Platform (UWP) applications (such as Outlook, OneDrive, etc.). By default, only a subset of folders and files are indexed (to reduce the Windows Search database size and CPU usage). The folders scanned and number of items indexed can be consulted in the "Windows search settings" menu.

By default, only items from the following sources are scanned and indexed: - Files and folders from the Users folders. > Data available: file name, path, size, attributes, MAC timestamps. For small file, part of the content of the file may be indexed as well. - Outlook mail data (with timestamp of reception, possible mail content). - OneNote notes title. - Internet explorer history (URLs, timestamp of last visit).

Windows XP: %SystemDrive%:\Documents and Settings\All user\Application Data\Microsoft\Search\Data\Application\Windows\Windows.edb Starting from Windows 7: %SystemDrive%:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Recycle Bin

Filesystem (Deleted files)

Deleted files and folders (if deleted through a recycle bin aware application).

The deleted files are placed in a subfolder (under %SystemDrive%:\$Recycle.Bin) named after the SID of the user that performed the deletion. Deleted files can thus be associated with a given user. Two kind of files are present in the Recycle Bin: - $I (for "Information") files, which contain the path and timestamp of deletion of the original file. - $R (for "Resource") files, which contain the original file content.

%SystemDrive%:\$Recycle.Bin\<USER_SID>\*

Program execution

Name Type Description Information / interpretation Location Tool(s)

Name	Type	Description	Information / interpretation	Location	Tool(s)
`EVTX` - `Security.evtx` - Process creation	Programs execution	For more information: Program execution note.	Event `4688`: `A new process has been created` Event `4689`: `Process Termination: Success and Failure` Requires `Audit Process Creation` to be enabled. If the `ProcessCreationIncludeCmdLine_Enabled` audit policy is enabled, the command line specified at the process creation will be logged.	`Security.evtx`
`HKLM\SYSTEM` - `Application Compatibility Cache` (`Shimcache`)	Programs execution (before Windows 10 / Windows Server 2016) Executable presence	Application compatibility feature that aim to maintain support of existing software to new versions of the Windows operating system. A `Shimcache` entry is created whenever a program is executed from a specific path. However, starting from the Windows Vista and Windows Server 2008 operating systems, entries may also be created for files in a directory that is accessed interactively. `Shimcache` entries are only written to the registry upon shutdown of the system. The `Shimcache` entries generated since the last system boot are thus only stored in memory. Limited to 96 entries on Windows XP / Windows Server 2003, and 1024 entries starting from Windows Vista. For more information: Shimcache note.	Each `Shimcache` entries contain the following notable information: - The associated file full path. - On Windows 2003 / XP 64-bit and older, the file size. - The `LastModifiedTime` (`$Standard_Information`) timestamp of the file, which does not necessarily reflect the execution time. Indeed, `Shimcache` entries are not directly associated with an insert / executed timestamp. - The cache entry position, as a numerical value starting from 0, which represents the insertion position in the `Shimcache`. The lower the value, the more recently the program was shimmed. - From Windows Vista / Windows Server 2008 to Windows 8.1 / Windows Server 2012 R2, the (undocumented) `Insert Flag` flag which, when set, seems to indicate that the entry was executed. This flag is no longer present starting from Windows 10 / Windows Server 2016, and thus a `Shimcache` entry does not necessarily reflect an execution** (as entries may also be created for files in a directory that is accessed interactively). - On `Windows XP 32-bit`, the file `Last Update Time` timestamp.	File: `%SystemRoot%\System32\config\SYSTEM` Registry key: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache`	`AppCompatCacheParser.exe` For entries present in memory: `Volatility2`'s `shimcache` plugin.
`Amcache` `RecentFileCache` For `DLL` 6.1.7600, replaced by `Amcache.hve` on up-to-date systems. Starting from Windows 7 & Windows Server 2008 R2	Programs execution (for non up-to date system) Executable presence	Very complex artefact, linked to an application compatibility feature that aim to maintain support of existing software to new versions of the Windows operating system (like the `Shimcache` artefact). The `Amcache` is a standalone registry hive, with multiple root keys that contain various types of data. The `Amcache` behavior depends on the version of the associated libraries, and not the version of the operating system. The `Amcache` on an up-to-date Windows 7 and Windows 10 will thus behave the same way. A `Amcache` entry is created whenever a program is executed from a specific path. However, entries may also be created for files in "scanned" directory. For more information: Amcache note.	The `Amcache.hve` registry hive is split in a number of root keys, with keys being added, changed, or removed depending on the `Amcache` `DLLs` versions. The following notable root keys can be of forensic interest: - `File` then `InventoryApplicationFile` starting from the version `10.0.14913.1002` of the `Amcache` libraries (`AmcacheParser` outputs `AssociatedFileEntries` and `UnassociatedFileEntries`): > Data about program executions if they are shimmed, programs part of an installed application, and programs part of scanned directories (with out requiring execution of the associated programs). > `AmcacheParser`'s `AssociatedFileEntries` output references programs associated with an application and `UnassociatedFileEntries` output references "loose" programs (that are not associated with an installed application). > Data available (depending on the `Amcache` libraries version): executable full path, program size, `SHA1` of the first 30MB of the executable in the `FileId` value, binary type (x86 versus x64), the compilation date of the program in the `LinkDate` value. > Additional data for entries associated with an installed application is available in the `InventoryApplication` key. The `ProgramId` value from the `InventoryApplicationFile` subkey of a given program matches the subkey's name under the `InventoryApplication` key of the associated application. The `InventoryApplication` key provide metadata information about the application: name, publisher, install date, etc. > For non up-to-date systems still using a `File` key, the last write time of an entry key under the `File` key coincides with the execution time of an executable or the application installation time. For entries under the newer `InventoryApplicationFile` key, the last write time of the keys always coincides with an execution of `Microsoft Compatibility Appraiser` and is thus no longer a timestamp of execution time. - `InventoryDeviceContainer` and `InventoryDevicePnp` (`AmcacheParser` outputs `DeviceContainers` and `DevicePnp`): > Data about devices plugged in on the system. > Data available: device type (usb; Bluetooth, media, ...), device friendly name, self reported description, manufacturer, associated driver, ... - `InventoryDriverBinary` (`AmcacheParser` output `DriveBinaries`): > Data about installed drivers. > Data available: driver name, full path, size, associated service name, compilation timestamp (`DriverTimestamp`), driver file last write timestamp, ... - `InventoryDriverPackage` (`AmcacheParser` output `DriverPackages`): > Data about drivers package file (INF file) that contains information about the driver. > Data available: driver package file name, path, last write timestamp, ... - `Programs` then `InventoryApplication` (`AmcacheParser` output `ProgramEntries`): > Data about installed programs, as referenced in the `Uninstall` and / or a `Run` key of the `SOFTWARE` hive. > Data available: application name, executable full path and SHA1, publisher, install date, ... `InventoryApplicationShortcut` (`AmcacheParser` output `ShortCuts`): > Data about the shortcuts (`LNK` files) that were present at one time (and that may still be present or may have been removed) from a subset of scanned folders (Start Menu and / or Desktop folders). > Data available: full path of the shortcut. The last write timestamp of the associated subkey can also be a general indicator of when the activity occurred but does not seem to match any `MACB` timestamps of the shortcut file.	`DLL` 6.1.7600: `%SystemRoot%\AppCompat\Programs\RecentFileCache.bcf` `%SystemRoot%\AppCompat\Programs\Amcache.hve`	`AmcacheParser.exe`
`PCA` Introduced in Windows 11 22H2.	Programs execution (GUI programs only)	The `Program Compatibility Assistant (PCA)` is another application compatibility feature that aim to maintain support of existing desktop applications to new versions of the Windows operating system (like the `Shimcache` and `Amcache` artefacts). `PCA` is linked to the `pcasvc` service. Executions of programs with a graphical interface, installed or from a portable executable. Command line programs executed as GUI programs (such as by double clicking on the CLI executable from `Windows Explorer`) will also generate an entry.	The information stored by the `PCA` is split in 3 text based files: - `PcaAppLaunchDic.txt`: > Most valuable file from a forensic standpoint and reliable source of program execution. > One entry per line, containing the full path of the executable and the timestamp of execution in `UTC` (in a pipe separated string). > Example: `%SystemRoot%\FOLDER\executable.exe\|2023-05-25 01:20:30.123`. - `PcaGeneralDb0.txt` and `PcaGeneralDb1.txt`: > Less entries than in the `PcaAppLaunchDic.txt` file, with most entries seemingly related to non `0x0` execution exit code. > One entry per line, containg the following information in a pipe delimited string: * Execution timestamp. * Execution status. * Full path of the executable. * Description of the executable and its vendor name. * File version. * `ProgramId` referenced in the `Amcache` registry hive (`InventoryApplicationFile` key). * Exit code of the execution.	Files under `%SystemRoot%\appcompat\pca`: `PcaAppLaunchDic.txt` `PcaGeneralDb0.txt` `PcaGeneralDb1.txt`
`Prefetch` Not present by default on Windows Server Operating Systems.	Programs execution	`Prefetch` is a performance enhancement feature that enables prefetching of applications to make system boots or applications startups faster. Limited to 128 entries (`Prefetch` files) on Windows XP to Windows 7, and 1024 entries starting from Windows 8. For more information: Prefetch note.	The `Prefecth` filenames are based on the executed program name and a hash, computed using a proprietary algorithm and based on the full path (and for some binaries, such as `dllhost.exe` or `svchost.exe`, command line parameters) of the executed program. Each `Prefecth` file can yield the following information: - The file name and size of the binary executed. - The first and, starting from Windows 8, the last eight executions timestamps - The `Prefecth` file `NTFS` created and last modified timestamps also indicate the first and last time the program was executed. - The run count (number of time the binary was executed). - The list of files and directories accessed during the first ten seconds of execution (including the eventual `DLL` loaded or PowerShell scripts for PowerShell execution). Whether the `Prefect` feature is enabled is configured by the `EnablePrefetcher` registry key: - `0x0` / undefined: disabled (default on Windows Server Operating Systems). - `0x1`: Partially enabled (application prefetching only). - `0x2`: Partially enabled (boot prefetching only). - `0x3`: Enabled (application and boot prefetching).	`Prefetch` files (`.PF`) in: `%SystemRoot%\Prefetch\*` `EnablePrefetcher`: `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters`	`PECmd.exe`
`System Resource Usage Monitor (SRUM)` Introduced in Windows 8.	Programs execution	`SRUM` is a feature that records numerous metrics of system activities, with a limited subset of the available information displayed within the Windows `Task Manager` ("App history" tab). The `SRUM` database is a `ESE` database that notably yields information related to programs execution and executed programs' network usage. The `SRUM` database only stores data for the last 30 to 60 days. Entries are not associated with their timestamp of occurrence but with the timestamp of insertion in the `SRUM` database. As entries are only written to the `SRUM` database every hour, timestamps are thus precise to the hour (with multiple entries usually sharing the same insertion timestamp). For more information: SRUM note.	Related to program execution, the `Application Resource Usage` (GUID `{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}`) and `App Timeline Provider` (GUID `{5C8CF1C7-7257-4F13-B223-970EF5939312}`) tables track programs execution. For each entry in the `Application Resource Usage` table (`SrumECmd`'s `AppResourceUseInfo` output), the following information may be recorded: - Timestamp of the `SRUM` entry creation. - Full path of the executable or application information / description for built-in components. - User `SID` of the user executing the process. - Metrics on CPU usage (CPU time in foreground and background). - Metrics on I/O operations (foreground / background number of read / write operations and bytes read / written). For each entry in the `Application Resource Usage` table (`SrumECmd`'s `AppTimelineProvider` output), the following information may be recorded: - Timestamp of the `SRUM` entry creation. - Name of the executable and description for built-in components. - Timestamp of compilation of the executable. - User `SID` of the user executing the process. - Timestamp of seemingly approximate end of execution. - Total duration of execution (in milliseconds).	`%SystemRoot%\System32\SRU\SRUDB.dat`	`SrumECmd`
Windows 10 Timeline / `ActivitiesCache.db` Introduced in Windows 10's version 1803.	Programs execution	The Windows Activity history tracks a number of operations on the system: programs used, local files opened, SharePoint documents consulted, and websites browsed (using Internet Explorer / Microsoft Edge Legacy). The Activity history can be consulted in the Windows Timeline (Windows + Tab keys). The `ActivitiesCache.db` is a `SQLite` database that locally stores the activity for its associated user. The `ActivitiesCache.db` only stores data for the last 30 days by default.	The `ActivitiesCache.db` is composed of a number of tables, with the following tables being of interest: - `Activity` / `ActivityOperation` tables: data about various activities for different operation / activity type: program execution and opening of a file (5, `ExecuteOpen`), copy-pasting from a program (`CopyPaste`), application "in focus" (`InFocus`), ... > Data available, varying depending on the activity type: the activity ID (GUID), executable full path for program execution, display text and content info that may contain file name / SharePoint link, start (`startedDateTime`) and end (`lastActiveDateTime`) of the activity (in `UTC`), created and last modified timestamp of the associated file (local or on SharePoint), the user's device timezone, ... > An activity data can be present in either or both tables depending on the activity lifecycle. For example, a new activity will only be present in the `Activity` table, while an activity in the "upload queue" will be placed in the `ActivityOperation` table. - `Activity_PackageId`: data about the application(s) / program(s) linked to a specific activity (identified by its activity ID). > Data available: the activity ID (GUID), the application name / program filename, eventual program full path, activity expiration timestamp (timestamp of occurrence + 30 days by default). > Upon occurrence of an activity, one or multiple entries sharing the same activity ID will be created in the `Activity_PackageId` table, one for each program / application related to the activity.	`%SystemRoot%\Users\<USERNAME>\AppData\Local\ConnectedDevicesPlatform\[L.<USERNAME> \| *]\ActivitiesCache.db`
`NTUSER` - `UserAssist`	Programs execution (GUI programs only)	The purpose of the `UserAssist` registry key is not officially documented. The registry key references executions of programs with a graphical interface, installed or from a portable executable.	One or two main registry subkeys can be found depending on the Windows OS version: - On Windows Xp, `{75048700-EF1F-11D0-9888-006097DEACF9}` linked to execution of executable files - Starting from Windows 7, `{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}` linked to execution of executable files and `{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}` linked to execution of shortcut files. Keys are `ROT13` encoded, and contains the following notable information: - Full path of the executed program / shortcut. - Sometimes, the timestamp of the last execution. - An unreliable run counter and focus time.	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count`
`UsrClass` - `MUICache`	Programs execution (GUI programs only)	`Multilanguage User Interface (MUI)` is a feature to allow applications to have a single executable for multiple languages. `MUI` files can be created, one per supported language, to switch the application display language. The registry key references executions of programs with a graphical interface, installed or from a portable executable.	Each execution is associated with two values under the `MUICache` registry key, both starting with the executable full path. The values data reference information retrieved from the executable's `Version` information from its resources section (`.rsrc`): - `<PE_FULL_PATH>.FriendlyAppName`: references the executable `FileDescription`. This can be used to identify renamed executable, as the original filename is likely going to be referenced by the `FileDescription` attribute. - `<PE_FULL_PATH>.ApplicationCompany`: references the executable `CompanyName`. The `MUICache` does not provide a timestamp of execution, and the last write timestamp of the key cannot be used to infer the timestamp of execution (as the entries are stored directly as registry values).	File: `%SystemDrive%:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat` Registry keys: `HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache` `HKCU\Local Settings\MuiCache`
`HKLM\SYSTEM` - `Background Activity Moderator (BAM)` / `Desktop Activity Moderator (DAM)` Introduced in Windows 10's Fall Creators update - version 1709.	Programs execution	`BAM` is a mostly undocumented feature that controls the programs executed in the background. `DAM` is a feature for devices supporting the "Connected Standby" mode (i.e when a device is turned on, but its display will be turned off). As a result, the `BAM` registry keys will contain data on any devices, while `DAM` registry keys will only contain data on mobile devices.	The `BAM` registry key contains multiple subkeys under `bam\State\UserSettings`, with one subkey per user, identified with the user `SID`. While the key is in the `SYSTEM` registry hive, program executions can thus still be tied to a specific user using this `SID`. Each user-specific key contains a list of executed programs, with their full path and timestamp of last execution. If a file is deleted, the eventual associated entry in the `BAM` is deleted as well after the system reboot. Additionally, `BAM` entries older than 7 days are deleted upon system boot. The `BAM` thus provides limited information on historic execution of programs. No entries are created in the `BAM` keys for executables on removable media and/or on network shares.	File: `%SystemRoot%\System32\config\SYSTEM` Registry key: `HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>\` After from Win10 1809: `HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>\` `HKLM\SYSTEM\CurrentControlSet\Services\dam\UserSettings\<SID>\` After from Win10 1809: `HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\<SID>\`
`NTUSER` - `FeatureUsage` Introduced in Windows 10's version 1903.	Programs execution	Feature linked to the Windows Task, storing a number of metrics related to the Task bar usage.	Each operation (detailed below) is associated with an entry composed of the program full path and operation run count. No timestamp of execution is available. Subregistry keys: - `AppSwitched`: number of times an application was brought to focus (application left-clicked on the taskbar). - `ShowJumpView`: number of times the jump menu of an application was opened (application right-clicked on the taskbar). - `AppBadgeUpdated`: number of times an application on the taskbar has have its icon updated (for example for notifications). - `AppLaunch`: number of times an application pinned on the taskbar has been executed. - `TrayButtonClicked`: numer of times a default taskbar button (such as the Windows start button) was clicked.	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry keys under `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage`.
`EVTX` - PowerShell activity events	Programs execution and PowerShell activity	For more information: PowerShell activity note.	`Microsoft-Windows-PowerShell%4Operational`: - Event `4103`, related to PowerShell modules. Requires PowerShell `Module Logging` to be enabled. - Event `4104`, related to PowerShell script block. Requires PowerShell `Script Block Logging` to be enabled. By default, events will however be logged for potentially-malicious commands execution.	`Microsoft-Windows-PowerShell%4Operational`
PowerShell console activity `ConsoleHost_history.txt` Introduced in Windows 10 / PowerShell 5.	Programs execution and PowerShell activity	Starting with `PowerShell v5` on `Windows 10`, the commands entered in a PowerShell console will be logged by the `PSReadline` module to an user-scoped `ConsoleHost_history.txt` file. Console-less PowerShell sessions, such as the content of PowerShell script or commands execution through the `PowerShell ISE`, will not be logged in this file. Bypassing `PSReadline` logging is also easy, as it simply requires to unload the `PSReadline` module (for instance with the `Remove-Module PSReadline` in an existing PowerShell session).	The `ConsoleHost_history.txt` file contains the commands entered, with one command per line and no associated timestamps (or any additional metadata). By default, the last 4096 commands are conserved.	`%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt`
.NET CLR `UsageLogs`	Programs execution	Following the execution (or in-memory injection) of a .NET assembly, the `Common Language Runtime (CLR)` creates a `Usage Log` file whose named is based on the name of the executed assembly. The file is written just prior the assembly execution terminate, and will thus not be written if the process does not gracefully exit.	The filename of the log file match the name of the assembly / binary executed. The file creation timestamp corresponds to the first time the associated assembly was executed and the file last modification timestamp corresponds to the last execution time of the assembly.	`%SystemDrive%:\Users\<USERNAME>\AppData\Local\Microsoft\CLR_v<VERSION>\UsageLogs\<BINARY_NAME>.exe.log`
`NTUSER` - `RecentApps` Introduced in Windows 10 1607 and removed in Windows 10 1709 (with the key not present on subsequent version).	Programs execution	Undocumented feature, added and (relatively) shortly after removed from the Windows operating system.	Each subkey, identified with a GUID, under the `RecentApps` key correspond to an executed program. In these application GUID subkeys, the filename, last access timestamp, and run count of the application are stored. Additionally, each application GUID subkey can have up to 10 subkeys, also identified with a GUID, that correspond to files accessed using the application. In these file GUID subkeys, the file name, file full path, and (on some OS version) an non-updated timestamp of last access. The last write timestamp of an application subkey can indicate when the program was last executed. While the last write timestamp of a file subkey can indicate when the file was accessed (with the associated program).	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\<GUID>`
`Jumplist`	Programs execution	Detailed in `Files and folders access`	-	-
`NTUSER` - `Explorer` - Common Dialogs - `CIDSizeMRU`	Programs execution	Recently executed programs, linked to `Common Dialogs` activities (pop boxes to open / save file, print, find / replace, ...).	The key contains an ordered `Most Recently Used (MRU)` list of executed programs, identified through their filename. The last write timestamp of the key thus corresponds to the timestamp of execution of the most recently executed program (first in the MRU list).	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU`
`NTUSER` - `Explorer` - Common Dialogs - `LastVisitedMRU` / `LastVisitedPidlMRU` `LastVisitedPidlMRULegacy` Renamed in Windows Vista and later.	Programs execution	Records the programs used to open / save (some of) the file tracked in the `OpenSaveMRU` / `OpenSavePidlMRU` registry key. Notably used to track the last folder used by a given program in an "Open File" / "Save File" `Common Dialogs` window.	Applications tracked are stored in an ordered `Most Recently Used (MRU)` list. The last write timestamp of the key thus corresponds to the timestamp of execution of the most recently executed program (first in the MRU list). For each application, the full path of the folder can be constructed from information blocks on each subfolder in the location. For exemple, for the "%SystemRoot%\Users\Public\Documents" location, three blocks will be present: "Users", "Public", and "Documents". For each block, the created and last accessed timestamps and the MFT entry / sequence associated with the folder are referenced.	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU` `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU` `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy`
`NTUSER` - `RunMRU`	Programs execution	Tacks items (program, files / folders, `URL`, ...) launched from the `Windows Run` launcher (Windows + R shortcut). Entries are added / updated in near real-time.	Each entry successfully launched trough the `Windows Run` launcher is stored in a dedicated value under the `Explorer\RunMRU` key. The values are ordered in a `Most recently used (MRU)` list, specified in the `MRUList` value. Example: `MRUList` equals to `ba` means that the entry tagged as `b` was launched last / the most recently, preceded by the entry tagged as `a`. The last write timestamp of the key thus indicates the timestamp of the most recently entered item.	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU`

EVTX - Security.evtx - Process creation

Programs execution

For more information: Program execution note.

Event 4688: A new process has been created Event 4689: Process Termination: Success and Failure Requires Audit Process Creation to be enabled. If the ProcessCreationIncludeCmdLine_Enabled audit policy is enabled, the command line specified at the process creation will be logged.

Security.evtx

HKLM\SYSTEM - Application Compatibility Cache (Shimcache)

Programs execution (before Windows 10 / Windows Server 2016) Executable presence

Application compatibility feature that aim to maintain support of existing software to new versions of the Windows operating system. A Shimcache entry is created whenever a program is executed from a specific path. However, starting from the Windows Vista and Windows Server 2008 operating systems, entries may also be created for files in a directory that is accessed interactively. Shimcache entries are only written to the registry upon shutdown of the system. The Shimcache entries generated since the last system boot are thus only stored in memory. Limited to 96 entries on Windows XP / Windows Server 2003, and 1024 entries starting from Windows Vista. For more information: Shimcache note.

Each Shimcache entries contain the following notable information: - The associated file full path. - On Windows 2003 / XP 64-bit and older, the file size. - The LastModifiedTime ($Standard_Information) timestamp of the file, which does not necessarily reflect the execution time. Indeed, Shimcache entries are not directly associated with an insert / executed timestamp. - The cache entry position, as a numerical value starting from 0, which represents the insertion position in the Shimcache. **The lower the value, the more recently the program was shimmed. - From Windows Vista / Windows Server 2008 to Windows 8.1 / Windows Server 2012 R2, the (undocumented) Insert Flag flag which, when set, seems to indicate that the entry was executed. This flag is no longer present starting from Windows 10 / Windows Server 2016, and thus a Shimcache entry does not necessarily reflect an execution (as entries may also be created for files in a directory that is accessed interactively). - On Windows XP 32-bit, the file Last Update Time timestamp.

File: %SystemRoot%\System32\config\SYSTEM Registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

AppCompatCacheParser.exe For entries present in memory: Volatility2's shimcache plugin.

Amcache RecentFileCache For DLL 6.1.7600, replaced by Amcache.hve on up-to-date systems. Starting from Windows 7 & Windows Server 2008 R2

Programs execution (for non up-to date system) Executable presence

Very complex artefact, linked to an application compatibility feature that aim to maintain support of existing software to new versions of the Windows operating system (like the Shimcache artefact). The Amcache is a standalone registry hive, with multiple root keys that contain various types of data. The Amcache behavior depends on the version of the associated libraries, and not the version of the operating system. The Amcache on an up-to-date Windows 7 and Windows 10 will thus behave the same way. A Amcache entry is created whenever a program is executed from a specific path. However, entries may also be created for files in "scanned" directory. For more information: Amcache note.

The Amcache.hve registry hive is split in a number of root keys, with keys being added, changed, or removed depending on the Amcache DLLs versions. The following notable root keys can be of forensic interest: - File then InventoryApplicationFile starting from the version 10.0.14913.1002 of the Amcache libraries (AmcacheParser outputs AssociatedFileEntries and UnassociatedFileEntries): > Data about program executions if they are shimmed, programs part of an installed application, and programs part of scanned directories (with out requiring execution of the associated programs). > AmcacheParser's AssociatedFileEntries output references programs associated with an application and UnassociatedFileEntries output references "loose" programs (that are not associated with an installed application). > Data available (depending on the Amcache libraries version): executable full path, program size, SHA1 of the first 30MB of the executable in the FileId value, binary type (x86 versus x64), the compilation date of the program in the LinkDate value. > Additional data for entries associated with an installed application is available in the InventoryApplication key. The ProgramId value from the InventoryApplicationFile subkey of a given program matches the subkey's name under the InventoryApplication key of the associated application. The InventoryApplication key provide metadata information about the application: name, publisher, install date, etc. > For non up-to-date systems still using a File key, the last write time of an entry key under the File key coincides with the execution time of an executable or the application installation time. For entries under the newer InventoryApplicationFile key, the last write time of the keys always coincides with an execution of Microsoft Compatibility Appraiser and is thus no longer a timestamp of execution time. - InventoryDeviceContainer and InventoryDevicePnp (AmcacheParser outputs DeviceContainers and DevicePnp): > Data about devices plugged in on the system. > Data available: device type (usb; Bluetooth, media, ...), device friendly name, self reported description, manufacturer, associated driver, ... - InventoryDriverBinary (AmcacheParser output DriveBinaries): > Data about installed drivers. > Data available: driver name, full path, size, associated service name, compilation timestamp (DriverTimestamp), driver file last write timestamp, ... - InventoryDriverPackage (AmcacheParser output DriverPackages): > Data about drivers package file (INF file) that contains information about the driver. > Data available: driver package file name, path, last write timestamp, ... - Programs then InventoryApplication (AmcacheParser output ProgramEntries): > Data about installed programs, as referenced in the Uninstall and / or a Run key of the SOFTWARE hive. > Data available: application name, executable full path and SHA1, publisher, install date, ... InventoryApplicationShortcut (AmcacheParser output ShortCuts): > Data about the shortcuts (LNK files) that were present at one time (and that may still be present or may have been removed) from a subset of scanned folders (Start Menu and / or Desktop folders). > Data available: full path of the shortcut. The last write timestamp of the associated subkey can also be a general indicator of when the activity occurred but does not seem to match any MACB timestamps of the shortcut file.

DLL 6.1.7600: %SystemRoot%\AppCompat\Programs\RecentFileCache.bcf %SystemRoot%\AppCompat\Programs\Amcache.hve

AmcacheParser.exe

PCA Introduced in Windows 11 22H2.

Programs execution (GUI programs only)

The Program Compatibility Assistant (PCA) is another application compatibility feature that aim to maintain support of existing desktop applications to new versions of the Windows operating system (like the Shimcache and Amcache artefacts). PCA is linked to the pcasvc service. Executions of programs with a graphical interface, installed or from a portable executable. Command line programs executed as GUI programs (such as by double clicking on the CLI executable from Windows Explorer) will also generate an entry.

The information stored by the PCA is split in 3 text based files: - PcaAppLaunchDic.txt: > Most valuable file from a forensic standpoint and reliable source of program execution. > One entry per line, containing the full path of the executable and the timestamp of execution in UTC (in a pipe separated string). > Example: %SystemRoot%\FOLDER\executable.exe|2023-05-25 01:20:30.123. - PcaGeneralDb0.txt and PcaGeneralDb1.txt: > Less entries than in the PcaAppLaunchDic.txt file, with most entries seemingly related to non 0x0 execution exit code. > One entry per line, containg the following information in a pipe delimited string: * Execution timestamp. * Execution status. * Full path of the executable. * Description of the executable and its vendor name. * File version. * ProgramId referenced in the Amcache registry hive (InventoryApplicationFile key). * Exit code of the execution.

Files under %SystemRoot%\appcompat\pca: PcaAppLaunchDic.txt PcaGeneralDb0.txt PcaGeneralDb1.txt

Prefetch Not present by default on Windows Server Operating Systems.

Programs execution

Prefetch is a performance enhancement feature that enables prefetching of applications to make system boots or applications startups faster. Limited to 128 entries (Prefetch files) on Windows XP to Windows 7, and 1024 entries starting from Windows 8. For more information: Prefetch note.

The Prefecth filenames are based on the executed program name and a hash, computed using a proprietary algorithm and based on the full path (and for some binaries, such as dllhost.exe or svchost.exe, command line parameters) of the executed program. Each Prefecth file can yield the following information: - The file name and size of the binary executed. - The first and, starting from Windows 8, the last eight executions timestamps - The Prefecth file NTFS created and last modified timestamps also indicate the first and last time the program was executed. - The run count (number of time the binary was executed). - The list of files and directories accessed during the first ten seconds of execution (including the eventual DLL loaded or PowerShell scripts for PowerShell execution). Whether the Prefect feature is enabled is configured by the EnablePrefetcher registry key: - 0x0 / undefined: disabled (default on Windows Server Operating Systems). - 0x1: Partially enabled (application prefetching only). - 0x2: Partially enabled (boot prefetching only). - 0x3: Enabled (application and boot prefetching).

Prefetch files (.PF) in: %SystemRoot%\Prefetch\* EnablePrefetcher: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

PECmd.exe

System Resource Usage Monitor (SRUM) Introduced in Windows 8.

Programs execution

SRUM is a feature that records numerous metrics of system activities, with a limited subset of the available information displayed within the Windows Task Manager ("App history" tab). The SRUM database is a ESE database that notably yields information related to programs execution and executed programs' network usage. The SRUM database only stores data for the last 30 to 60 days. Entries are not associated with their timestamp of occurrence but with the timestamp of insertion in the SRUM database. As entries are only written to the SRUM database every hour, timestamps are thus precise to the hour (with multiple entries usually sharing the same insertion timestamp). For more information: SRUM note.

Related to program execution, the Application Resource Usage (GUID {D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}) and App Timeline Provider (GUID {5C8CF1C7-7257-4F13-B223-970EF5939312}) tables track programs execution. For each entry in the Application Resource Usage table (SrumECmd's AppResourceUseInfo output), the following information may be recorded: - Timestamp of the SRUM entry creation. - Full path of the executable or application information / description for built-in components. - User SID of the user executing the process. - Metrics on CPU usage (CPU time in foreground and background). - Metrics on I/O operations (foreground / background number of read / write operations and bytes read / written). For each entry in the Application Resource Usage table (SrumECmd's AppTimelineProvider output), the following information may be recorded: - Timestamp of the SRUM entry creation. - Name of the executable and description for built-in components. - Timestamp of compilation of the executable. - User SID of the user executing the process. - Timestamp of seemingly approximate end of execution. - Total duration of execution (in milliseconds).

%SystemRoot%\System32\SRU\SRUDB.dat

SrumECmd

Windows 10 Timeline / ActivitiesCache.db Introduced in Windows 10's version 1803.

Programs execution

The Windows Activity history tracks a number of operations on the system: programs used, local files opened, SharePoint documents consulted, and websites browsed (using Internet Explorer / Microsoft Edge Legacy). The Activity history can be consulted in the Windows Timeline (Windows + Tab keys). The ActivitiesCache.db is a SQLite database that locally stores the activity for its associated user. The ActivitiesCache.db only stores data for the last 30 days by default.

The ActivitiesCache.db is composed of a number of tables, with the following tables being of interest: - Activity / ActivityOperation tables: data about various activities for different operation / activity type: program execution and opening of a file (5, ExecuteOpen), copy-pasting from a program (CopyPaste), application "in focus" (InFocus), ... > Data available, varying depending on the activity type: the activity ID (GUID), executable full path for program execution, display text and content info that may contain file name / SharePoint link, start (startedDateTime) and end (lastActiveDateTime) of the activity (in UTC), created and last modified timestamp of the associated file (local or on SharePoint), the user's device timezone, ... > An activity data can be present in either or both tables depending on the activity lifecycle. For example, a new activity will only be present in the Activity table, while an activity in the "upload queue" will be placed in the ActivityOperation table. - Activity_PackageId: data about the application(s) / program(s) linked to a specific activity (identified by its activity ID). > Data available: the activity ID (GUID), the application name / program filename, eventual program full path, activity expiration timestamp (timestamp of occurrence + 30 days by default). > Upon occurrence of an activity, one or multiple entries sharing the same activity ID will be created in the Activity_PackageId table, one for each program / application related to the activity.

%SystemRoot%\Users\<USERNAME>\AppData\Local\ConnectedDevicesPlatform\[L.<USERNAME> | *]\ActivitiesCache.db

NTUSER - UserAssist

Programs execution (GUI programs only)

The purpose of the UserAssist registry key is not officially documented. The registry key references executions of programs with a graphical interface, installed or from a portable executable.

One or two main registry subkeys can be found depending on the Windows OS version: - On Windows Xp, {75048700-EF1F-11D0-9888-006097DEACF9} linked to execution of executable files - Starting from Windows 7, {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} linked to execution of executable files and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} linked to execution of shortcut files. Keys are ROT13 encoded, and contains the following notable information: - Full path of the executed program / shortcut. - Sometimes, the timestamp of the last execution. - An unreliable run counter and focus time.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count

UsrClass - MUICache

Programs execution (GUI programs only)

Multilanguage User Interface (MUI) is a feature to allow applications to have a single executable for multiple languages. MUI files can be created, one per supported language, to switch the application display language. The registry key references executions of programs with a graphical interface, installed or from a portable executable.

Each execution is associated with two values under the MUICache registry key, both starting with the executable full path. The values data reference information retrieved from the executable's Version information from its resources section (.rsrc): - <PE_FULL_PATH>.FriendlyAppName: references the executable FileDescription. This can be used to identify renamed executable, as the original filename is likely going to be referenced by the FileDescription attribute. - <PE_FULL_PATH>.ApplicationCompany: references the executable CompanyName. The MUICache does not provide a timestamp of execution, and the last write timestamp of the key cannot be used to infer the timestamp of execution (as the entries are stored directly as registry values).

File: %SystemDrive%:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat Registry keys: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache HKCU\Local Settings\MuiCache

HKLM\SYSTEM - Background Activity Moderator (BAM) / Desktop Activity Moderator (DAM) Introduced in Windows 10's Fall Creators update - version 1709.

Programs execution

BAM is a mostly undocumented feature that controls the programs executed in the background. DAM is a feature for devices supporting the "Connected Standby" mode (i.e when a device is turned on, but its display will be turned off). As a result, the BAM registry keys will contain data on any devices, while DAM registry keys will only contain data on mobile devices.

The BAM registry key contains multiple subkeys under bam\State\UserSettings, with one subkey per user, identified with the user SID. While the key is in the SYSTEM registry hive, program executions can thus still be tied to a specific user using this SID. Each user-specific key contains a list of executed programs, with their full path and timestamp of last execution. If a file is deleted, the eventual associated entry in the BAM is deleted as well after the system reboot. Additionally, BAM entries older than 7 days are deleted upon system boot. The BAM thus provides limited information on historic execution of programs. No entries are created in the BAM keys for executables on removable media and/or on network shares.

File: %SystemRoot%\System32\config\SYSTEM Registry key: HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>\* After from Win10 1809: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>\* HKLM\SYSTEM\CurrentControlSet\Services\dam\UserSettings\<SID>\* After from Win10 1809: HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\<SID>\*

NTUSER - FeatureUsage Introduced in Windows 10's version 1903.

Programs execution

Feature linked to the Windows Task, storing a number of metrics related to the Task bar usage.

Each operation (detailed below) is associated with an entry composed of the program full path and operation run count. No timestamp of execution is available. Subregistry keys: - AppSwitched: number of times an application was brought to focus (application left-clicked on the taskbar). - ShowJumpView: number of times the jump menu of an application was opened (application right-clicked on the taskbar). - AppBadgeUpdated: number of times an application on the taskbar has have its icon updated (for example for notifications). - AppLaunch: number of times an application pinned on the taskbar has been executed. - TrayButtonClicked: numer of times a default taskbar button (such as the Windows start button) was clicked.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry keys under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage.

EVTX - PowerShell activity events

Programs execution and PowerShell activity

For more information: PowerShell activity note.

Microsoft-Windows-PowerShell%4Operational: - Event 4103, related to PowerShell modules. Requires PowerShell Module Logging to be enabled. - Event 4104, related to PowerShell script block. Requires PowerShell Script Block Logging to be enabled. By default, events will however be logged for potentially-malicious commands execution.

Microsoft-Windows-PowerShell%4Operational

PowerShell console activity ConsoleHost_history.txt Introduced in Windows 10 / PowerShell 5.

Programs execution and PowerShell activity

Starting with PowerShell v5 on Windows 10, the commands entered in a PowerShell console will be logged by the PSReadline module to an user-scoped ConsoleHost_history.txt file. Console-less PowerShell sessions, such as the content of PowerShell script or commands execution through the PowerShell ISE, will not be logged in this file. Bypassing PSReadline logging is also easy, as it simply requires to unload the PSReadline module (for instance with the Remove-Module PSReadline in an existing PowerShell session).

The ConsoleHost_history.txt file contains the commands entered, with one command per line and no associated timestamps (or any additional metadata). By default, the last 4096 commands are conserved.

%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt

.NET CLR UsageLogs

Programs execution

Following the execution (or in-memory injection) of a .NET assembly, the Common Language Runtime (CLR) creates a Usage Log file whose named is based on the name of the executed assembly. The file is written just prior the assembly execution terminate, and will thus not be written if the process does not gracefully exit.

The filename of the log file match the name of the assembly / binary executed. The file creation timestamp corresponds to the first time the associated assembly was executed and the file last modification timestamp corresponds to the last execution time of the assembly.

%SystemDrive%:\Users\<USERNAME>\AppData\Local\Microsoft\CLR_v<VERSION>\UsageLogs\<BINARY_NAME>.exe.log

NTUSER - RecentApps Introduced in Windows 10 1607 and removed in Windows 10 1709 (with the key not present on subsequent version).

Programs execution

Undocumented feature, added and (relatively) shortly after removed from the Windows operating system.

Each subkey, identified with a GUID, under the RecentApps key correspond to an executed program. In these application GUID subkeys, the filename, last access timestamp, and run count of the application are stored. Additionally, each application GUID subkey can have up to 10 subkeys, also identified with a GUID, that correspond to files accessed using the application. In these file GUID subkeys, the file name, file full path, and (on some OS version) an non-updated timestamp of last access. The last write timestamp of an application subkey can indicate when the program was last executed. While the last write timestamp of a file subkey can indicate when the file was accessed (with the associated program).

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\<GUID>

Jumplist

Programs execution

Detailed in Files and folders access

NTUSER - Explorer - Common Dialogs - CIDSizeMRU

Programs execution

Recently executed programs, linked to Common Dialogs activities (pop boxes to open / save file, print, find / replace, ...).

The key contains an ordered Most Recently Used (MRU) list of executed programs, identified through their filename. The last write timestamp of the key thus corresponds to the timestamp of execution of the most recently executed program (first in the MRU list).

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\CIDSizeMRU

NTUSER - Explorer - Common Dialogs - LastVisitedMRU / LastVisitedPidlMRU LastVisitedPidlMRULegacy Renamed in Windows Vista and later.

Programs execution

Records the programs used to open / save (some of) the file tracked in the OpenSaveMRU / OpenSavePidlMRU registry key. Notably used to track the last folder used by a given program in an "Open File" / "Save File" Common Dialogs window.

Applications tracked are stored in an ordered Most Recently Used (MRU) list. The last write timestamp of the key thus corresponds to the timestamp of execution of the most recently executed program (first in the MRU list). For each application, the full path of the folder can be constructed from information blocks on each subfolder in the location. For exemple, for the "%SystemRoot%\Users\Public\Documents" location, three blocks will be present: "Users", "Public", and "Documents". For each block, the created and last accessed timestamps and the MFT entry / sequence associated with the folder are referenced.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy

NTUSER - RunMRU

Programs execution

Tacks items (program, files / folders, URL, ...) launched from the Windows Run launcher (Windows + R shortcut). Entries are added / updated in near real-time.

Each entry successfully launched trough the Windows Run launcher is stored in a dedicated value under the Explorer\RunMRU key. The values are ordered in a Most recently used (MRU) list, specified in the MRUList value. Example: MRUList equals to ba means that the entry tagged as b was launched last / the most recently, preceded by the entry tagged as a. The last write timestamp of the key thus indicates the timestamp of the most recently entered item.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Files and folders access

Name Type Description Information / interpretation Location Tool(s)

Name	Type	Description	Information / interpretation	Location	Tool(s)
`NTUSER` & `UsrClass` - `Shellbag`	Folders access	Registry keys designed as an user experience enhancing feature to keep track of Windows explorer graphical display settings on a folder-by-folder basis. For instance, a `Shellbag` entry is used to store the "View" mode of a folder (details, list, small / medium / large icons) as well as the column displayed (entry names, dates, sizes, etc.) and their order. `Shellbags` contain folders and network shares to which a given user has navigated (using the `Windows Explorer`), but not files or subdirectories if they were not accessed. An exception is for `ZIP` files opened directly as folders through the `Windows Explorer`, that are stored as if they were folders (with their content thus partially referenced depending on the related activity). `Shellbags` entries are also generated for access to the `Control Panel` settings, on an interface-by-interface basis (`Windows Firewall`, `Credential Manager`). `Shellbags` entries are not deleted upon deletion of the related folders and can thus be a source of historical information. For more information: Shellbags note.	Various kinds of user activity may generate or update `Shellbag` entries (with different level of data depending on the activity): - First access or renaming of folders, removable devices, or network shares through the Windows Explorer systematically generate a `Shellbag` entry. - Graphical opening of compressed archives or ISOs. - ... `Shellbag` entries are stored in registry as a tree-like data structure, with the root target having the topmost `BagMRU` key. Each sub-target (sub directory for example) of the parent target are then represented with both: - A registry subkey, named with a numerical value (starting from `0`). - A registry value (in the parent target's registry key), named with the same numerical value and associated with binary data that notably contains the target's name. Each `Shellbag` `BagMRU` registry key also contains a `MRUListEx` value, that maintains the entries visited order, i.e the order in which the sub targets of a target were accessed (the last sub target accessed having a `MRU position` of 0). Each `Shellbags` entry for a given target yield the following notable information: - The target name and absolute path. - The target modified, access, and created (`MAC`) timestamps (UTC), retrieved from the `$MFT` at the `Shellbag` entry creation (and not further updated). - Additionally the `Shellbags` `BagMRU` hierarchical nature and `MRUListEx` list can be used to deduce the first and last interacted timestamps for some targets: > For entries that do not have subkeys (i.e directory for which no subdirectory were accessed), the first interacted timestamp is equal to the key's `LastWriteTime` timestamp. This is due to the fact that the key is created when a target is first accessed, and further activity for that target (such as display settings modifications) will only update the key's values. When a subkey is created for the target (i.e when a subdirectory is accessed for that particular directory), the timestamp becomes unreliable as it reflect the creation of the subkey. > The last interacted timestamp can be deducted for the sub target that was last interacted with (`MRU` position `0`), and is equal to the parent key's `LastWriteTime` timestamp. Major updates of the Windows operating system may however result in modification of `ShellBags` entries, resulting in updated last written timestamp.	Locations starting from Windows 7: `Windows Explorer` activity: File: `%SystemDrive%:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat` Registry keys: `HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU` `HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags` Desktop and Network locations activity: File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry keys: `HKCU\Software\Microsoft\Windows\Shell\BagMRU` `HKCU\Software\Microsoft\Windows\Shell\Bags`	`ShellBagsExplorer` `SBECmd.exe`
`Jumplist`	Files and folders access	Linked to a taskbar user experience-enhancing feature that allows users to "jump" to files, folders or others elements by right clicking on open applications in the `Windows taskbar`. The `Windows Explorer`'s `Quick Access` feature also stores entries in `Jumplists`. Two forms of `Jumplists` are created: - Automatic entries for items recently accessed through the application: `<APP_IDENTIFIER>.automaticDestinations-ms` files. - Custom entries for application defined or manually "pinned" elements: `<APP_IDENTIFIER>.customDestinations-ms` files. For both `Jumplist` types, the `<APP_IDENTIFIER>` is a Windows set unique identifier that is used to link a particular application with its `Jumplists`. While no official mapping is documented, `JLECmd` maintains a list of known application identifiers. For more information: Jumplist note.	An application is associated with one `AutomaticDestinations` file and one `CustomDestinations` file, that share the `<APP_IDENTIFIER>` of the application. A `JumpList` is assimilable to a series / list of `shortcut files (LNK)`, each entry in the `JumpList` being a `shortcut file` structure. Thus the same level of information found in a `shortcut file` is available for each item referenced in an application `AutomaticDestinations` and `CustomDestinations` `JumpLists`.	`%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\.automaticDestinations-ms` `%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\.customDestinations-ms`
`LNK (shortcuts) Files`	Files and folders access	Windows Shell Items that reference an original file, folder, or application. While `shortcut files` can be created manually, the Windows operating system also creates `shortcut files` under numerous user activities, such as opening of a non-executable file. For instance, a `shortcut file` is created under `[...]\AppData\Roaming\Microsoft\Windows\Recent\` whenever a file is opened from the `Windows Explorer`. These automatically created and updated `shortcut files` are not deleted upon deletion of their associated files. For more information: LNKFile note.	The creation and modification timestamps of the shortcut file itself will usually respectively indicate when the target file was first and last opened. Each shortcut file additionally yield the following information: - The target file's absolute path, size and attributes (hidden, read-only, etc.). - The target file modified, access, and created (`MAC`) timestamps at the time of the last access to the target file. - Whether the target file was stored locally or on a remote network share. - Occasionally information on the volume of the target file: name, type (fixed vs removable storage media), serial number, and label / name if any. - Occasionally information on the host of the target file: system's NetBIOS hostname and MAC address.	Automatically created `shortcut files` for files opened from the Windows Explorer: `%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\.lnk` Documents opened using `Microsoft Office`: `%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Office\Recent\.lnk` `Shortcut files` created automatically by the `Windows Explorer` are referenced in the `NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` registry keys. `Startup folders` items: `%SystemDrive%:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp` `%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup`	`LECmd` `exiftool`
Windows 10 Timeline / `ActivitiesCache.db` Introduced in Windows 10's version 1803.	Files and folders access	Detailed in `Program execution`	-	-
`WebCacheV01.dat`	Files and folders access	Access to local files may appear in the `WebCacheV01.dat` `ESE` database. This database is mainly used to store browsing history, downloads, cache, and cookies (metadata) for the `Microsoft Internet Explorer` and `Microsoft Edge` (legacy) web browsers. However, access to local files, not necessarily through a web browser, may also appear in the `WebCacheV01.dat` database.	Access to local files will be identifiable by the `file` `URI` scheme (such as `file:///<DRIVE_LETTER>:/folder/file`).	`%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat`	`NirSoft's BrowsingHistoryView`
`NTUSER` - `Explorer` - Common Dialogs - `OpenSaveMRU` `OpenSavePidlMRU` Renamed in Windows Vista and later.	Files and folders access	Information on files opened or saved through the "Open File" or "Save File" `Common Dialogs` window.	The `OpenSaveMRU`/ `OpenSavePidlMRU` keys has multiple subkeys, one for each different file extensions (for the files opened / saved on the given system). Each subkey contains an ordered `Most recently used (MRU)` list of opened / saved files (full path of the file). The list can go up to 20 entries, with entries over 20 being overwritten. The last write timestamp of each subkey thus corresponds to the timestamp of opening / saving of the file in MRU position 0 (for a given file extension).	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU` `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU`
`NTUSER` - `Explorer` - `RecentDocs`	Files and folders access	Non-executable files opened through the Windows Explorer, stored as one subkey per file extension.	Each subkey contains the opened files of the given extension stored in a ordered `Most Recently Used (MRU)` list. The last written timestamp of the key correspond to the timestamp of the opening of the most recently accessed file (MRU position 0). Entry created under the RecentDocs registry keys are associated with a shortcut file under `%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\`.	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs`
`NTUSER` - `Explorer` - `TypedPaths`	Files and folders access	Paths entered (typed, pasted, or auto-completed) in the Windows Explorer location search bars. Entries are not added / updated in real-time, but are seemingly added / updated on user logoff / system reboot.	The file paths are stored as `url1` to `url[N]` in inversed chronological order. The last write timestamp of the key is thus the timestamp of visit of the most recently visited path. As program can be directly executed from the Windows Explorer search bar, traces of program executions may be found in the `TypedPaths` entries.	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths`
`NTUSER` - `Explorer` - `WordWheelQuery` Starting from Windows 7 and not present on Windows Server Operating Systems.	Files and folders access	Keywords searched in from the `Windows Explorer` search box, potentially resulting in files or folders access.	The entries are stored in a `Most Recently Used (MRU)` list. The last write timestamp of the key indicates the timestamp of the most recently searched keyword.	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery`
`Windows Search` database	Files and folders access	Detailed in `Filesystem`.	-	-
`NTUSER` - `RunMRU`	Files and folders access	Detailed in `Program execution`.	-	-
`NTUSER` - `RecentApps` Introduced in Windows 10 1607 and removed in Windows 10 1709 (with the key not present on subsequent version).	Files and folders access	Detailed in `Program execution`.	-	-
`NTUSER` - `MountPoints2`	Files and folders access	Currently or previously mapped drives (such as the system drive, USB devices, or network shares) mounted by the associated user.	Each drives is represented by a subkey, which is named as either the `volume GUID`, a letter, or, for network shares, using a specific nomenclature (`##<IP \| HOSTNAME>#<SHARE_NAME>`). For more information on `MountPoints2` related to devices, refer to `Devices and USB activity`.	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2`
`NTUSER` - `Map Network Drive MRU`	Files and folders access	Recently used network shares.	-	File: `%SystemDrive%:\Users\<USERNAME>\NTUSER.dat` Registry key: `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU`
`EVTX` - `Security.evtx` - Network share access: `Audit File Share`	Network shared files and folders access	Events related to network shares: creation, deletion, modification, and access attempts of network shares. Do not track access to folders and files hosted on network shares. As there are no `System Access Control Lists` (`SACLs`) for shares, access to all shares on the system are audited.	Event `5140`: `A network share object was accessed` Generated every time a network share is accessed, but only once per session (upon first access attempt). `Object Type` is always `File` for this event. Event `5140`: `A network share object was accessed` Event `5142`: `A network share object was added` Event `5143`: `A network share object was modified` Event `5144`: `A network share object was deleted` All events include information about the account that performed the operation: username, domain, and `SID` as well as the `Logon ID` associated with the logon. Events `5140` also include network information: source IP address and port. Requires `Audit File Share` to be enabled.	`Security.evtx`
`EVTX` - `Security.evtx` - Network share access: `Audit Detailed File Share`	Network shared files and folders access	Event related to access to folders and files hosted on network shares. The event is generated upon every access to a network shared file or folder. Failure events are generated only when access is denied at the file share level. The event may thus not indicate that the access to the shared folder or file was successful.	Event `5145`: `A network share object was checked to see whether client can be granted desired access` Includes information about the account that performed the operation: username, domain, and `SID`, the `Logon ID` associated with the logon, and the source IP address and port. Requires `Audit Detailed File Share` to be enabled.	`Security.evtx`

NTUSER & UsrClass - Shellbag

Folders access

Registry keys designed as an user experience enhancing feature to keep track of Windows explorer graphical display settings on a folder-by-folder basis. For instance, a Shellbag entry is used to store the "View" mode of a folder (details, list, small / medium / large icons) as well as the column displayed (entry names, dates, sizes, etc.) and their order. Shellbags contain folders and network shares to which a given user has navigated (using the Windows Explorer), but not files or subdirectories if they were not accessed. An exception is for ZIP files opened directly as folders through the Windows Explorer, that are stored as if they were folders (with their content thus partially referenced depending on the related activity). Shellbags entries are also generated for access to the Control Panel settings, on an interface-by-interface basis (Windows Firewall, Credential Manager). Shellbags entries are not deleted upon deletion of the related folders and can thus be a source of historical information. For more information: Shellbags note.

Various kinds of user activity may generate or update Shellbag entries (with different level of data depending on the activity): - First access or renaming of folders, removable devices, or network shares through the Windows Explorer systematically generate a Shellbag entry. - Graphical opening of compressed archives or ISOs. - ... Shellbag entries are stored in registry as a tree-like data structure, with the root target having the topmost BagMRU key. Each sub-target (sub directory for example) of the parent target are then represented with both: - A registry subkey, named with a numerical value (starting from 0). - A registry value (in the parent target's registry key), named with the same numerical value and associated with binary data that notably contains the target's name. Each Shellbag BagMRU registry key also contains a MRUListEx value, that maintains the entries visited order, i.e the order in which the sub targets of a target were accessed (the last sub target accessed having a MRU position of 0). Each Shellbags entry for a given target yield the following notable information: - The target name and absolute path. - The target modified, access, and created (MAC) timestamps (UTC), retrieved from the $MFT at the Shellbag entry creation (and not further updated). - Additionally the Shellbags BagMRU hierarchical nature and MRUListEx list can be used to deduce the first and last interacted timestamps for some targets: > For entries that do not have subkeys (i.e directory for which no subdirectory were accessed), the first interacted timestamp is equal to the key's LastWriteTime timestamp. This is due to the fact that the key is created when a target is first accessed, and further activity for that target (such as display settings modifications) will only update the key's values. When a subkey is created for the target (i.e when a subdirectory is accessed for that particular directory), the timestamp becomes unreliable as it reflect the creation of the subkey. > The last interacted timestamp can be deducted for the sub target that was last interacted with (MRU position 0), and is equal to the parent key's LastWriteTime timestamp. Major updates of the Windows operating system may however result in modification of ShellBags entries, resulting in updated last written timestamp.

Locations starting from Windows 7: Windows Explorer activity: File: %SystemDrive%:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat Registry keys: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Desktop and Network locations activity: File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry keys: HKCU\Software\Microsoft\Windows\Shell\BagMRU HKCU\Software\Microsoft\Windows\Shell\Bags

ShellBagsExplorer SBECmd.exe

Jumplist

Files and folders access

Linked to a taskbar user experience-enhancing feature that allows users to "jump" to files, folders or others elements by right clicking on open applications in the Windows taskbar. The Windows Explorer's Quick Access feature also stores entries in Jumplists. Two forms of Jumplists are created: - Automatic entries for items recently accessed through the application: <APP_IDENTIFIER>.automaticDestinations-ms files. - Custom entries for application defined or manually "pinned" elements: <APP_IDENTIFIER>.customDestinations-ms files. For both Jumplist types, the <APP_IDENTIFIER> is a Windows set unique identifier that is used to link a particular application with its Jumplists. While no official mapping is documented, JLECmd maintains a list of known application identifiers. For more information: Jumplist note.

An application is associated with one AutomaticDestinations file and one CustomDestinations file, that share the <APP_IDENTIFIER> of the application. A JumpList is assimilable to a series / list of shortcut files (LNK), each entry in the JumpList being a shortcut file structure. Thus the same level of information found in a shortcut file is available for each item referenced in an application AutomaticDestinations and CustomDestinations JumpLists.

%SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms %SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms

LNK (shortcuts) Files

Files and folders access

Windows Shell Items that reference an original file, folder, or application. While shortcut files can be created manually, the Windows operating system also creates shortcut files under numerous user activities, such as opening of a non-executable file. For instance, a shortcut file is created under [...]\AppData\Roaming\Microsoft\Windows\Recent\ whenever a file is opened from the Windows Explorer. These automatically created and updated shortcut files are not deleted upon deletion of their associated files. For more information: LNKFile note.

The creation and modification timestamps of the shortcut file itself will usually respectively indicate when the target file was first and last opened. Each shortcut file additionally yield the following information: - The target file's absolute path, size and attributes (hidden, read-only, etc.). - The target file modified, access, and created (MAC) timestamps at the time of the last access to the target file. - Whether the target file was stored locally or on a remote network share. - Occasionally information on the volume of the target file: name, type (fixed vs removable storage media), serial number, and label / name if any. - Occasionally information on the host of the target file: system's NetBIOS hostname and MAC address.

Automatically created shortcut files for files opened from the Windows Explorer: %SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\*.lnk Documents opened using Microsoft Office: %SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Office\Recent\*.lnk Shortcut files created automatically by the Windows Explorer are referenced in the NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs registry keys. Startup folders items: %SystemDrive%:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp %SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

LECmd exiftool

Windows 10 Timeline / ActivitiesCache.db Introduced in Windows 10's version 1803.

Files and folders access

Detailed in Program execution

WebCacheV01.dat

Files and folders access

Access to local files may appear in the WebCacheV01.dat ESE database. This database is mainly used to store browsing history, downloads, cache, and cookies (metadata) for the Microsoft Internet Explorer and Microsoft Edge (legacy) web browsers. However, access to local files, not necessarily through a web browser, may also appear in the WebCacheV01.dat database.

Access to local files will be identifiable by the file URI scheme (such as file:///<DRIVE_LETTER>:/folder/file).

%LocalAppData%\Microsoft\Windows\WebCache\WebCacheV01.dat

NirSoft's BrowsingHistoryView

NTUSER - Explorer - Common Dialogs - OpenSaveMRU OpenSavePidlMRU Renamed in Windows Vista and later.

Files and folders access

Information on files opened or saved through the "Open File" or "Save File" Common Dialogs window.

The OpenSaveMRU/ OpenSavePidlMRU keys has multiple subkeys, one for each different file extensions (for the files opened / saved on the given system). Each subkey contains an ordered Most recently used (MRU) list of opened / saved files (full path of the file). The list can go up to 20 entries, with entries over 20 being overwritten. The last write timestamp of each subkey thus corresponds to the timestamp of opening / saving of the file in MRU position 0 (for a given file extension).

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU

NTUSER - Explorer - RecentDocs

Files and folders access

Non-executable files opened through the Windows Explorer, stored as one subkey per file extension.

Each subkey contains the opened files of the given extension stored in a ordered Most Recently Used (MRU) list. The last written timestamp of the key correspond to the timestamp of the opening of the most recently accessed file (MRU position 0). Entry created under the RecentDocs registry keys are associated with a shortcut file under %SystemDrive%:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

NTUSER - Explorer - TypedPaths

Files and folders access

Paths entered (typed, pasted, or auto-completed) in the Windows Explorer location search bars. Entries are not added / updated in real-time, but are seemingly added / updated on user logoff / system reboot.

The file paths are stored as url1 to url[N] in inversed chronological order. The last write timestamp of the key is thus the timestamp of visit of the most recently visited path. As program can be directly executed from the Windows Explorer search bar, traces of program executions may be found in the TypedPaths entries.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths

NTUSER - Explorer - WordWheelQuery Starting from Windows 7 and not present on Windows Server Operating Systems.

Files and folders access

Keywords searched in from the Windows Explorer search box, potentially resulting in files or folders access.

The entries are stored in a Most Recently Used (MRU) list. The last write timestamp of the key indicates the timestamp of the most recently searched keyword.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

Windows Search database

Files and folders access

Detailed in Filesystem.

NTUSER - RunMRU

Files and folders access

Detailed in Program execution.

NTUSER - RecentApps Introduced in Windows 10 1607 and removed in Windows 10 1709 (with the key not present on subsequent version).

Files and folders access

Detailed in Program execution.

NTUSER - MountPoints2

Files and folders access

Currently or previously mapped drives (such as the system drive, USB devices, or network shares) mounted by the associated user.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

NTUSER - Map Network Drive MRU

Files and folders access

Recently used network shares.

File: %SystemDrive%:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

EVTX - Security.evtx - Network share access: Audit File Share

Network shared files and folders access

Events related to network shares: creation, deletion, modification, and access attempts of network shares. Do not track access to folders and files hosted on network shares. As there are no System Access Control Lists (SACLs) for shares, access to all shares on the system are audited.

Event 5140: A network share object was accessed Generated every time a network share is accessed, but only once per session (upon first access attempt). Object Type is always File for this event. Event 5140: A network share object was accessed Event 5142: A network share object was added Event 5143: A network share object was modified Event 5144: A network share object was deleted All events include information about the account that performed the operation: username, domain, and SID as well as the Logon ID associated with the logon. Events 5140 also include network information: source IP address and port. Requires Audit File Share to be enabled.

Security.evtx

EVTX - Security.evtx - Network share access: Audit Detailed File Share

Network shared files and folders access

Event related to access to folders and files hosted on network shares. The event is generated upon every access to a network shared file or folder. Failure events are generated only when access is denied at the file share level. The event may thus not indicate that the access to the shared folder or file was successful.

Event 5145: A network share object was checked to see whether client can be granted desired access Includes information about the account that performed the operation: username, domain, and SID, the Logon ID associated with the logon, and the source IP address and port. Requires Audit Detailed File Share to be enabled.

Security.evtx