Automatically generated based on tag:
| Title | Type | Summary | Location |
|---|---|---|---|
| .NET CLR UsageLogs | Page | Following the execution (or in-memory injection) of a .NET assembly, the Common Language Runtime (CLR) creates a Usage Log file whose named is based on the name of the executed assembly. Information of interest: the filename of the log file match the name of the assembly / binary executed. The file creation timestamp corresponds to the first time the associated assembly was executed and the file last modification timestamp corresponds to the last execution time of the assembly. |
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\CLR_v<VERSION>\<BINARY_NAME>.exe.log <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\CLR_v<VERSION>\UsageLogs\<BINARY_NAME>.exe.log <SYSTEMROOT>\System32\config\systemprofile\AppData\Local\Microsoft\CLR_<VERSION>\<BINARY_NAME>.exe.log <SYSTEMROOT>\System32\config\systemprofile\AppData\Local\Microsoft\CLR_<VERSION>\UsageLogs\<BINARY_NAME>.exe.log |
| Amcache / RecentFileCache | Page | Very complex artefact, linked to an application compatibility feature. Tracks program execution (or simply file presence for recent version), installed drivers, and shortcuts from a subset of folders. Program execution / binary presence information of interest: executable full path, program size, SHA1 (of the first 30MB of the executable). |
<SYSTEMROOT>\AppCompat\Programs\Amcache.hve Amcache DLL 6.1.7600 and older: <SYSTEMROOT>\AppCompat\Programs\RecentFileCache.bcf |
| Application Compatibility Cache / Shimcache | Page | Application compatibility feature that aim to maintain support of existing software to new versions of the Windows operating system. A Shimcache entry is created whenever a program is executed from a specific path. However, starting from Windows Vista and Windows Server 2008, entries may also be created for files in a directory that is accessed interactively. Stores up to 1024 entries starting from the Windows Vista and Windows Server 2008 operating systems. Information of interest: file full path, LastModifiedTime ($Standard_Information) timestamp of the file at the time of execution, the cache entry position (insertion position in the Shimcache), and from Windows Vista / Windows Server 2008 up to Windows 8.1 / Windows Server 2012 R2, an (undocumented) execution flag. |
SYSTEM registry hive. Registry keys: >= Windows Server 2003 and Windows XP 64-bit: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache Windows XP 32-bit: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache |
| ETW - PowerShell activity | Page | For local PowerShell activity. Windows PowerShell version 2.0, and prior versions, provide few useful audit settings, thereby limiting the availability of evidence (such as a command history). Starting with PowerShell v5, PowerShell logging was enhanced, with the notable addition of Script Block Logging, that record full contents of PowerShell code executed (both original and deobfuscated code). While Script Block Logging is not fully enabled by default, it will record events for code containing suspicious keywords (from a Microsoft pre-defined list). |
Channels: Windows PowerShell. Events: 400, 403, 500, 501, 600, 800. Microsoft-Windows-PowerShell\Operational. Events: 4100, 4103, 4104, 40961, 40962, 53504. Microsoft-Windows-AppLocker\MSI and Script. Events: 8005, 8006. |
| ETW - Process creation | Page | Process creation event. Requires "Audit Process Creation" to be enabled and ProcessCreationIncludeCmdLine_Enabled to be enabled for the command line to be logged. Events: Event ID 4688: "A new process has been created". Event ID 4689: "Process Termination: Success and Failure". |
Channel: Security. Events: 4688, 4689. |
| ETW - Registry Auto-Start Extensibility Points | Page | Events are generated for tasks executed through the Run and RunOnce registry keys. Additionally, events can be generated for modification of registry keys, but requires non-default audit settings and the configuration of SACL on the registry keys to audit. Main events: Channel: Microsoft-Windows-Shell-Core/Operational. Event ID 9707: "Started execution of command <COMMAND>". Event ID 9708: "Finished execution of command <COMMAND> (PID <PROCESS_ID>)". Channel: Security. Event ID 4657: "A registry value was modified". Requires non-default audit settings and the configuration of SACL on the registy keys to audit. |
Channels: Microsoft-Windows-Shell-Core/Operational. Events: 9705, 9707, 9708. Security. Event: 4657. |
| Jumplists | Page | Introduced in Windows 7, Jumplists are linked to a taskbar user experience-enhancing feature that allows users to "jump" to files, folders or others elements by right-clicking on open applications in the Windows taskbar. Information of interest: target file absolute path, size, attributes, and Modified, Access, and Birth timestamps (updated whenever the file is "jumped" to). Remote desktop connections made using the Windows built-in mstsc.exe client will generate an entry in the AutomaticDestinations JumpList that may reference the remote host. |
AutomaticDestinations: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\<APP_ID>.automaticDestinations-ms CustomDestinations: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\<APP_ID>.customDestinations-ms |
| PowerShell ConsoleHost_history | Page | Starting with PowerShell v5 on Windows 10, the commands entered in a PowerShell console will be logged by the PSReadline module to a user-scoped ConsoleHost_history.txt file. By default, only the last 4096 commands are stored. Information of interest: command entered, with no associated timestamps (or any additional metadata). The last entered command execution timestamp can be deduced from the last write timestamp of the ConsoleHost_history file itself. |
By default: <APPDATA>\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt i.e <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. |
| PowerShell Transcript | Page | PowerShell Transcript is a mechanism to record a PowerShell console session. The full console input and, depending on the transcript configuration, stdout and stderr streams are logged to a text file. This logging mechanism, disabled by default, is the only Windows built-in feature to gain extended visibility on PowerShell console interactions, and in particular to the results of PowerShell commands entered in a console. Contrary to Script Block Logging however, PowerShell Transcript does not include content of scripts executed and only the commands as they are entered in the PowerShell console. PowerShell Transcript can be enabled using the Start-Transcript cmdlet, by GPO, or directly in the registry. |
By default: <USERPROFILE>\Documents\PowerShell_transcript.*.txt However, alternative path, on the local filesystem or on a remote server, can be specified. |
| Prefetch | Page | Windows Prefetch is a performance enhancement feature that enables prefetching of applications to make system boots or applications startups faster. Prefetch is by default disabled on Windows Server operating systems and is limited to 128 entries on Windows XP to Windows 7 and 1024 entries starting from Windows 8. Prefetch files are created whenever a program is executed from a specific path. Information of interest: file name and size, first and, starting from Windows 8, last eight executions timestamps, run count, and list of files and directories accessed during the first ten seconds of execution (often including the full path of the executed file itself). |
<SYSTEMROOT>\Prefetch\<EXECUTABLE.EXE>-<RANDOM_ID>.pf Filename example: POWERSHELL.EXE-022A1004.pf |
| Program Compatibility Assistant (PCA) | Page | Introduced in Windows 11, the Program Compatibility Assistant (PCA) is an application compatibility feature that aim to maintain support of existing desktop applications to new versions of the Windows operating system. Information of interest, only for programs executed as GUI: file full path and timestamp of execution. More information available for executions resulting in non 0x0 exit code. |
Files under <SYSTEMROOT>\appcompat\pca\: PcaAppLaunchDic.txt PcaGeneralDb0.txt PcaGeneralDb1.txt |
| Registry - Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) | Page | Introduced in Windows 10 Fall Creators update - version 1709, the Background Activity Moderator (BAM) is a mostly undocumented feature that controls the programs executed in the background.The Desktop Activity Moderator (DAM) is a feature for mobile devices, that support the "Connected Standby" mode (and thus hold no data on Windows desktop or server). If a file is deleted, the eventual associated entry in the BAM is deleted as well after the system reboot. Additionally, BAM entries older than 7 days are deleted upon system boot. Information of interest: program full path, timestamp of execution, and executing user (as the values are grouped by user SID). |
File: <SYSTEMROOT>\System32\config\SYSTEM Registry key: HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>\* HKLM\SYSTEM\CurrentControlSet\Services\dam\UserSettings\<SID>\* Starting from Windows 10 1809: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>\* HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\<SID>\* |
| Registry - Common Dialogs (ComDlg32) | Page | The registry keys under ComDlg32 are linked to the Common Dialogs boxes, such as the "Open" and "Save as" dialog boxes. OpenSaveMRU / OpenSavePidlMRU information of interest: full path of the last 20 files, for each file extension, opened or saved through a Common Dialogs box. LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy information of interest: some of the programs used to open / save the files tracked in the OpenSaveMRU / OpenSavePidlMRU registry key. The application filename and last folder accessed through a dialog box is tracked. The created and last accessed timestamps of each subfolder in the path of the last accessed folder are also stored. CIDSizeMRU information of interest: filename of the applications linked to Common Dialogs activity. |
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat Registry subkeys under: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\ OpenSaveMRU / OpenSavePidlMRU LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy CIDSizeMRU |
| Registry - FeatureUsage | Page | Introduced in Windows 10 version 1903, the FeatureUsage registry key is linked to the Windows Task, storing a number of metrics related to the Task bar usage. Information of interest: program full path and run counter of the associated taskbar operation (brought to focus, right-clicked, icon updated, etc.). No timestamp of execution / occurrence is available. |
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat Registry subkeys under: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage AppSwitched, ShowJumpView, AppBadgeUpdated, AppLaunch, and TrayButtonClicked |
| Registry - MUICache | Page | The Multilanguage User Interface (MUI) is a feature to allow applications to have a single executable for multiple languages. The MUICache registry key references GUI program executions only. Information of interest: executable full path, executable PE FileDescription attribute (that references the original filename, allowing to identify renamed files), the executable PE CompanyName attribute. The MUICache does not provide a timestamp of execution. |
File: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat Registry keys: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache HKCU\Local Settings\MuiCache |
| Registry - RecentApps | Page | Introduced in Windows 10 1607 and removed in Windows 10 1709 (with the key not present on subsequent versions), the RecentApps is an undocumented registry key that tracks program executions and files accessed by the tracked programs. Information of interest: filename, last access timestamp, and run count execution of the application. Additionally, 10 files accessed by the application (not necessarily the last files accessed) are tracked. For each file, the file name and file full path are referenced and the last access timestamp can be deduced (from the last write timestamp of the associated registry key). |
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\<GUID> |
| Registry - RunMRU | Page | The RunMRU registry tracks items launched from the Windows Run launcher (Windows + R shortcut). Information of interest: values entered (program names, files / folders, URL, ...) in the Windows Run launcher, if associated with a successful launch. Values are ordered in a most recently used list. The timestamp of launch of the most recently launched item can thus be deduced from the last write timestamp of the registry key. |
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU |
| Registry - User Assist | Page | The UserAssist registry key references GUI program executions, and, starting from Windows 7, shortcut executions. Information of interest: full path of the executed program / shortcut (encoded in ROT13), sometimes the timestamp of the last execution, an unreliable run counter and focus count and time. |
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count Windows Xp: {75048700-EF1F-11D0-9888-006097DEACF9} (GUI program execution). Starting from Windows 7: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (GUI program execution). {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcut execution). |
| System Resource Usage Monitor (SRUM) | Page | Introduced in Windows 8, the System Resource Usage Monitor (SRUM) is a feature that records numerous metrics of system activities. The SRUM database only stores data for the last 30 to 60 days. Entries are not associated with their timestamp of occurrence but with the timestamp of insertion in the SRUM database (every hour). Information of interest: executable full path, executing user SID, metrics on CPU usage, I/O and network activity per execution. |
<SYSTEMROOT>\System32\SRU\SRUDB.dat |
| Windows 10 Timeline / ActivitiesCache.db | Page | Introduced in Windows 10 version 1803, the Windows Activity history tracks a number of operations on the system: programs used, local files opened, SharePoint documents consulted, and websites browsed (using Internet Explorer / Microsoft Edge Legacy). The ActivitiesCache.db database only stores data for the last 30 days by default. Information of interest, that depends on the activity type: start and end times of the activity (in UTC), executable full path for program execution, file name / SharePoint link for files accessed using certain programs, created and last modified timestamp of the associated file, etc. The history of the clipboard data may also be stored for a short amount of time (approximately 12 hours) in non default configuration. |
<SYSTEMROOT>\Users\<USERNAME>\AppData\Local\ConnectedDevicesPlatform\[L.<USERNAME> | *]\ActivitiesCache.db |
| Windows Defender - Quarantine | Page | Windows Defender quarantines files that were detected as malicious, storing the full content of the files. It is thus possible to recover the quarantined files for further investigation. Additionally, Windows Defender stores some metadata on each detection under the "Windows Defender\Quarantine" folder, including the original file path of the file, the timestamp of quarantine, and the associated threat name. |
Quarantined files: <SYSTEM_DRIVE>\ProgramData\Microsoft\Windows Defender\Quarantine\ResourceData Metadata on the detections associated with quarantined files: <SYSTEM_DRIVE>\ProgramData\Microsoft\Windows Defender\Quarantine\Entries |
| Windows Defender - Support logs | Page | Windows Defender stores on disk a number of plain-text log files. Among these log files, the Microsoft Protection Log (MPLog) log includes a number of event types related to past Windows Defender scanning activity and detections. The MPLog can notably be a source of historical information on: - Program and suspicious command line executions. - Files existence and access. - Windows Defender configuration state, detections, and other telemetry. |
Log files, and notably "MPLog-YYMMDD-hhmmss.log", under: <SYSTEMDRIVE>\ProgramData\Microsoft\Windows Defender\Support |
View on GitHub