Automatically generated based on tag:

Title | Type | Summary | Location

Title: Application Compatibility Cache / Shimcache
Type: Page
Summary: Application compatibility feature that aims to maintain support for existing software on new versions of the Windows operating system.

A Shimcache entry is created whenever a program is executed from a specific path. However, starting from Windows Vista and Windows Server 2008, entries may also be created for files in a directory that is accessed interactively.

Stores up to 1024 entries starting from the Windows Vista and Windows Server 2008 operating systems.

Information of interest: file full path, LastModifiedTime ($Standard_Information) timestamp of the file at the time of execution, the cache entry position (insertion position in the Shimcache), and, from Windows Vista / Windows Server 2008 up to Windows 8.1 / Windows Server 2012 R2, an (undocumented) execution flag.

While the insert / execution flag is no longer present starting from Windows 10 / Windows Server 2016, the last 4 bytes of an entry can be an indicator of execution, for non-native Windows binaries, if set to 1.

Location: SYSTEM registry hive.

Registry keys:

>= Windows Server 2003 and Windows XP 64-bit:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache

Windows XP 32-bit:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache

Title: Registry - Auto-Start Extensibility Points
Type: Page
Summary: A number of registry keys, known as Auto-Start Extensibility Points (ASEP) registry keys, are run whenever the system is booted or a specific user logs in.

The ASEP keys under HKLM are run every time the system is started, while the ASEP keys under HKCU are only executed when the user associated with the keys logs onto the system.

While a subset of ASEP registry keys are leveraged by threat actors, hundreds of keys may be used to execute a program at boot or following a user logon.

Location:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup
HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup

HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon
HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon

...

Title: Registry - Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM)
Type: Page
Summary: Introduced in Windows 10 Fall Creators Update (version 1709), the Background Activity Moderator (BAM) is a mostly undocumented feature that controls the programs executed in the background. The Desktop Activity Moderator (DAM) is a feature for mobile devices that support the "Connected Standby" mode (and thus holds no data on Windows desktop or server systems).

If a file is deleted, its associated BAM entry, if any, is deleted as well after the system reboots. Additionally, BAM entries older than 7 days are deleted upon system boot.

Information of interest: program full path, timestamp of execution, and executing user (as the values are grouped by user SID).

Location:
File: <SYSTEMROOT>\System32\config\SYSTEM

Registry keys:
HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>\*
HKLM\SYSTEM\CurrentControlSet\Services\dam\UserSettings\<SID>\*

Starting from Windows 10 1809:
HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>\*
HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\<SID>\*

Title: Registry - Common Dialogs (ComDlg32)
Type: Page
Summary: The registry keys under ComDlg32 are linked to the Common Dialog boxes, such as the "Open" and "Save as" dialog boxes.

OpenSaveMRU / OpenSavePidlMRU information of interest: full path of the last 20 files, for each file extension, opened or saved through a Common Dialog box.

LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy information of interest: some of the programs used to open / save the files tracked in the OpenSaveMRU / OpenSavePidlMRU registry key. The application filename and the last folder accessed through a dialog box are tracked. The created and last accessed timestamps of each subfolder in the path of the last accessed folder are also stored.

CIDSizeMRU information of interest: filename of the applications linked to Common Dialog activity.

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry subkeys under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\

OpenSaveMRU / OpenSavePidlMRU

LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy

CIDSizeMRU

Title: Registry - Devices and USB activity
Type: Page
Summary: The registry holds a wealth of information on currently and previously plugged-in devices, such as USB devices. The information is stored across a number of registry keys.

Given a known variable about a device as input (such as the device serial number, for example), other identifiers can be retrieved from the registry: serial number, vendor ID, product ID, device ID (vendor and product names), instance ID, device interface class, associated volume friendly name and volume letter, etc.

The first and last plugged-in timestamps, and the last unplugged timestamp (for Windows 7 / 8 and later), of a device are also stored in the registry (Enum\USB and Enum\USBSTOR registry keys).

Location:
HKLM\SYSTEM - Enum\USB

HKLM\SYSTEM - Enum\USBSTOR

HKLM\SYSTEM - Enum\SWD\WPDBUSENUM

HKLM\SYSTEM - MountedDevices

HKLM\SYSTEM - DeviceClasses

HKLM\SOFTWARE - Windows Portable Devices

HKLM\SOFTWARE - VolumeInfoCache

HKLM\SOFTWARE - EMDMgmt

HKCU\SOFTWARE - MountPoints2

Title: Registry - FeatureUsage
Type: Page
Summary: Introduced in Windows 10 version 1903, the FeatureUsage registry key is linked to the Windows Taskbar, storing a number of metrics related to Taskbar usage.

Information of interest: program full path and run counter of the associated Taskbar operation (brought to focus, right-clicked, icon updated, etc.).

No timestamp of execution / occurrence is available.

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry subkeys under:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage

AppSwitched, ShowJumpView, AppBadgeUpdated, AppLaunch, and TrayButtonClicked

Title: Registry - Map Network Drive MRU
Type: Page
Summary: The Map Network Drive MRU registry key references the recently used network shares.

Information of interest: UNC path of the network shares (such as "<IP | HOSTNAME>\<SHARE_NAME>").

Values are ordered in a most recently used list. The timestamp of access of the most recently accessed share can thus be deduced from the last write timestamp of the registry key.

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

Title: Registry - MountPoints2
Type: Page
Summary: The MountPoints2 registry key references the currently or previously mapped drives (such as the system drive, USB devices, or network shares) mounted by the associated user.

Information of interest: each drive is represented by a subkey, which is named either after the volume GUID, a drive letter, or, for network shares, "##<IP | HOSTNAME>#<SHARE_NAME>".

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2

Title: Registry - MUICache
Type: Page
Summary: The Multilingual User Interface (MUI) is a feature that allows applications to ship a single executable for multiple languages.

The MUICache registry key references GUI program executions only.

Information of interest: executable full path, the executable's PE FileDescription attribute (which references the original filename, allowing renamed files to be identified), and the executable's PE CompanyName attribute.

The MUICache does not provide a timestamp of execution.

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat

Registry keys:
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache
HKCU\Local Settings\MuiCache

Title: Registry - Overview
Type: Page
Summary: The Registry is a feature to store settings, for the operating system and applications, in system-wide or per-user hierarchical databases, or hives.

Before being written / committed to a file on disk, registry modifications can be written to Registry Transaction logs (such as SYSTEM.LOG1 and SYSTEM.LOG2 for the SYSTEM registry hive).

Location:
The system-wide registry is mapped to the HKEY_LOCAL_MACHINE (HKLM) root key in memory.
Associated files on disk, under <SYSTEMROOT>\System32\config\: SYSTEM, SOFTWARE, SECURITY, SAM.

The per-user registry is mapped to the HKEY_CURRENT_USER (HKCU) root key in memory.
Associated files on disk:
<SYSTEMDRIVE>\Users\<USERNAME>\NTUSER.dat
<SYSTEMDRIVE>\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat

Title: Registry - PortProxy
Type: Page
Summary: The PortProxy registry key stores the port forwards configured on the local system using the netsh built-in utility.

Information of interest: the local and remote IP address:port of each port forward.

Location:
File: <SYSTEMROOT>\System32\config\SYSTEM

Registry key:
HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\*

IPv4 endpoint to IPv4 endpoint: v4tov4\tcp subkey.

Title: Registry - RecentApps
Type: Page
Summary: Introduced in Windows 10 1607 and removed in Windows 10 1709 (the key is not present on subsequent versions), RecentApps is an undocumented registry key that tracks program executions and the files accessed by the tracked programs.

Information of interest: filename, last access timestamp, and execution run count of the application.

Additionally, 10 files accessed by the application (not necessarily the last files accessed) are tracked. For each file, the file name and file full path are referenced, and the last access timestamp can be deduced (from the last write timestamp of the associated registry key).

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\<GUID>

Title: Registry - RunMRU
Type: Page
Summary: The RunMRU registry key tracks items launched from the Windows Run launcher (Windows + R shortcut).

Information of interest: values entered (program names, files / folders, URLs, ...) in the Windows Run launcher, if associated with a successful launch.

Values are ordered in a most recently used list. The timestamp of launch of the most recently launched item can thus be deduced from the last write timestamp of the registry key.

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Title: Registry - Scheduled tasks (Taskcache)
Type: Page
Summary: Scheduled tasks are used to automatically perform a task on the system whenever the criteria associated with the scheduled task are met.

A scheduled task can be created through direct manipulation of the registry in order to avoid the generation of task creation ETW events.

Information of interest, for each task under its associated "Taskcache\Tasks\<TASK_GUID>" and "Taskcache\Tree\<TASK_NAME>" subkeys: task name and file path, lifecycle timestamps (created on, last start, and last stop), and trigger(s) and action(s).

The lifecycle timestamps, trigger(s), and action(s) are stored in a binary, non-human-readable format.

Location:
File: <SYSTEMROOT>\System32\config\SOFTWARE

Registry keys:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\<TASK_GUID>
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\<TASK_NAME>

Title: Registry - Services
Type: Page
Summary: The Services registry key holds the configuration information of the installed Windows services.

Information of interest, for each service: service name and display name, image or DLL path, service type, service start mode, and any Windows privileges required.

The timestamp of a service creation, or last configuration update, can be deduced from the last write timestamp of its registry key.

Location:
File: <SYSTEMROOT>\System32\config\SYSTEM

Registry key: HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME>

Title: Registry - Shellbags
Type: Page
Summary: The Shellbags are Windows Registry keys designed as a user experience enhancing feature to keep track of Windows Explorer graphical display settings on a folder-by-folder basis.

Shellbags contain folders and network shares to which a given user has navigated (using Windows Explorer), but not the content of a directory. Files will thus not be referenced, and subdirectories will only be referenced if they were navigated into.

Shellbag entries are stored in the registry as a tree-like hierarchical data structure, allowing the tree of browsed directories to be reconstructed.

Information of interest, for each Shellbags entry on a given target / directory:

- Target name and absolute path.

- Target Modified, Access, and Created (MAC) timestamps (in UTC) retrieved from the $MFT at the Shellbag entry creation (and not further updated).

- The order in which the sub-targets of a target were accessed (maintained in an MRUList list).

Additionally, the first and last interacted timestamps can be indirectly deduced for some targets.

Location (starting from Windows 7):

Windows Explorer activity:

File:
<SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat

Registry keys:
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags

Desktop and Network locations activity:

File:
<SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry keys:
HKCU\Software\Microsoft\Windows\Shell\BagMRU
HKCU\Software\Microsoft\Windows\Shell\Bags

Title: Registry - System Information
Type: Page
Summary: Various information about the local system as stored in the registry: computer hostname and domain, local users, network interfaces, system timezone, exposed network shares, firewall status and rules, SIDs of users that have interactively logged in, installed applications, etc.

Location:
HKLM\SYSTEM - ComputerName

HKLM\SOFTWARE - CurrentVersion

HKLM\SECURITY - Policy

HKLM\SOFTWARE - ProfileList

HKLM\SAM - Users

HKLM\SYSTEM - TimeZoneInformation

HKLM\SYSTEM - Select

HKLM\SYSTEM - Interfaces

HKLM\SYSTEM - NetworkList

HKLM\SYSTEM - LanmanServer\Shares

HKLM\SYSTEM - FirewallPolicy

HKLM\SOFTWARE & NTUSER - App Paths

HKLM\SOFTWARE & NTUSER - Uninstall

Title: Registry - Terminal Server Client\Servers
Type: Page
Summary: The Terminal Server Client\Servers registry key tracks the remote hosts the associated user connected to using the built-in mstsc.exe Remote Desktop client.

Information of interest: IP address of the remote host and any saved username associated with the remote host.

The last write timestamp may be an indicator of the first access to the remote host.

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry key: HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers\<IP>

Title: Registry - Timestamp and timestomping
Type: Page
Summary: The last write / modified timestamp of a registry key is the only generic timestamp available for registry keys, and corresponds to the last time a write operation occurred on the key.

There is indeed no last write / modified timestamp for registry values.

Similarly to MFT MACB timestamps, the last write / modified timestamp of a registry key can be timestomped, which is hard to detect without dedicated monitoring tools.

Title: Registry - Tools
Type: Page
Summary: Tools for processing the Windows Registry, including: RegistryExplorer, RECmd, and RegRipper.

Title: Registry - TypedURLs
Type: Page
Summary: The TypedURLs registry key tracks URLs entered (typed, pasted, or auto-completed) in the Internet Explorer (IE) web browser address bar. Web searches are not stored; only the URLs entered are tracked.

Information of interest: URLs entered in the IE address bar.

Values are stored in inverse chronological order. The timestamp of last visit of the most recently visited URL can thus be deduced from the last write timestamp of the registry key.

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs

Title: Registry - UserAssist
Type: Page
Summary: The UserAssist registry key references GUI program executions and, starting from Windows 7, shortcut executions.

Information of interest: full path of the executed program / shortcut (encoded in ROT13), sometimes the timestamp of the last execution, an unreliable run counter, and the focus count and focus time.

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count

Windows XP:
{75048700-EF1F-11D0-9888-006097DEACF9} (GUI program execution).

Starting from Windows 7:
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (GUI program execution).
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcut execution).

Title: Registry - WordWheelQuery
Type: Page
Summary: Introduced in Windows 7, and not present in Windows Server operating systems, the WordWheelQuery registry key tracks the keywords searched in the Windows Explorer search box.

Information of interest: terms / keywords entered in the Windows Explorer search box.

Values are ordered in a most recently used list. The timestamp of search of the most recently searched item can thus be deduced from the last write timestamp of the registry key.

Location:
File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat

Registry key:
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery

