Automatically generated based on tag:
Title | Type | Summary | Location |
---|---|---|---|
Application Compatibility Cache / Shimcache | Page | Application compatibility feature that aims to maintain support for existing software on new versions of the Windows operating system. A Shimcache entry is created whenever a program is executed from a specific path. However, starting from Windows Vista and Windows Server 2008, entries may also be created for files in a directory that is accessed interactively. Stores up to 1024 entries starting from the Windows Vista and Windows Server 2008 operating systems. Information of interest: file full path, LastModifiedTime ($Standard_Information) timestamp of the file at the time of execution, the cache entry position (insertion position in the Shimcache), and, from Windows Vista / Windows Server 2008 up to Windows 8.1 / Windows Server 2012 R2, an (undocumented) execution flag. While the insert / execution flag is no longer present starting from Windows 10 / Windows Server 2016, the last 4 bytes of an entry can be an indicator of execution for non-native Windows binaries if set to 1. | SYSTEM registry hive. Registry keys: >= Windows Server 2003 and Windows XP 64-bit: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\AppCompatCache. Windows XP 32-bit: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility\AppCompatCache |
Registry - Auto-Start Extensibility Points | Page | A number of registry keys, known as Auto-Start Extensibility Points (ASEP) registry keys, are run whenever the system is booted or a specific user logs in. The ASEP keys under HKLM are run every time the system is started, while the ASEP keys under HKCU are only executed when the user associated with the keys logs onto the system. While a subset of ASEP registry keys are leveraged by threat actors, hundreds of keys may be used to execute a program at boot or following a user logon. | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Shell HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Startup HKLM\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon HKCU\SOFTWARE\Policies\Microsoft\Windows\System\Scripts\Logon ... |
Registry - Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) | Page | Introduced in the Windows 10 Fall Creators Update (version 1709), the Background Activity Moderator (BAM) is a mostly undocumented feature that controls the programs executed in the background. The Desktop Activity Moderator (DAM) is a feature for mobile devices that support the "Connected Standby" mode (and thus holds no data on Windows desktop or server). If a file is deleted, the associated entry in the BAM, if any, is deleted as well after the system reboots. Additionally, BAM entries older than 7 days are deleted upon system boot. Information of interest: program full path, timestamp of execution, and executing user (as the values are grouped by user SID). | File: <SYSTEMROOT>\System32\config\SYSTEM. Registry keys: HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID>\* HKLM\SYSTEM\CurrentControlSet\Services\dam\UserSettings\<SID>\* Starting from Windows 10 1809: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID>\* HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\<SID>\* |
Registry - Common Dialogs (ComDlg32) | Page | The registry keys under ComDlg32 are linked to the Common Dialogs boxes, such as the "Open" and "Save as" dialog boxes. OpenSaveMRU / OpenSavePidlMRU information of interest: full path of the last 20 files, for each file extension, opened or saved through a Common Dialogs box. LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy information of interest: some of the programs used to open / save the files tracked in the OpenSaveMRU / OpenSavePidlMRU registry key. The application filename and the last folder accessed through a dialog box are tracked. The created and last accessed timestamps of each subfolder in the path of the last accessed folder are also stored. CIDSizeMRU information of interest: filename of the applications linked to Common Dialogs activity. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry subkeys under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\: OpenSaveMRU / OpenSavePidlMRU, LastVisitedMRU / LastVisitedPidlMRU / LastVisitedPidlMRULegacy, CIDSizeMRU |
Registry - Devices and USB activity | Page | The registry holds a large amount of information on currently and previously plugged-in devices, such as USB devices. The information is stored across a number of registry keys. Given a known attribute of a device as input (such as the device serial number), other identifiers can be retrieved from the registry: serial number, vendor ID, product ID, device ID (vendor and product names), instance ID, device interface class, associated volume friendly name and volume letter, etc. The first and last plugged-in timestamps, and the last unplugged timestamp (for Windows 7 / 8 and later), of a device are also stored in the registry (Enum\USB and Enum\USBSTOR registry keys). | HKLM\SYSTEM - Enum\USB HKLM\SYSTEM - Enum\USBSTOR HKLM\SYSTEM - Enum\SWD\WPDBUSENUM HKLM\SYSTEM - MountedDevices HKLM\SYSTEM - DeviceClasses HKLM\SOFTWARE - Windows Portable Devices HKLM\SOFTWARE - VolumeInfoCache HKLM\SOFTWARE - EMDMgmt HKCU\SOFTWARE - MountPoints2 |
Registry - FeatureUsage | Page | Introduced in Windows 10 version 1903, the FeatureUsage registry key is linked to the Windows Taskbar, storing a number of metrics related to Taskbar usage. Information of interest: program full path and run counter of the associated Taskbar operation (brought to focus, right-clicked, icon updated, etc.). No timestamp of execution / occurrence is available. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry subkeys under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage: AppSwitched, ShowJumpView, AppBadgeUpdated, AppLaunch, and TrayButtonClicked |
Registry - Map Network Drive MRU | Page | The Map Network Drive MRU registry key references the recently used network shares. Information of interest: UNC path of the network shares (such as "<IP \| HOSTNAME>\<SHARE_NAME>"). Values are ordered in a most recently used list. The timestamp of access of the most recently accessed share can thus be deduced from the last write timestamp of the registry key. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU |
Registry - MountPoints2 | Page | The MountPoints2 registry key references the currently or previously mapped drives (such as the system drive, USB devices, or network shares) mounted by the associated user. Information of interest: each drive is represented by a subkey, named either after the volume GUID, a drive letter, or, for network shares, "##<IP \| HOSTNAME>#<SHARE_NAME>". | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 |
Registry - MUICache | Page | The Multilanguage User Interface (MUI) is a feature that allows applications to have a single executable for multiple languages. The MUICache registry key references GUI program executions only. Information of interest: executable full path, executable PE FileDescription attribute (which references the original filename, allowing renamed files to be identified), and the executable PE CompanyName attribute. The MUICache does not provide a timestamp of execution. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat. Registry keys: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MUICache HKCU\Local Settings\MuiCache |
Registry - Overview | Page | The Registry is a feature that stores settings for the operating system and applications in system-wide or per-user hierarchical databases, or hives. Before being written / committed to a file on disk, registry modifications can be written to Registry transaction logs (such as SYSTEM.LOG1 and SYSTEM.LOG2 for the SYSTEM registry hive). | The system-wide registry is mapped to the HKEY_LOCAL_MACHINE (HKLM) root key in memory. Associated files on disk, under <SYSTEMROOT>\System32\config\: SYSTEM, SOFTWARE, SECURITY, SAM. The per-user registry is mapped to the HKEY_CURRENT_USER (HKCU) root key in memory. Associated files on disk: <SYSTEMDRIVE>\Users\<USERNAME>\NTUSER.dat and <SYSTEMDRIVE>\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat. |
Registry - PortProxy | Page | The PortProxy registry key stores the port forwards configured on the local system using the built-in netsh utility. Information of interest: the local and remote IP address:port of each port forward. | File: <SYSTEMROOT>\System32\config\SYSTEM. Registry key: HKLM\SYSTEM\CurrentControlSet\Services\PortProxy\* (IPv4 endpoint to IPv4 endpoint: v4tov4\tcp subkey). |
Registry - RecentApps | Page | Introduced in Windows 10 1607 and removed in Windows 10 1709 (with the key not present on subsequent versions), RecentApps is an undocumented registry key that tracks program executions and the files accessed by the tracked programs. Information of interest: filename, last access timestamp, and run count of the application. Additionally, 10 files accessed by the application (not necessarily the last files accessed) are tracked. For each file, the file name and file full path are referenced, and the last access timestamp can be deduced (from the last write timestamp of the associated registry key). | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\<GUID> |
Registry - RunMRU | Page | The RunMRU registry key tracks items launched from the Windows Run launcher (Windows + R shortcut). Information of interest: values entered in the Windows Run launcher (program names, files / folders, URLs, ...), if associated with a successful launch. Values are ordered in a most recently used list. The timestamp of launch of the most recently launched item can thus be deduced from the last write timestamp of the registry key. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU |
Registry - Scheduled tasks (Taskcache) | Page | Scheduled tasks are used to automatically perform a task on the system whenever the criteria associated with the scheduled task are met. A scheduled task can be created through direct manipulation of the registry in order to avoid the generation of task creation ETW events. Information of interest, for each task under its associated "Taskcache\Tasks\<TASK_GUID>" and "Taskcache\Tree\<TASK_NAME>" subkeys: task name and file path, lifecycle timestamps (created on, last start, and last stop), and trigger(s) and action(s). The lifecycle timestamps, trigger(s), and action(s) are stored in a binary, non human-readable format. | File: <SYSTEMROOT>\System32\config\SOFTWARE. Registry keys: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tasks\<TASK_GUID> HKLM\Software\Microsoft\Windows NT\CurrentVersion\Schedule\Taskcache\Tree\<TASK_NAME> |
Registry - Services | Page | The Services registry key holds the configuration information of the installed Windows services. Information of interest, for each service: service name and display name, image or DLL path, service type, service start mode, and any Windows privileges required. The timestamp of a service's creation, or of its last configuration update, can be deduced from the last write timestamp of its registry key. | File: <SYSTEMROOT>\System32\config\SYSTEM. Registry key: HKLM\SYSTEM\CurrentControlSet\Services\<SERVICE_NAME> |
Registry - Shellbags | Page | Shellbags are Windows Registry keys designed as a user experience feature to keep track of Windows Explorer graphical display settings on a folder-by-folder basis. Shellbags contain the folders and network shares to which a given user has navigated (using Windows Explorer), but not the content of a directory. Files will thus not be referenced, and subdirectories will only be referenced if they were navigated into. Shellbag entries are stored in the registry as a tree-like hierarchical data structure, allowing the browsed directory tree to be reconstructed. Information of interest, for each Shellbags entry on a given target / directory: target name and absolute path; target Modified, Accessed, and Created (MAC) timestamps (in UTC) retrieved from the $MFT at Shellbag entry creation (and not updated afterwards); and the order in which the sub-targets of a target were accessed (maintained in an MRUList list). Additionally, the first and last interaction timestamps can be indirectly deduced for some targets. | Locations starting from Windows 7. Windows Explorer activity: File: <SYSTEMDRIVE>:\Users\<USERNAME>\AppData\Local\Microsoft\Windows\UsrClass.dat. Registry keys: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags. Desktop and Network locations activity: File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry keys: HKCU\Software\Microsoft\Windows\Shell\BagMRU HKCU\Software\Microsoft\Windows\Shell\Bags. |
Registry - System Information | Page | Various information about the local system is stored in the registry: computer hostname and domain, local users, network interfaces, system timezone, exposed network shares, firewall status and rules, SIDs of users that have interactively logged in, installed applications, etc. | HKLM\SYSTEM - ComputerName HKLM\SOFTWARE - CurrentVersion HKLM\SECURITY - Policy HKLM\SOFTWARE - ProfileList HKLM\SAM - Users HKLM\SYSTEM - TimeZoneInformation HKLM\SYSTEM - Select HKLM\SYSTEM - Interfaces HKLM\SYSTEM - NetworkList HKLM\SYSTEM - LanmanServer\Shares HKLM\SYSTEM - FirewallPolicy HKLM\SOFTWARE & NTUSER - App Paths HKLM\SOFTWARE & NTUSER - Uninstall |
Registry - Terminal Server Client\Servers | Page | The Terminal Server Client\Servers registry key tracks the remote hosts the associated user connected to using the built-in mstsc.exe Remote Desktop client. Information of interest: IP address of the remote host and any saved username associated with the remote host. The last write timestamp may be an indicator of the first access to the remote host. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Terminal Server Client\Servers\<IP> |
Registry - Timestamp and timestomping | Page | The last write / modified timestamp of a registry key is the only generic timestamp available for registry keys and corresponds to the last time a write operation occurred on the key. There is no last write / modified timestamp for registry values. Similarly to MFT MACB timestamps, the last write / modified timestamp of a registry key can be timestomped, which is hard to detect without dedicated monitoring tools. | |
Registry - Tools | Page | Tools for processing the Windows Registry, including: RegistryExplorer, RECmd, and RegRipper. | |
Registry - TypedURLs | Page | The TypedURLs registry key tracks URLs entered (typed, pasted, or auto-completed) in the Internet Explorer (IE) web browser search bar. Web searches are not stored; only the URLs entered are tracked. Information of interest: URLs entered in the IE search bar. Values are stored in inverse chronological order. The timestamp of last visit of the most recently visited URL can thus be deduced from the last write timestamp of the registry key. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedURLs |
Registry - User Assist | Page | The UserAssist registry key references GUI program executions and, starting from Windows 7, shortcut executions. Information of interest: full path of the executed program / shortcut (encoded in ROT13), sometimes the timestamp of the last execution, an unreliable run counter, and focus count and time. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count. Windows XP: {75048700-EF1F-11D0-9888-006097DEACF9} (GUI program execution). Starting from Windows 7: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} (GUI program execution), {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} (shortcut execution). |
Registry - WordWheelQuery | Page | Introduced in Windows 7, and not present in Windows Server operating systems, the WordWheelQuery registry key tracks the keywords searched in the Windows Explorer search box. Information of interest: terms / keywords entered in the Windows Explorer search box. Values are ordered in a most recently used list. The timestamp of search of the most recently searched item can thus be deduced from the last write timestamp of the registry key. | File: <SYSTEMDRIVE>:\Users\<USERNAME>\NTUSER.dat. Registry key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery |