Misc Artifacts - Foren-Ken/tech-journal GitHub Wiki
CurrentControlSet
Tool: Registry Explorer
| Artifact | Location | Usage |
|---|---|---|
| CurrentControlSet | HKEY_LOCAL_MACHINE\SYSTEM\Select - Current | Location |
Time Zone Information
Tool: Registry Explorer
Bias / Daylight Bias = UTC +/- X
| Artifact | Location | Usage |
|---|---|---|
| TimeZoneInformation | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation | Artifact Location |
Logon Programs
| Artifact | Location | Usage |
|---|---|---|
| Local Machine Run | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | Contains information on programs which run when the Windows OS starts |
| Local Machine RunOnce | HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce | Contains information on programs which only run once when the Windows OS starts. |
| Current User Run | HKCU\Software\Microsoft\Windows\CurrentVersion\Run | Displays programs which run |
| Current User RunOnce | HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce | |
MRU Lists
| Artifact | Location | Usage |
|---|---|---|
| RunMRU | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU | Displays commands run through Windows Key + R |
| Typed Paths | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths | |
| OpenSaveMRU | HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU | |