Program Execution Traces - Foren-Ken/tech-journal GitHub Wiki
UserAssist
Tool: Registry Explorer v2.0.0.0
UserAssist is meant to obtain statistics on user usage for better usage. Provides the following information:
- File Path
- Session ID
- Program Run Counter
- Last time program was run
| Artifact | Location | Purpose |
|---|---|---|
| UserAssist | HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Explorer\UserAssist | Provides evidence that a program was run. Underneath UserAssist will be {guid}. {guid} splits executables among the different ways to execute a file. |
| Focus Time | HKEY_CURRENT_USER\Software\Microsoft\Windows\ CurrentVersion\Explorer\UserAssist | Provides information about how long a window was in the front of all others. |
AppCompatCache
Tool: Registry Explorer v2.0.0.0
Utilizes AppCompatCache (a functionality which checks if an executable is compatible with the operating system). This can be used to prove if a file was run.
| Artifact | Location | Purpose |
|---|---|---|
| AppCompatCache | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Control\SessionManager\AppCompatCache | Stores timestamps on last modification time. Does not provide information on last time the executable was executed. Does not prove if the executable was executed at all. |
| SIGN.MEDIA | HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ SessionManager\AppCompatCache | A value which, when present, means that the executable came from a USB or removable storage device. |
AmCache.hve
Tool: Amcache Parser v2.0.0.0
Contains information about recently executed executables on the device. The following is stored:
- Executable Full Path
- File Timestamps (Last modified and Created)
- SHA1 hash of the file
- PE Linker Timestamp
| Artifact | Location | Purpose |
|---|---|---|
| AmCache.hve | [Drive Letter]\Windows\AppCompat\ Programs\Amcache.hve | Location of AmCache.hve |