Program Execution Traces in Registry - nurit-cyber/OperatingSystemForensics GitHub Wiki

Table of Contents

- UserAssist
- AppCompatCache
- AmCache

UserAssist

Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

Entries (the value names under each Count subkey) are ROT13 encoded.

Any application that has been run on the system is recorded, along with how many times it has been executed and the last time it was executed. The file path and the session ID are also available.

Since the entries are encoded, a decoder is useful; two examples are UserAssist by Didier Stevens and UserAssistant by 4Discovery.
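As an added example (not part of the wiki page or either tool named above), the following Python code decodes one UserAssist Count entry the way such a decoder does: it ROT13-decodes the value name and unpacks the 72-byte value layout used by Windows 7 and later (session ID, run count, focus count, focus time and the last-execution FILETIME). The sample entry and its data are constructed here; the GUID in the name is the known-folder GUID for System32.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to an aware UTC datetime (None if the field is 0)."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_userassist_name(encoded_name):
    """Value names under ...\\UserAssist\\{GUID}\\Count are ROT13; recover the real path."""
    return codecs.decode(encoded_name, "rot_13")


def parse_userassist_value(data):
    """Parse the 72-byte Windows 7+ Count value: offset 0 session ID, 4 run count,
    8 focus count, 12 focus time (ms), 60 last execution FILETIME.
    Other sizes (e.g. the older 16-byte XP/Vista format) are rejected."""
    if len(data) != 72:
        raise ValueError(f"unsupported UserAssist value size: {len(data)}")
    session_id, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "session_id": session_id,
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def build_sample_value(session_id, run_count, focus_count, focus_ms, last_run):
    """Build a constructed 72-byte value for demonstration (not data from a real hive)."""
    delta = last_run - _FILETIME_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    return (struct.pack("<4I", session_id, run_count, focus_count, focus_ms)
            + bytes(44)                 # offsets 16..59: ten floats and one DWORD, unused here
            + struct.pack("<Q", ft)     # offset 60: last execution time
            + bytes(4))                 # offset 68: trailing DWORD, normally 0


# Constructed entry as it would appear in a Count subkey (ROT13 of the System32 path).
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_DATA = build_sample_value(
    session_id=0, run_count=7, focus_count=3, focus_ms=12345,
    last_run=datetime(2021, 3, 15, 10, 30, tzinfo=timezone.utc))
```

Running `decode_userassist_name(SAMPLE_NAME)` and `parse_userassist_value(SAMPLE_DATA)` yields the decoded path and a record with run count 7 and last run 2021-03-15 10:30 UTC.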

AppCompatCache

Application Compatibility Cache (Shim Cache)

Location: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

An application may depend on DLLs that provide it with certain capabilities (networking, process creation, etc.). When the application tells those DLLs what it wants to do, the system checks that they can satisfy the requests; specifically, it consults the Shim Cache.

Forensic importance:

No application is executed without the system checking the Shim Cache.

For example, a piece of malware may delete itself immediately after execution. Its Prefetch file can be deleted as well (that is relatively easy), but an entry will also remain in the Shim Cache, which is more complicated to remove because it is stored in the Windows Registry.

AppCompatCache records everything that has been executed, and also executables in any location opened in File Manager. Windows records these preemptively in the compatibility cache so that it can test in advance whether the application is compatible.

Timestamps:

- $SI Last Modification time of the file != last time the executable was executed

Windows 8+: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Windows 7: some user-based entries are also located in NTUSER.DAT

SIGN.MEDIA --> The application was executed from an external drive or media rather than from the OS drive.

AmCache

Windows Vista+: Registry file

Location: C:\Windows\AppCompat\Programs\Amcache.hve

Tips

Some applications can be hidden by adding Unicode characters to the Windows Registry entry, but most current-day tools still discover these entries.