During a forensic analysis of a Windows system, it is often critical to understand when and how a particular process was started. To identify this activity, we can extract from the target system a set of artifacts that are useful for collecting evidence of program execution.

UserAssist

On a Windows system, every GUI-based program launched from the desktop is tracked in this registry key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
It contains a list of paths and executables, and the value of each of those is the time it was last executed, in FILETIME format (64-bit little-endian) in UTC.

RecentApps

Program execution on a Win10 system is tracked in the RecentApps key:
HKCU\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
Each GUID subkey points to a recent application:
AppID = name of the application
LastAccessTime = last execution time in UTC
LaunchCount = number of times executed

ShimCache

The Windows Application Compatibility Database is used by Windows to identify possible application compatibility problems with executables; it tracks each executable's file name, file size and last modified time. The last 1,024 programs executed on the Windows system can be found in this key:
HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Notes
On Windows 7/8/10 the cache contains at most 1,024 entries. The LastUpdateTime field does not exist on Win7/8/10 systems. You can use this key to identify the systems on which a specific piece of malware was executed, using a dedicated tool such as ShimCacheParser.py by Mandiant.

Amcache.hve

ProgramDataUpdater (a task associated with the Application Experience Service) uses the registry hive file Amcache.hve, located in C:\Windows\AppCompat\Programs\Amcache.hve, to store data during process creation. This hive records the first execution of a program on the system, including portable programs executed from external storage.
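The UserAssist and ShimCache sections above describe what the artifacts contain but not how to read them. The following is an added example, not code from the original post or from ShimCacheParser.py, that decodes both from raw registry bytes on constructed sample data. It assumes two layouts that the post does not spell out: UserAssist value names are ROT13-encoded and, on Windows 7 and later, the 72-byte binary value holds the run count at offset 4 and the last-executed FILETIME at offset 60; and on Windows 10 the AppCompatCache value starts with a header whose first DWORD is the header length (0x30, or 0x34 from the Creators Update) followed by entries of the form "10ts" magic, 4 unknown bytes, entry length, path length (WORD), UTF-16LE path, last-modified FILETIME, data length and data. The sample bytes, paths and timestamps are constructed for the example.

```python
"""Added example (not part of the original post): decode UserAssist values and a
Windows 10 ShimCache blob offline, on constructed sample data.

Assumed layouts (not stated on the page, see lead-in):
  * UserAssist: ROT13 value name; 72-byte value, run count at offset 4,
    last-executed FILETIME at offset 60 (Windows 7 and later).
  * ShimCache (Windows 10): header length in the first DWORD, then entries of
    '10ts' magic, 4 unknown bytes, entry length, WORD path length, UTF-16LE
    path, last-modified FILETIME, DWORD data length, data.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft):
    """FILETIME is a 64-bit little-endian count of 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist(value_name, raw):
    """Return (program, run_count, last_executed_utc) for one UserAssist value."""
    program = codecs.decode(value_name, "rot_13")
    if len(raw) != 72:
        raise ValueError("unexpected UserAssist value size %d" % len(raw))
    run_count = struct.unpack_from("<I", raw, 4)[0]
    ft = struct.unpack_from("<Q", raw, 60)[0]
    # A zero FILETIME means "never recorded", not the year 1601.
    return program, run_count, filetime_to_utc(ft) if ft else None


def parse_shimcache_win10(blob):
    """Return a list of {'path', 'last_modified'} dicts in cache order (assumed layout)."""
    header_len = struct.unpack_from("<I", blob, 0)[0]
    off = header_len
    entries = []
    while off + 12 <= len(blob) and blob[off:off + 4] == b"10ts":
        entry_len = struct.unpack_from("<I", blob, off + 8)[0]
        body = blob[off + 12:off + 12 + entry_len]
        path_len = struct.unpack_from("<H", body, 0)[0]
        path = body[2:2 + path_len].decode("utf-16-le")
        ft = struct.unpack_from("<Q", body, 2 + path_len)[0]
        entries.append({"path": path, "last_modified": filetime_to_utc(ft)})
        off += 12 + entry_len
    return entries


def find_paths(entries, needle):
    """Case-insensitive triage: which cache entries mention a known file name."""
    needle = needle.lower()
    return [e["path"] for e in entries if needle in e["path"].lower()]


# --- constructed sample data --------------------------------------------------
SAMPLE_TIME = datetime(2021, 3, 4, 12, 0, tzinfo=timezone.utc)

# ROT13 of the constructed path C:\Tools\tool.exe
SAMPLE_UA_NAME = "P:\\Gbbyf\\gbby.rkr"
SAMPLE_UA_RAW = (b"\x00" * 4 + struct.pack("<I", 3) + b"\x00" * 52
                 + struct.pack("<Q", utc_to_filetime(SAMPLE_TIME)) + b"\x00" * 4)


def build_shimcache_entry(path, last_modified):
    """Build one '10ts' entry in the assumed Windows 10 layout (sample data only)."""
    p = path.encode("utf-16-le")
    body = (struct.pack("<H", len(p)) + p
            + struct.pack("<Q", utc_to_filetime(last_modified))
            + struct.pack("<I", 0))          # zero-length trailing data
    return b"10ts" + b"\x00" * 4 + struct.pack("<I", len(body)) + body


SAMPLE_SHIMCACHE = (struct.pack("<I", 0x30) + b"\x00" * (0x30 - 4)
                    + build_shimcache_entry("C:\\Windows\\System32\\notepad.exe", SAMPLE_TIME)
                    + build_shimcache_entry("E:\\portable\\tool.exe",
                                            SAMPLE_TIME + timedelta(hours=1)))

if __name__ == "__main__":
    print(parse_userassist(SAMPLE_UA_NAME, SAMPLE_UA_RAW))
    for entry in parse_shimcache_win10(SAMPLE_SHIMCACHE):
        print(entry["last_modified"].isoformat(), entry["path"])
    print(find_paths(parse_shimcache_win10(SAMPLE_SHIMCACHE), "tool.exe"))
```

On a real system the UserAssist values would be read from the key under each GUID subkey (the count subkey), and the AppCompatCache bytes from the value in the Session Manager key; note that ShimCache records the executable's last-modified time, not an execution time, so a match shows presence in the cache rather than proving when the file ran.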