Forensics Windows Registry - program launch history


Forensics Windows Registry - program launch history

Post Posted: Sat Jan 12, 2019 6:52 am

Since Windows version 1803 (per WinVer), these registry hives no longer exist:
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
Recently run programs
Each GUID subkey is a previously launched application.
AppID - the name of the launched application
LastAccessTime - start time in UTC
LaunchCount - the number of program launches


Code:
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

I studied and searched for where the data could have been moved in the registry, but never found it.
Can you tell me where to look for it now?

Sunnych
Newbie
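A worked example, added here and not part of the thread: a small Python parser for a .reg export of the RecentApps key as described in the post above, which decodes each GUID subkey, converts the LastAccessTime FILETIME to UTC and orders the launches newest first. The sample export is constructed, and the value names (AppID, LastAccessTime, LaunchCount) are taken from the post as written; confirm the exact names against the system under examination.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed .reg export of the RecentApps key (sample data, not from the thread).
# LastAccessTime is a REG_QWORD FILETIME, which a .reg export writes as hex(b):
# little-endian bytes. Real exports are UTF-16LE files; decode them before use.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{11111111-2222-3333-4444-555555555555}]
"AppID"="C:\\Windows\\System32\\notepad.exe"
"LastAccessTime"=hex(b):00,28,0e,51,43,aa,d4,01
"LaunchCount"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\{aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee}]
"AppID"="Microsoft.WindowsCalculator_8wekyb3d8bbwe!App"
"LastAccessTime"=hex(b):00,90,d2,b2,4b,aa,d4,01
"LaunchCount"=dword:0000000a
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; no local-time conversion."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_reg_value(raw):
    """Decode the right-hand side of a .reg value line."""
    if raw.startswith('"'):                      # REG_SZ, backslashes/quotes escaped
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith('dword:'):                 # REG_DWORD, hex text
        return int(raw[6:], 16)
    if raw.startswith('hex(b):'):                # REG_QWORD, little-endian byte list
        return int.from_bytes(bytes.fromhex(raw[7:].replace(',', '')), 'little')
    return raw

def parse_recent_apps(reg_text):
    """One record per GUID subkey of RecentApps, most recent launch first."""
    entries, current = [], None
    for line in reg_text.splitlines():
        key = re.match(r'^\[(.+)\]$', line)
        if key:   # only GUID subkeys carry per-application values
            m = re.search(r'\\RecentApps\\(\{[0-9A-Fa-f-]+\})$', key.group(1))
            current = {'guid': m.group(1)} if m else None
            if current is not None:
                entries.append(current)
            continue
        val = re.match(r'^"([^"]+)"=(.+)$', line)
        if val and current is not None:
            current[val.group(1)] = parse_reg_value(val.group(2))
    for e in entries:
        e['last_access_utc'] = filetime_to_utc(e.get('LastAccessTime', 0))
    return sorted(entries, key=lambda e: e['last_access_utc'], reverse=True)
```

Because the timestamps are already UTC, the output can be merged directly into a system timeline without a time-zone adjustment.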
 
 
  

Forensics Windows Registry - program launch history???

Post Posted: Tue Jan 15, 2019 2:10 am

Does not exist:
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

So has someone studied and researched what appeared in the registry in place of the missing registry hives to identify the latest running applications???

Sunnych
Newbie
 
 
  

Re: Forensics Windows Registry - program launch history???

Post Posted: Tue Jan 15, 2019 5:20 am

- Sunnych
Does not exist:
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

So has someone studied and researched what appeared in the registry in place of the missing registry hives to identify the latest running applications???


First off, your terminology is incorrect. You're not referring to hives..."AppCompatCache" is a Registry value and is located in the HKLM/System hive, or the C:\Windows\system32\config\System file.

As such, the reason that one doesn't exist in your instance is because...not to put too fine a point on it...you're not looking in the right place.

As to the RecentApps key (not a hive, a key), one has to consider how the key is populated. Also, consider the context surrounding it...are there other keys and values in the user's hive that indicate extensive usage of the system, such as UserAssist and RecentDocs? Very often, when the user profile is relatively new on the system or simply has not been used extensively, the user's hive isn't populated with indications of extensive activity.

Another possibility...again, a possibility, as there is no context here...is defense evasion. If you put together a timeline of system activity, are there indications that someone opened the Registry Editor? There's a key in the user's hive that points to the last key that was open when RegEdit was shut down, so you could check there. Look for RegEdit under the Applets key in the user's hive.

Thank you for providing information about the Windows version, but there simply isn't enough context to provide much more in the way of a response. Sorry.  

keydet89
Senior Member
 
 
  

Re: Forensics Windows Registry - program launch history

Post Posted: Tue Jan 15, 2019 6:29 am

I researched actively used Windows systems with versions up to 1803, and they have this data, but since version 1803, even with active use of Windows for more than a month, these keys do not appear in the registry. Also, on the poster computer and in a virtual environment I ran a certain file, and afterwards I investigated the registry and these registry keys are missing there as well, but in Windows versions up to 1803 all these artifacts exist and are present.

Sunnych
Newbie
 
 
  

Re: Forensics Windows Registry - program launch history

Post Posted: Tue Jan 15, 2019 6:57 am

Did you check the proper hive/path for the AppCompatCache value?  

keydet89
Senior Member
 
 
  

Re: Forensics Windows Registry - program launch history

Post Posted: Tue Jan 15, 2019 7:31 am

Yes, I was exactly wrong with that.
Code:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Namely, I concentrated all my attention on this one, and it is not there:
Code:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps
 

Sunnych
Newbie
 
 
  

Re: Forensics Windows Registry - program launch history

Post Posted: Sat Jan 19, 2019 5:28 am

Okay, but there are other sources of "program launch history" that are available...  

keydet89
Senior Member
 
 
