From version WinVer Windows Version 1803, registry hives do not existHKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Search\RecentAppsRun latest programs
Each GUID key is a previously launched application.
AppID - the name of the running application
LastAccessTime - start time in UTC
LaunchCount - the number of launch programs
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Studied and searched where they could move the data in the registry, but never found.
Can you tell where to look for them now?
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Search\RecentApps
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
So someone studied and conducted research that instead of the missing registry hives appeared to define the latest running applications in the registry???
does not exist
HKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Search\RecentApps
HKEY_CURRENT_USER\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
So someone studied and conducted research that instead of the missing registry hives appeared to define the latest running applications in the registry???
First off, your terminology is incorrect. You're not referring to hives…"AppCompatCache" is a Registry value and is located in the HKLM/System hive, or the C\Windows\system32\config\System file.
As such, the reason that one doesn't exist in your instance is because…not to put too fine a point on it…you're not looking in the right place.
As to the RecentApps key (not a hive, a key), one has to consider how the key is populated. Also, consider the context surrounding it…are there other keys and values in the user's hive that indicate extensive usage of the system, such as UserAssist and RecentDocs? Very often, when the user profile is relatively new on the system or simply has not been used extensively, the user's hive isn't populated with indications of extensive activity.
Another possibility…again, a possibility, as there is no context here…is defense evasion. If you put together a timeline of system activity, are there indications that someone opened the Registry Editor? There's a key in the user's hive that points to the last key that was open when RegEdit was shut down, so you could check there. Look for RegEdit under the Applets key in the user's hive.
Thank you for providing information about the Windows version, but there simply isn't enough context to provide much more in the way of a response. Sorry.
I researched the active use of Windows system versions up to 1803 they have this data, but since version 1803 with the active use of windows for more than a month, these keys do not appear in the registry. Also on the poster computer and the virtual environment I ran a certain file, after I investigated the registry and also these registry keys are missing, but in windows versions up to 1803 all these artifacts exist and are present.
Did you check the proper hive/path for the AppCompatCache value?
Yes, I was exactly wrong with that -(HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
namely, on this, I concentrated all my attention and this is notHKEY_CURRENT_USER\Software\Microsoft\Windows\Current Version\Search\RecentApps
Okay, but there are other sources of "program launch history" that are available…
