Welcome back, aspiring digital investigators!
In this part of our registry forensics series, we will explore the traces left behind when programs are opened, files are viewed, and actions are taken on a computer. This is one of the most rewarding parts of the Windows Registry to study. Even when attackers try their best to hide, small footprints often remain buried in the registry, and those traces can help us understand exactly what happened on a system. Evidence of execution is worth studying because it connects computer activity with real behavior: every opened document and launched application becomes a clue. When you learn where to look and how to interpret these artifacts, the registry can feel almost like a diary of the system's past activity. Two things to keep in mind throughout: most of the artifacts below live in the per-user hives (NTUSER.DAT and USRCLASS.DAT), so each one tells you what a particular account did, and every timestamp the registry stores is in UTC, so convert before lining it up with local-time evidence.
Let’s begin this journey through the registry and uncover what users, applications, and sometimes intruders leave behind.
Recent Activity
Several locations can reveal files the user interacted with and places they visited.
Known Files
Windows keeps track of recently opened files for every user, and this information is stored inside the NTUSER.DAT hive. As a reminder, this hive contains all user-specific settings and preferences, which also makes it a goldmine for understanding what a user interacted with. The path we are interested in is:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
In Registry Explorer, this area is neatly organized so that the most recently opened files appear at the top. This makes it easy to see what the user was working with before the machine was collected. The key itself stores only file names, not full paths, one per numbered value, with the order of use kept in the MRUListEx value; per-extension subkeys such as .docx or .pdf and a Folder subkey hold the same kind of list for each file type. The LastWrite time of a subkey tells you when the most recent entry of that type was added, and that is the only timestamp RecentDocs gives you; the matching .lnk file in the user's Recent folder carries the full path and its own timestamps. These lists can contain documents, images, executables, and more. For forensic analysts, they often provide context about what the user knew and what they accessed.

Office Recent Files
Just like Windows Explorer, Microsoft Office keeps its own list of recently opened documents. These entries also live in the NTUSER hive. Each version of Office uses a slightly different path, so the exact location depends on the version number (14.0 is Office 2010, 15.0 is Office 2013, 16.0 is Office 2016, 2019 and Microsoft 365), and each application (Word, Excel, PowerPoint) has its own subkey:
NTUSER.DAT\Software\Microsoft\Office\VERSION
For example, Office 2013 keeps Word's list under:
NTUSER.DAT\Software\Microsoft\Office\15.0\Word\File MRU
Newer Office versions tied to a user's Microsoft account save this information under:
NTUSER.DAT\Software\Microsoft\Office\VERSION\Word\User MRU\LiveId_####\File MRU
This area not only lists recently accessed files but also stores their full paths and, in each Item value, a FILETIME of the last time the document was opened, which lets us reconstruct user behavior in great detail.
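Each Item value in a File MRU key is a single string that packs flags, a FILETIME and the document path together, so decoding it by hand is tedious. The parser below is an added example written for this article, not code from the original post or from Microsoft: it splits the Item string with a regular expression, converts the 16-hex-digit T field from FILETIME to a UTC datetime, and orders the items newest first. The three Item values are constructed samples in the format Office writes (the path and user name are made up); in a real case you would read them from the hive with a library such as python-registry.

```python
import re
from datetime import datetime, timedelta, timezone

# Values under ...\Word\User MRU\LiveId_xxxx\File MRU (and the older ...\Word\File MRU)
# are named "Item 1", "Item 2", ... and look like
#   [F00000000][T01DA76C3BBA98400][O00000000]*C:\Users\jdoe\Documents\report.docx
# The T field is a 64-bit FILETIME as 16 hex digits (UTC). The [O...] group is
# missing in some Office versions, so it is optional here.
ITEM_RE = re.compile(
    r"^\[F(?P<flags>[0-9A-Fa-f]{8})\]"
    r"\[T(?P<filetime>[0-9A-Fa-f]{16})\]"
    r"(?:\[O(?P<other>[0-9A-Fa-f]{8})\])?"
    r"\*(?P<path>.+)$"
)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_office_mru_item(value: str) -> dict:
    m = ITEM_RE.match(value)
    if m is None:
        raise ValueError(f"not an Office File MRU item: {value!r}")
    return {"path": m["path"], "last_opened": filetime_to_datetime(int(m["filetime"], 16))}


def office_file_mru(values: dict[str, str]) -> list[dict]:
    """Parse every 'Item N' value of a File MRU key and return them newest first."""
    items = [parse_office_mru_item(v) for k, v in values.items() if k.startswith("Item ")]
    return sorted(items, key=lambda it: it["last_opened"], reverse=True)


# Constructed sample (not data from the original post). Item 1 decodes to
# 2024-03-15 10:30:00 UTC; the other two are earlier.
SAMPLE_FILE_MRU = {
    "Item 1": "[F00000000][T01DA76C3BBA98400][O00000000]*C:\\Users\\jdoe\\Documents\\quarterly-report.docx",
    "Item 2": "[F00000000][T01DA76BC2C3E1400][O00000000]*\\\\fileserver\\finance\\contract-draft.docx",
    "Item 3": "[F00000000][T01DA700000000000]*D:\\USB\\notes.docx",
}


if __name__ == "__main__":
    for it in office_file_mru(SAMPLE_FILE_MRU):
        print(it["last_opened"].isoformat(), it["path"])
```

Note that the Item numbering is not the order of use: Office renumbers the list as documents are opened, so sort on the decoded timestamp rather than trusting "Item 1" to be the newest.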
ShellBags
Whenever a user opens a folder, Windows stores information about icons, list mode, size, and more. These details help Windows remember the user’s preferred layout, but for investigators, ShellBags can reveal what folders were opened, even if those folders have since been deleted.
Because this data is tied to each user, the artifacts appear in both USRCLASS.DAT and NTUSER.DAT. Each hive holds a BagMRU key, which records the hierarchy of folders that were browsed, and a Bags key, which holds the view settings for each of those folders:
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
USRCLASS.DAT\Local Settings\Software\Microsoft\Windows\Shell\Bags
NTUSER.DAT\Software\Microsoft\Windows\Shell\BagMRU
NTUSER.DAT\Software\Microsoft\Windows\Shell\Bags
On Windows 7 and later most of the data sits in USRCLASS.DAT. Registry Explorer doesn't display ShellBags very clearly, so investigators usually turn to Eric Zimmerman's ShellBags Explorer, which parses the data into a readable folder tree and derives first and last interaction times from the keys' LastWrite timestamps. Bear in mind that a ShellBag shows a folder was browsed in Explorer (or in an Open/Save dialog), not that any file inside it was opened; removable and network folders are recorded too, which is exactly why these entries survive the deletion of the original folder.


Open/Save Dialogs and Last Visited Locations
Whenever you open or save a file, Windows remembers the last folders you interacted with. These familiar dialog boxes leave behind registry traces that can tell us which folders a user visited most recently. This is helpful when reconstructing user workflows or identifying unusual activity.
These keys can be found here:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
OpenSavePidlMRU is split into subkeys per file extension (plus a * subkey that covers every file), each with its own MRUListEx ordering. LastVisitedPidlMRU records the name of the executable that opened the dialog together with the folder it was pointed at, so it links an application to a location as well as a user to a folder. On Windows XP the same data lived in OpenSaveMRU and LastVisitedMRU.
These entries often reveal where files were saved, what folders were browsed, and what the user was doing shortly before the investigation began.
Windows Explorer Address and Search Bars
Windows also logs paths typed into the Explorer address bar as well as search queries performed from the Explorer search box. They reveal intent, showing what the user was actively looking for.
You can find them here:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
TypedPaths holds the paths in values named url1, url2 and so on, with url1 the most recent. WordWheelQuery stores each search term as a UTF-16 string in a numbered value, with the order of use kept in its MRUListEx value, just as RecentDocs does.
The more a user interacts with their system, the richer this data becomes. Registry Explorer shows these entries clearly, making it easy to spot both normal and unusual activity.
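RecentDocs (above, under Known Files) and WordWheelQuery both order their numbered values through an MRUListEx value, so one parser covers both. The following is an added example written for this article, not code from the original post: it decodes the MRUListEx order and then pulls the file name out of a RecentDocs entry (the leading UTF-16LE string, before the shell item that names the .lnk) or the search term out of a WordWheelQuery value (a NUL-terminated UTF-16LE string). The registry values are constructed samples in the shape Windows writes; in a real case you would read them from the hive with a library such as python-registry.

```python
import struct


def mru_order(mrulistex: bytes) -> list[int]:
    """Decode an MRUListEx value: little-endian DWORD indexes, most recent first,
    terminated by 0xFFFFFFFF."""
    order = []
    usable = mrulistex[: len(mrulistex) - len(mrulistex) % 4]  # drop a trailing partial DWORD
    for (idx,) in struct.iter_unpack("<I", usable):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order


def leading_utf16(data: bytes) -> str:
    """Return the UTF-16LE string at the start of `data`, stopping at its NUL terminator
    (checked on 2-byte boundaries so a 0x00 byte inside a character is not mistaken for it)."""
    for i in range(0, len(data) - 1, 2):
        if data[i:i + 2] == b"\x00\x00":
            return data[:i].decode("utf-16-le")
    return data.decode("utf-16-le", errors="replace")


def ordered_entries(values: dict[str, bytes]) -> list[str]:
    """Decode the numbered values of a RecentDocs or WordWheelQuery key in MRU order.

    RecentDocs values start with the file name; WordWheelQuery values are just the
    search term. Indexes listed in MRUListEx with no matching value (cleared
    entries) are skipped, so the list, not the value names, is the authority."""
    order = mru_order(values["MRUListEx"])
    return [leading_utf16(values[str(i)]) for i in order if str(i) in values]


# --- Constructed samples (not data from the original post) -------------------
def _recentdocs_entry(file_name: str, lnk_name: str) -> bytes:
    # A real entry is: UTF-16LE file name, NUL, then a shell item naming the .lnk in
    # the Recent folder; the shell item is reduced to the bare .lnk name here.
    return file_name.encode("utf-16-le") + b"\x00\x00" + lnk_name.encode("utf-16-le") + b"\x00\x00"


SAMPLE_RECENTDOCS = {
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
    "0": _recentdocs_entry("quarterly-report.docx", "quarterly-report.lnk"),
    "1": _recentdocs_entry("invoice-2024-03.pdf", "invoice-2024-03.lnk"),
    "2": _recentdocs_entry("archive.7z", "archive.lnk"),
}

SAMPLE_WORDWHEELQUERY = {
    "MRUListEx": struct.pack("<4I", 1, 2, 0, 0xFFFFFFFF),
    "0": "budget".encode("utf-16-le") + b"\x00\x00",
    "1": "password".encode("utf-16-le") + b"\x00\x00",
    "2": "*.kdbx".encode("utf-16-le") + b"\x00\x00",
}


if __name__ == "__main__":
    print("RecentDocs (newest first):", ordered_entries(SAMPLE_RECENTDOCS))
    print("Explorer searches (newest first):", ordered_entries(SAMPLE_WORDWHEELQUERY))
```

The same mru_order function applies to the OpenSavePidlMRU subkeys described earlier; their entries are PIDLs rather than plain strings, so only the ordering part carries over there.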
Evidence of Execution
A few locations can be helpful for spotting evidence of execution, sometimes even with timestamps.
UserAssist
UserAssist is one of the most famous registry artifacts in Windows forensics. Windows uses it to track applications launched through the Windows Explorer interface (the Start menu, desktop and taskbar shortcuts, double-clicked executables). The entries store the name of the program, how many times it was run, and when it was last executed. Because the data is stored per-user, it's located in:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Two GUID subkeys matter on Windows 7 and later: {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} for executables and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} for shortcuts. The value names are ROT13-encoded (cmd.exe appears as pzq.rkr) and each value is a 72-byte binary blob holding the run count, the focus count, the focus time and the last-executed FILETIME; Registry Explorer decodes all of this for you. Programs launched from the command line, by scheduled tasks or by services do not appear here, which is something attackers sometimes rely on to reduce their footprint. Still, many legitimate and malicious activities pass through Explorer, so UserAssist often provides strong evidence of execution.
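To show what a tool has to do to turn a Count value into a line of evidence, here is an added example written for this article (not code from the original post or from any of the tools it names). It ROT13-decodes the value name, resolves one known-folder GUID prefix as an illustration, and unpacks the 72-byte Windows 7+ layout (run count at offset 4, focus count at 8, focus time at 12, last-executed FILETIME at 60); the 16-byte Windows XP layout is handled as well, since that is the other format you will meet. The Count values are constructed samples; the user name and program paths in them are made up.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Count subkeys used on Windows 7 and later
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk)",
}
# Value names often begin with a KNOWNFOLDERID; FOLDERID_System is resolved here as one example
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32"}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int):
    """100 ns ticks since 1601-01-01 UTC; 0 means no time was ever recorded."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_value_name(name: str) -> str:
    """Value names are ROT13-encoded; expand a known-folder GUID prefix if present."""
    plain = codecs.decode(name, "rot_13")
    for guid, folder in KNOWN_FOLDERS.items():
        if plain.upper().startswith(guid):
            return folder + plain[len(guid):]
    return plain


def parse_userassist_value(data: bytes) -> dict:
    """Decode one Count value.

    Windows 7+ (72 bytes): run count at offset 4, focus count at 8, focus time in
    ms at 12, last-executed FILETIME at 60.
    Windows XP (16 bytes): run count at 4 (stored with 5 added), FILETIME at 8.
    """
    if len(data) >= 72:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"run_count": run_count, "focus_count": focus_count,
                "focus_time_ms": focus_ms, "last_executed": filetime_to_datetime(ft)}
    if len(data) == 16:
        _session, count, ft = struct.unpack("<IIQ", data)
        return {"run_count": max(count - 5, 0), "focus_count": None,
                "focus_time_ms": None, "last_executed": filetime_to_datetime(ft)}
    raise ValueError(f"unexpected UserAssist value length {len(data)}")


def parse_userassist(count_values: dict[str, bytes]) -> list[dict]:
    """Parse a whole Count key; newest execution first, entries without a time last."""
    rows = []
    for name, data in count_values.items():
        row = parse_userassist_value(data)
        row["program"] = decode_value_name(name)
        rows.append(row)
    never = datetime.min.replace(tzinfo=timezone.utc)
    return sorted(rows, key=lambda r: r["last_executed"] or never, reverse=True)


def _win7_value(run_count: int, focus_count: int, focus_ms: int, ft: int) -> bytes:
    # Constructed 72-byte value in the Windows 7+ layout (sample data, not from the post)
    return (struct.pack("<4I", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", ft) + b"\x00" * 4)


SAMPLE_COUNT = {
    # {1AC14E77-...}\cmd.exe: run 7 times, last at 2024-03-15 10:30:00 UTC
    "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr": _win7_value(7, 3, 45000, 0x01DA76C3BBA98400),
    # C:\Users\jdoe\Downloads\updater.exe: run once, some days earlier
    "P:\\Hfref\\wqbr\\Qbjaybnqf\\hcqngre.rkr": _win7_value(1, 1, 2000, 0x01DA700000000000),
    # Microsoft.Windows.Explorer: present but with no recorded execution time
    "Zvpebfbsg.Jvaqbjf.Rkcybere": _win7_value(0, 0, 0, 0),
}


if __name__ == "__main__":
    for row in parse_userassist(SAMPLE_COUNT):
        print(f"{row['last_executed']}  x{row['run_count']:<3} {row['program']}")
```

Entries whose FILETIME is zero are common (Windows pre-populates some names), so treat a missing time as "no execution recorded" rather than as 1601-01-01.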
ShimCache
ShimCache, also known as the Application Compatibility Cache, helps Windows keep older applications functioning properly. From a forensic perspective it becomes a historical list of programs Windows has encountered. It does not record execution time: each entry stores the full path and the file's last modification time (from $STANDARD_INFORMATION), plus, on Windows 7 and 8, a flag telling whether the file was actually executed. Windows XP also recorded file sizes; later versions do not. Two caveats matter in practice: the cache is written back to the registry only at shutdown or reboot, so the newest entries may exist only in memory on a live system, and on Windows 10 an entry proves the file was present and examined (for example browsed to in Explorer), not necessarily that it ran.
You can find it here:
SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Because the data is one large binary value that is not easy to read manually, tools like Eric Zimmerman's AppCompatCacheParser are used to convert it into a readable CSV file. The -f option takes the SYSTEM hive and --csv the directory where the CSV should be written; on an offline hive there is no CurrentControlSet, so the tool follows the Select key to the current ControlSet00N, or you can pick one with -c. The basic invocation is:
AppCompatCacheParser.exe --csv -f 
AmCache
AmCache complements ShimCache and goes further: for each file it records the full path, size, version and publisher taken from the PE metadata, and a SHA-1 hash (of the first 31,457,280 bytes only, so for larger files the value will not match a full-file hash). The LastWrite time of an entry's key is when Windows first inventoried the file, which is usually close to, but not the same as, its first execution; as with ShimCache, an AmCache entry shows the file existed and was examined, so confirm execution with another artifact where you can. The hashes still make it a valuable artifact for identifying exactly which binaries were on the system and checking them against threat intelligence.
The hive is located at:
C:\Windows\AppCompat\Programs\Amcache.hve
Inside the hive, program entries appear at:
Amcache.hve\Root\File\{Volume GUID}\
On Windows 10 1709 and later the file entries moved to Root\InventoryApplicationFile, with Root\InventoryApplication holding installed programs.
Registry Explorer displays AmCache in a clear and structured way, making it straightforward to review, and AmcacheParser from the same toolset exports it to CSV.
BAM/DAM
BAM (Background Activity Monitor) and DAM (Desktop Activity Moderator) are Windows 10 services, introduced in version 1709, that throttle background activity for power management. As a side effect they record the full path of every executable each user has run, with the time it last ran. These artifacts are helpful when trying to identify whether a suspicious program ran shortly before collection.
They can be found at:
SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}
SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}
On Windows 10 1809 and later the keys moved one level down, to bam\State\UserSettings\{SID} and dam\State\UserSettings\{SID}. Each value is named with the executable's NT path (\Device\HarddiskVolume3\... rather than C:\...; map volumes to drive letters with SYSTEM\MountedDevices) and holds 24 bytes whose first 8 are the last-run FILETIME. The SID tells you which user ran the program. The dam key is often empty on desktop systems, so bam is usually the one worth checking.
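The following is an added example for this article, not code from the original post: it parses the values of one BAM {SID} key, skips the bookkeeping values (Version and SequenceNumber) that sit beside the program entries, reads the FILETIME from the first 8 bytes of each 24-byte value, rewrites the NT device path to a drive letter using a volume map, and then answers the question the section poses: which programs ran within a window before the collection time. The key contents, the volume map (assumed to have been taken from MountedDevices) and the collection time are constructed samples.

```python
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Values under each {SID} key that are bookkeeping, not program entries
NON_PROGRAM_VALUES = {"Version", "SequenceNumber"}


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_bam_user_key(values: dict[str, bytes], volume_map: Optional[dict[str, str]] = None) -> list[dict]:
    """Parse the values of bam\\...\\UserSettings\\{SID}, newest run first.

    Each program value is named by the executable's NT path and holds 24 bytes whose
    first 8 are the last-run FILETIME (UTC). volume_map translates
    \\Device\\HarddiskVolumeN prefixes to drive letters; it is assumed to come from
    SYSTEM\\MountedDevices on the same machine.
    """
    rows = []
    for name, data in values.items():
        if name in NON_PROGRAM_VALUES or len(data) < 8:
            continue
        (ft,) = struct.unpack_from("<Q", data, 0)
        path = name
        for device, letter in (volume_map or {}).items():
            if name.startswith(device):
                path = letter + name[len(device):]
                break
        rows.append({"path": path, "last_run": filetime_to_datetime(ft)})
    return sorted(rows, key=lambda r: r["last_run"], reverse=True)


def executed_within(rows: list[dict], collected_at: datetime, hours: float) -> list[dict]:
    """Entries whose last run falls within `hours` before the collection time."""
    start = collected_at - timedelta(hours=hours)
    return [r for r in rows if start <= r["last_run"] <= collected_at]


# --- Constructed sample for one SID key (not data from the original post) ---
def _bam_value(dt: datetime) -> bytes:
    # FILETIME followed by 16 bytes this example does not interpret
    return struct.pack("<Q", datetime_to_filetime(dt)) + b"\x00" * 16


COLLECTED_AT = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)
VOLUME_MAP = {"\\Device\\HarddiskVolume3": "C:"}
SAMPLE_BAM = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 42),
    "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe":
        _bam_value(datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)),
    "\\Device\\HarddiskVolume3\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe":
        _bam_value(datetime(2024, 3, 15, 11, 47, tzinfo=timezone.utc)),
    "\\Device\\HarddiskVolume3\\Program Files\\Mozilla Firefox\\firefox.exe":
        _bam_value(datetime(2024, 3, 9, 8, 5, tzinfo=timezone.utc)),
}


if __name__ == "__main__":
    rows = parse_bam_user_key(SAMPLE_BAM, VOLUME_MAP)
    for r in executed_within(rows, COLLECTED_AT, hours=2):
        print(r["last_run"].isoformat(), r["path"])
```

In the sample, a binary named svchost.exe running from a user's Temp folder is exactly the kind of path-versus-name mismatch this artifact surfaces; BAM only stores the last run, so a program executed many times shows up once with its most recent time.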
USB Devices
USB devices often play a major role in forensic investigations. Whether data was copied to an external drive, or a malicious USB device was connected, the registry usually keeps a record of it.
Device identifiers can be found here:
SYSTEM\CurrentControlSet\Enum\USBSTOR
SYSTEM\CurrentControlSet\Enum\USB
These entries include the vendor, product and revision strings the device reported (in the USBSTOR key name, as Disk&Ven_xxx&Prod_xxx&Rev_xxx), the USB vendor and product IDs (in the USB key name, as VID_xxxx&PID_xxxx), and the device serial number as the name of the instance subkey beneath them. If the second character of that serial is &, the device reported no unique serial and Windows generated one, so it cannot be used to tie the artifact to one specific physical stick. Timestamps of when the device was first installed, last connected and last removed live under the instance subkey at Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0064, \0066 and \0067 respectively, each stored as a FILETIME. To find the friendly name (the volume label) of a drive, you can use:
SOFTWARE\Microsoft\Windows Portable Devices\Devices
The subkey names here embed the same USBSTOR identifier and serial, so matching on the serial links a volume label to a physical device. By comparing this data with the entries in USBSTOR, investigators can identify specific devices and understand how they were used.
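The following is an added example written for this article, not code from the original post: it flattens a USBSTOR subtree into one row per device, splitting the vendor, product and revision out of the key name, flagging Windows-generated serials, decoding the first-install, last-arrival and last-removal FILETIMEs from the Properties subkeys, and matching the serial against a Windows Portable Devices key name to recover the volume label. The registry contents are constructed samples built in the shape Windows writes them (the serials, timestamps and label are made up); the VID/PID helper shows how the Enum\USB key name is read.

```python
import re
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
DEVICE_PROPS_GUID = "{83da6326-97a6-4088-9453-a1923f573b29}"
# Property subkeys under that GUID; each holds a FILETIME in its default value
PROP_FIRST_INSTALL, PROP_LAST_ARRIVAL, PROP_LAST_REMOVAL = "0064", "0066", "0067"


def filetime_to_datetime(data: Optional[bytes]) -> Optional[datetime]:
    if not data:
        return None
    (ft,) = struct.unpack("<Q", data[:8])
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_device_class(key_name: str) -> dict:
    """'Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00' -> type, vendor, product, revision."""
    m = re.match(r"^(?P<type>[^&]+)&Ven_(?P<vendor>[^&]*)&Prod_(?P<product>[^&]*)&Rev_(?P<revision>.*)$", key_name)
    if m is None:
        raise ValueError(f"not a USBSTOR device key: {key_name!r}")
    return m.groupdict()


def serial_is_windows_generated(serial: str) -> bool:
    """An '&' as the second character means the device reported no unique serial
    and Windows synthesised one, so it does not identify a specific physical device."""
    return len(serial) > 1 and serial[1] == "&"


def parse_vid_pid(key_name: str) -> tuple[int, int]:
    """'VID_0781&PID_5567' (an Enum\\USB key name) -> (vendor id, product id)."""
    m = re.match(r"^VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})", key_name)
    if m is None:
        raise ValueError(f"not a USB device key: {key_name!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


def parse_usbstor(usbstor: dict) -> list[dict]:
    """Flatten Enum\\USBSTOR (device class -> serial -> values/subkeys) into one row per device."""
    devices = []
    for class_name, instances in usbstor.items():
        info = parse_device_class(class_name)
        for serial, inst in instances.items():
            props = inst.get("Properties", {}).get(DEVICE_PROPS_GUID, {})
            devices.append({
                **info,
                "serial": serial,
                "generated_serial": serial_is_windows_generated(serial),
                "friendly_name": inst.get("FriendlyName"),
                "first_install": filetime_to_datetime(props.get(PROP_FIRST_INSTALL)),
                "last_arrival": filetime_to_datetime(props.get(PROP_LAST_ARRIVAL)),
                "last_removal": filetime_to_datetime(props.get(PROP_LAST_REMOVAL)),
            })
    return devices


def wpd_volume_label(serial: str, wpd_devices: dict) -> Optional[str]:
    """Windows Portable Devices\\Devices key names embed the USBSTOR id and serial;
    match on the serial to recover the volume label stored in FriendlyName."""
    for key_name, values in wpd_devices.items():
        if serial.upper() in key_name.upper():
            return values.get("FriendlyName")
    return None


# --- Constructed samples (not data from the original post) -------------------
def _ft(dt: datetime) -> bytes:
    return struct.pack("<Q", ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10)


SAMPLE_USBSTOR = {
    "Disk&Ven_SanDisk&Prod_Cruzer_Glide&Rev_1.00": {
        "4C530001130911112345&0": {
            "FriendlyName": "SanDisk Cruzer Glide USB Device",
            "Properties": {DEVICE_PROPS_GUID: {
                PROP_FIRST_INSTALL: _ft(datetime(2024, 2, 1, 9, 0, tzinfo=timezone.utc)),
                PROP_LAST_ARRIVAL: _ft(datetime(2024, 3, 15, 10, 25, tzinfo=timezone.utc)),
                PROP_LAST_REMOVAL: _ft(datetime(2024, 3, 15, 10, 58, tzinfo=timezone.utc)),
            }},
        },
    },
    "Disk&Ven_Generic&Prod_Flash_Disk&Rev_8.07": {
        # second character '&': Windows-generated id, no real serial available
        "6&2d4c7a1b&0&000000": {"FriendlyName": "Generic Flash Disk USB Device"},
    },
}
SAMPLE_WPD = {
    "SWD#WPDBUSENUM#_??_USBSTOR#DISK&VEN_SANDISK&PROD_CRUZER_GLIDE&REV_1.00#4C530001130911112345&0#"
    "{53F56307-B6BF-11D0-94F2-00A0C91EFB8B}": {"FriendlyName": "PROJECT_X"},
}
```

A device with a Windows-generated serial still yields useful arrival and removal times, but any attempt to say "this exact stick" from it should be dropped; that is why the row carries the generated_serial flag rather than silently returning the id.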
Summary
In this part of the registry forensics series, we focused on how Windows keeps track of user activity and which programs actually ran on a system. We went through the artifacts inside NTUSER.DAT and USRCLASS.DAT that show things like recently opened files, Office documents, folder views, searches, and places a user browsed. All of these pieces help us rebuild everyday user behavior with a level of detail that’s often more accurate than people expect.
After that, we moved on to execution evidence such as UserAssist, ShimCache, AmCache, and BAM/DAM. Each of these gives us different information about program launches, installation paths, timestamps, and past executions. Many of these traces survive even when attackers delete files to try to hide what they did. We finished by looking at the registry keys that log USB devices, showing which devices were connected, when they were plugged in, and the unique identifiers tied to each one.
If you're just getting started in forensics, we recommend our training, where Master OTW walks you through the techniques to find evidence of criminal activity on a computer or network.
Source: HackersArise
Source Link: https://hackers-arise.com/digital-forensics-registry-analysis-for-beginners-part-3-evidence-of-execution/