🏺 Windows Registry

πŸ–± Devices Attached

Are we looking for USB storage media activity or all USB devices? Like, cameras πŸ“Έ? Headphones 🎧?

Network History

πŸ”‘ SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures\Unmanaged πŸ”‘ SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Signatures\Managed πŸ”‘ SOFTWARE\Microsoft\WindowsNT\CurrentVersion\NetworkList\Nla\Cache Can be used to get the following data:

Search History

ACMRU β€œSearch History” on the Windows system (via Search Assistant) πŸ”‘ NTUSER.DAT\Software\Microsoft\SearchAssistant\ACMru\XXXX. Possible values of XXXX:


This is about … .

Installed Apps

Key πŸ”‘: Microsoft\Windows\CurrentVersion\Uninstall. There can be some data for programs that do not exist on the system anymore.

Jumplist Data

The Windows 7-10 taskbar (Jump List) is engineered to allow users to β€œjump” or access items they have frequently or recently used quickly and easily. This functionality not only includes recent media files; it must also include recent tasks. The data stored in the AutomaticDestinations folder will each have a unique file prepended with the AppID of the associated application.


RecentDocs πŸ”‘ NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs This key will track the order of the last 150 files or folders opened, keeping track of the temporal order in which each file/folder was opened.


Key πŸ”‘: Microsoft\Windows\CurrentVersion\Uninstall References Expand… Something here


And yet another place to check for program execution. It’s like a forensic treasure of program execution. You can see installed applications, drivers and unassociated progs. For each entry, you can see loads of metadata. You can even see the SHA1 hashes! How great is that? However, be careful; installed doesn’t mean executed!


It provides a full path of the executable file run on the system and the last execution date/time. BAM stands for Background Activity Moderator, and DAM - Desktop Activity Moderator. BAM is a “daemon master” (controls the background services), whereas DAM moderates desktop services to save energy.


To open a file, one needs to perform a delightful jaunt to a directory where those files reside. Now picture this: imagine if we could keep a journal of all the full paths of the folders visited; wouldn’t that be splendid? It so happens that this nice functionality does exist on Windows machines and ShellBags they are called. Since these folders can be located on a remote machine, a USB drive or any other external media, this artefact can be used to make assumptions about remote connections and devices attached.

ShimCache aka AppCompatCache

How often has the following happened to you? You want to run a program, but it’s not designed to run on this version of OS. Windows has a mechanism to run older programs on newer systems. Even when these “compatibility” adjustments are not required, Windows still logs the information for all the programs run.

User Assist

GUI-based programs launched from the desktop are tracked in the launcher on a Windows system.

βš™οΈ Windows Registry

Hives: C:\Documents and Settings |*\ntuser.dat C:\Users\ |*\ ntuser. dat C: \Users\ \*\ntuser.dat. LOG|* C: \ Users\ |*\ AppData\Local\Microsoft\Windows| UsrClass.