BAM and DAM

Created: 01.06.2023

This artifact provides the full path of an executable run on the system and its last execution date and time. BAM stands for Background Activity Moderator, and DAM for Desktop Activity Moderator. BAM is a "daemon master" that controls the background services, whereas DAM moderates desktop services to save energy.

📂 %SystemRoot%\system32\drivers\dam.sys

🔑 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam

🔑 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam

⛔️ Windows 10 only!

⛔️ DAM is only for phones and tablets!

Background Activity Moderator. Entries are organised by user SID. Windows apps' names could be parsed better here. Gives the last executed time ⏰ as a 64-bit little-endian value (the first 8 bytes of the registry value). It does prove program execution, and it ties that execution to a specific user. The same technique can be applied to core process analysis and to identifying rogue processes, as in RAM analysis.
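An added example, not code from the original post, that decodes per-SID BAM values the way the text describes: the value name is the executable path and the first 8 bytes are a little-endian 64-bit timestamp, assumed here to be a Windows FILETIME (100 ns ticks since 1601-01-01 UTC). The SID, the sample paths and timestamps, and the 16 zero bytes after the timestamp are constructed; the `suspicious_rows` filter is an illustrative assumption for rogue-process review, not part of the artifact format.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw: bytes) -> datetime:
    """Decode the first 8 bytes of a BAM value as a little-endian 64-bit FILETIME."""
    if len(raw) < 8:
        raise ValueError("BAM value is shorter than 8 bytes")
    (ticks,) = struct.unpack_from("<Q", raw, 0)  # 100 ns intervals since 1601-01-01 UTC
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_bam_value(when: datetime) -> bytes:
    """Build a BAM-style value: 8-byte FILETIME plus 16 zero bytes (padding is an assumption)."""
    ticks = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks) + b"\x00" * 16


def parse_bam_user_key(sid: str, values: dict) -> list:
    """Return (sid, executable path, last run) rows for one per-SID BAM key, oldest first.

    Value names that are not paths (e.g. Version, SequenceNumber) hold DWORDs,
    not timestamps, and are skipped.
    """
    rows = []
    for name, data in values.items():
        if "\\" not in name or len(data) < 8:
            continue
        rows.append((sid, name, filetime_to_datetime(data)))
    return sorted(rows, key=lambda r: r[2])


def suspicious_rows(rows, markers=("\\Users\\", "\\Temp\\", "\\AppData\\")) -> list:
    """Rows whose executable ran from a user-writable location (assumed review heuristic)."""
    return [r for r in rows if any(m.lower() in r[1].lower() for m in markers)]


# Constructed sample data standing in for one per-SID key under Services\bam.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_VALUES = {
    "Version": b"\x01\x00\x00\x00",
    "SequenceNumber": b"\x07\x00\x00\x00",
    r"\Device\HarddiskVolume3\Windows\System32\cmd.exe":
        datetime_to_bam_value(datetime(2023, 6, 1, 12, 0, 0, tzinfo=timezone.utc)),
    r"\Device\HarddiskVolume3\Users\alice\AppData\Local\Temp\updater.exe":
        datetime_to_bam_value(datetime(2023, 5, 30, 8, 15, 30, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for sid, path, ts in parse_bam_user_key(SAMPLE_SID, SAMPLE_VALUES):
        print(f"{ts.isoformat()}  {sid}  {path}")
```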
