Windows 11 shipped a forensic artifact that most triage workflows have not picked up yet.
It is a plain text file under C:\Windows\appcompat\pca, and it can tell you exactly which executable a user double-clicked, with the full path and a UTC timestamp.
What Is the PCA Launch Dictionary?
The Program Compatibility Assistant (PCA) service has existed since Vista. Its original purpose is to monitor launched applications, detect compatibility problems, and suggest fixes when older software misbehaves.
Starting with Windows 11 22H2, Microsoft added a persistent text-based tracking mechanism to support that service:
Artifact location:
C:\Windows\appcompat\pca\PcaAppLaunchDic.txt
Companion files in the same directory:
C:\Windows\appcompat\pca\PcaGeneralDb0.txt
C:\Windows\appcompat\pca\PcaGeneralDb1.txt
The PcaGeneralDb files alternate as active logs and contain additional detail about compatibility errors and application exits — useful corroborating data alongside the launch dictionary.
File Format
The file is encoded in UTF-16 LE, not UTF-8: tools that assume ASCII or UTF-8 will fail silently or produce unreadable output.
Each line contains one entry: the full executable path, a pipe separator, and a UTC timestamp.
EXAMPLE:
C:\Users\Alice\Downloads\Quarterly_Review.pdf.exe|2026-03-15 09:42:11.000
C:\Temp\tool.exe|2026-03-15 09:43:05.000
D:\AUTORUN\payload.exe|2026-03-15 09:44:22.000
That third entry is immediately significant — D:\ is a removable drive.
Scope and Limitations
The dictionary records launches that go through the Explorer shell (a double-click). It does not capture execution from:
- cmd.exe or PowerShell
- WMI or DCOM
- PsExec or remote execution
- Scheduled tasks or services
The artifact also persists after the source file is deleted.
Quick Triage — PowerShell
During live response, read the file directly (the -Encoding Unicode parameter is what selects UTF-16 LE; without it the output is garbled):
Get-Content -Path "C:\Windows\appcompat\pca\PcaAppLaunchDic.txt" -Encoding Unicode
Filter for high-interest paths:
Get-Content -Path "C:\Windows\appcompat\pca\PcaAppLaunchDic.txt" -Encoding Unicode |
Select-String -Pattern "Temp|Downloads|AppData|\\Users\\"
Copy for offline analysis:
Copy-Item -Path "C:\Windows\appcompat\pca\PcaAppLaunchDic.txt" -Destination "$env:USERPROFILE\Desktop\PcaAppLaunchDic.txt"
Python Parser for Pipeline Integration
import sys

def parse_pca(filepath):
    """Parse PcaAppLaunchDic.txt: UTF-16 LE, one 'full path|UTC timestamp' per line."""
    results = []
    # The file is UTF-16 LE; reading it as UTF-8/ASCII yields garbage.
    with open(filepath, encoding="utf-16-le", errors="replace") as f:
        for line in f:
            # Drop surrounding whitespace and a leading byte-order mark if present.
            line = line.strip().lstrip("\ufeff")
            if "|" in line:
                # Split on the last pipe so the path is kept whole.
                path, timestamp = line.rsplit("|", 1)
                results.append({"path": path.strip(), "timestamp": timestamp.strip()})
    return results

if __name__ == "__main__":
    entries = parse_pca(sys.argv[1])
    for e in entries:
        print(f"[{e['timestamp']}] {e['path']}")
Run as: python3 parse_pca.py PcaAppLaunchDic.txt
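As an added example (not code from the original post), the parser below builds on the one above: it decodes the UTF-16 LE bytes while tolerating an optional byte-order mark, parses each timestamp as UTC, and flags the three indicators the post calls out (a non-C: drive, a user-writable location, a double extension). The sample bytes are constructed from the post's example entries plus one benign launch; the flag names are my own.

```python
import re
from datetime import datetime, timezone
from pathlib import PureWindowsPath

# Constructed sample in the on-disk format: UTF-16 LE, "path|UTC timestamp" per line.
SAMPLE = (
    "C:\\Users\\Alice\\Downloads\\Quarterly_Review.pdf.exe|2026-03-15 09:42:11.000\r\n"
    "C:\\Temp\\tool.exe|2026-03-15 09:43:05.000\r\n"
    "D:\\AUTORUN\\payload.exe|2026-03-15 09:44:22.000\r\n"
    "C:\\Program Files\\7-Zip\\7zFM.exe|2026-03-14 17:01:00.000\r\n"
).encode("utf-16-le")

USER_WRITABLE = re.compile(r"\\(Temp|Downloads|AppData|Desktop|Public)\\", re.IGNORECASE)
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif"}

def parse_pca_bytes(data: bytes) -> list[dict]:
    """Decode UTF-16 LE (optional BOM tolerated) and split each line at the last pipe."""
    text = data.decode("utf-16-le", errors="replace").lstrip("\ufeff")
    entries = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        path, ts = line.rsplit("|", 1)
        when = datetime.strptime(ts.strip(), "%Y-%m-%d %H:%M:%S.%f")
        entries.append({"path": path.strip(), "timestamp": when.replace(tzinfo=timezone.utc)})
    return entries

def triage_flags(path: str) -> list[str]:
    """Return the reasons an entry deserves a closer look; an empty list means nothing notable."""
    p = PureWindowsPath(path)
    flags = []
    if p.drive.upper() != "C:":
        flags.append("non-system drive")        # e.g. D:\ removable media
    if USER_WRITABLE.search(path):
        flags.append("user-writable location")  # Downloads, Temp, AppData ...
    if len(p.suffixes) >= 2 and p.suffixes[-1].lower() in EXECUTABLE_EXT:
        flags.append("double extension")        # Quarterly_Review.pdf.exe
    return flags

def triage(data: bytes) -> list[dict]:
    """Parse, flag, and sort chronologically so the launch sequence reads top to bottom."""
    out = [dict(e, flags=triage_flags(e["path"])) for e in parse_pca_bytes(data)]
    return sorted(out, key=lambda e: e["timestamp"])

if __name__ == "__main__":
    for e in triage(SAMPLE):
        mark = ", ".join(e["flags"]) or "-"
        print(f"{e['timestamp']:%Y-%m-%d %H:%M:%S}Z  {e['path']}  [{mark}]")
```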
Investigative Value — A Practical Scenario
A workstation is flagged in a phishing incident. The email attachment is gone. The downloaded file is gone. The user insists they only previewed a document.
You check PcaAppLaunchDic.txt and find:
C:\Users\Alice\Downloads\Quarterly_Review.pdf.exe|2026-03-15 09:42:11.000
Where This Fits in the Execution Artifact Stack
The PCA launch dictionary doesn't replace the standard execution artifact set — it adds to it. Correlation is where the value compounds:
| Artifact | Location | Covers CLI execution? | Survives file deletion? |
|---|---|---|---|
| PcaAppLaunchDic.txt | C:\Windows\appcompat\pca\ | No (Explorer only) | Yes |
| Prefetch | C:\Windows\Prefetch\ | Yes | Yes |
| Amcache | C:\Windows\AppCompat\Programs\Amcache.hve | Yes | Yes (SHA-1 retained) |
| BAM | SYSTEM hive – bam\State\UserSettings | Yes (background) | Yes |
| UserAssist | NTUSER.DAT – UserAssist\Count | No (GUI only) | Yes |
Worth adding to your standard Windows 11 triage checklist.