One of the most consistent questions I get is: "Where do I look to prove a program ran on a system?" This is the right question. Execution artifacts are the backbone of any Windows investigation: they tell you what ran, when, how many times, and sometimes from where. Below is a practitioner's reference covering the key artifact locations for Windows:
Prefetch
Path: C:\Windows\Prefetch\*.pf
Prefetch files are created by the Windows Superfetch/prefetch service to speed up application launches. Each .pf file records the executable name, run count, last eight run times (Windows 8+), and file system resources referenced during load. This is gold for proving execution — even if the binary has been deleted, the prefetch file may still exist.
- Enabled by default on workstations; disabled by default on Windows Server — check HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
- Files are named EXECUTABLENAME-HASH.pf, where the hash is computed from the full launch path
- Tool: PECmd (Eric Zimmerman) — parses single files or entire directories and outputs to CSV/JSON for timeline ingestion
Teaching point for students: A deleted executable with a remaining prefetch file is a classic indicator of anti-forensic activity. The prefetch hash also lets you distinguish between two executables with the same name launched from different paths.
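As an added example (not code from the original post), a small Python triage check that applies the teaching point above to a Prefetch directory listing: it splits each EXECUTABLENAME-HASH.pf name and flags executables that appear with more than one path hash. Hosting processes such as svchost.exe fold their command line into the hash, so several .pf files for them are normal and the check skips them; the file names in the sample are constructed.

```python
import re
from collections import defaultdict

# Prefetch names follow EXECUTABLENAME-HASH.pf; HASH is eight hex digits derived
# from the full launch path, so one name with two hashes means two launch paths.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)

# Hosting processes fold their command line into the hash, so several .pf files
# for them are normal and would only create noise in this check.
HOSTING_PROCESSES = {"SVCHOST.EXE", "DLLHOST.EXE", "RUNDLL32.EXE", "MMC.EXE"}

def parse_pf_name(filename):
    """Split a prefetch file name into (EXECUTABLE, HASH); None if not a .pf name."""
    m = PF_NAME.match(filename)
    if not m:
        return None
    return m.group("exe").upper(), m.group("hash").upper()

def find_same_name_different_path(filenames):
    """Return {EXECUTABLE: sorted hashes} for names seen with more than one path hash."""
    by_exe = defaultdict(set)
    for name in filenames:
        parsed = parse_pf_name(name)
        if parsed and parsed[0] not in HOSTING_PROCESSES:
            by_exe[parsed[0]].add(parsed[1])
    return {exe: sorted(hs) for exe, hs in by_exe.items() if len(hs) > 1}

# Constructed listing of C:\Windows\Prefetch (names and hashes are made up).
SAMPLE_LISTING = [
    "UPDATER.EXE-1A2B3C4D.pf",     # same name, two different launch paths
    "UPDATER.EXE-9F8E7D6C.pf",
    "SVCHOST.EXE-11111111.pf",     # hosting process: multiple hashes expected
    "SVCHOST.EXE-22222222.pf",
    "NOTEPAD.EXE-ABCDEF01.pf",
    "AgAppLaunch.db",              # the directory also holds non-.pf files
]

if __name__ == "__main__":
    for exe, hashes in find_same_name_different_path(SAMPLE_LISTING).items():
        print(f"{exe}: launched from {len(hashes)} distinct paths ({', '.join(hashes)})")
```

Point the same function at `os.listdir(r"C:\Windows\Prefetch")` on an image mount to run it against real data; each flagged name is a lead to confirm with PECmd, not a finding on its own.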
Shimcache (AppCompatCache)
Registry key: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
Hive file: C:\Windows\System32\config\SYSTEM
Shimcache records entries for executables that have interacted with the Application Compatibility database. It tracks the file path, last modified timestamp, and (on older systems) a flag indicating whether the file was actually executed. Important caveat: on Windows 10/11, the executed flag is no longer reliably present — presence in shimcache indicates the file was visible to the OS, not necessarily run.
- Entries are written to the registry at shutdown, not in real time — data in memory may not be captured from a live system unless you dump the hive
- Tool: AppCompatCacheParser (Eric Zimmerman) — exports to CSV; correlate timestamps with your master timeline
Amcache
Path: C:\Windows\AppCompat\Programs\Amcache.hve
Amcache is a registry hive (not a flat registry key) that stores metadata about installed applications and recently executed programs. Unlike Shimcache, Amcache records SHA-1 hashes of executables — invaluable for malware identification and hash-based threat hunting.
- Key subkeys: Root\InventoryApplication, Root\InventoryApplicationFile, Root\Programs
- Records: full file path, SHA-1, compile time, PE metadata, and first execution timestamp
- Tool: AmcacheParser (Eric Zimmerman)
BAM / DAM (Background Activity Moderator)
Registry key: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}
Hive file: C:\Windows\System32\config\SYSTEM
BAM is a Windows 10 (build 1709+) kernel driver that throttles background application activity. As a forensic side effect, it records the last execution time of background processes per user SID — one of the few artifacts that gives you user-attributed execution timestamps in a single registry location.
- Values are stored as binary data; the timestamp is a 64-bit FILETIME value at offset 0
- Particularly useful for lateral movement investigations — remote execution artifacts (psexec, scheduled tasks) often appear here
LNK Files (Shell Link)
Path: C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\*.lnk
Windows automatically creates LNK shortcut files when a user opens a file or folder. Each LNK records the target file's path, MAC timestamps, file size, volume serial number, and even the target system's NetBIOS name and MAC address if opened over a network share.
- Network-originated LNK files can reveal attacker infrastructure (UNC paths, internal hostnames)
- Tool: LECmd (Eric Zimmerman)
Jump Lists
Path (Automatic): C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\*.automaticDestinations-ms
Path (Custom): C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\*.customDestinations-ms
Jump lists are OLE structured storage files that track recently and frequently accessed files per application (identified by AppID). They contain embedded LNK entries — giving you all the same metadata described above, but organized by the application that opened them.
- AppID mapping resources are publicly available to correlate AppIDs to application names
- Tool: JLECmd (Eric Zimmerman)
UserAssist
Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Hive file: C:\Users\<username>\NTUSER.DAT
UserAssist records GUI-launched applications (those opened through Explorer, desktop shortcuts, or the Start Menu). Values are ROT-13 encoded — a trivial obfuscation but one that trips up manual review. Data includes run count and last execution timestamp.
- Does not capture command-line execution — pair with Prefetch and BAM to get full coverage
- Tool: RegRipper plugin userassist
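The BAM and UserAssist sections above both come down to decoding a FILETIME out of a binary registry value, so here is one added Python example (not from the original post) that handles both: the BAM value with its 64-bit FILETIME at offset 0, and a UserAssist Count entry with its ROT-13 value name, run count at offset 4 and last-execution FILETIME at offset 60 (the Windows 7+ 72-byte layout). The value names and data bytes are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def utc_to_filetime(dt):
    """Inverse of filetime_to_utc; used here only to build the constructed samples."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def parse_bam_value(data):
    """BAM value under bam\\State\\UserSettings\\{SID}: last-run FILETIME at offset 0."""
    if len(data) < 8:
        raise ValueError("BAM value shorter than a FILETIME")
    return filetime_to_utc(struct.unpack_from("<Q", data, 0)[0])

def parse_userassist(value_name, data):
    """Decode one UserAssist ...\\Count entry (Windows 7+ 72-byte layout).

    The value name is ROT-13 of the program path; the data carries the run
    count at offset 4 and the last-execution FILETIME at offset 60 (zero when
    Windows never recorded a run time).
    """
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    program = codecs.decode(value_name, "rot_13")
    run_count = struct.unpack_from("<I", data, 4)[0]
    ft = struct.unpack_from("<Q", data, 60)[0]
    return program, run_count, (filetime_to_utc(ft) if ft else None)

# Constructed sample values (not taken from a real system).
_T = datetime(2024, 3, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_BAM_NAME = r"\Device\HarddiskVolume3\Windows\System32\cmd.exe"
SAMPLE_BAM_DATA = struct.pack("<Q", utc_to_filetime(_T)) + b"\x00" * 16
SAMPLE_UA_NAME = codecs.encode(r"C:\Tools\triage.exe", "rot_13")  # stored ROT-13
SAMPLE_UA_DATA = (struct.pack("<IIII", 0, 7, 3, 1500)  # session, run count, focus count, focus ms
                  + b"\x00" * 44
                  + struct.pack("<Q", utc_to_filetime(_T))
                  + b"\x00" * 4)

if __name__ == "__main__":
    print("BAM", SAMPLE_BAM_NAME, parse_bam_value(SAMPLE_BAM_DATA).isoformat())
    print("UserAssist", *parse_userassist(SAMPLE_UA_NAME, SAMPLE_UA_DATA))
```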
Quick Reference Table
| Artifact | Location | Key Data Points | Tool |
|---|---|---|---|
| Prefetch | C:\Windows\Prefetch\ | Run count, last 8 timestamps, referenced files | PECmd |
| Shimcache | SYSTEM hive – AppCompatCache | File path, last modified time | AppCompatCacheParser |
| Amcache | C:\Windows\AppCompat\Programs\Amcache.hve | SHA-1, first exec time, PE metadata | AmcacheParser |
| BAM | SYSTEM hive – bam\State\UserSettings | Last execution time per SID | Manual / RegRipper |
| LNK Files | %APPDATA%\Microsoft\Windows\Recent\ | Target path, MAC times, volume serial, MAC addr | LECmd |
| Jump Lists | %APPDATA%\...\AutomaticDestinations\ | Per-app recent files, embedded LNK data | JLECmd |
| UserAssist | NTUSER.DAT – UserAssist\Count | Run count, last exec (GUI only) | RegRipper |
Workflow Recommendation
For triaging a Windows endpoint, I recommend KAPE to pull and parse all of the above.
The outputs drop into CSV
Drop any questions in the comments — happy to dig into specific scenarios with any of these artifacts.