Execution Artifacts


Prefetch

Description: A prefetch file is created the first time an executable is run, whether it is launched from a file or from a console; it does not exist beforehand. Windows uses it so that the program starts faster the next time.

Important Information:

  • DLLHOST.EXE-5E46FA0D // DLLHOST.EXE-5E46123: A different hash at the end of the prefetch filename can mean that the program was run from a different path or with different parameters. If you see several svchost.exe prefetch files with different hash values, svchost.exe was most likely run with different -k FUNCTIONNAME parameters, for example “-k netsvcs” and “-k LocalService NetworkRestricted”.
  • The prefetch file can appear up to about 8 seconds after the program starts, because the prefetcher first has to finish tracing the launch. Keep that in mind when correlating timestamps.
  • Prefetch files are not required by the system, so they can be deleted without causing any problems.

Path: C:\Windows\Prefetch\*.pf

Analysis:

  • Created timestamp: Indicates the first start. (Local Time)
  • Modified timestamp // Last run: Indicates the last start. (Local Time)
  • Used DLLs with path.

Software: PECmd.exe (EZ)
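The two points above (one .pf file per executable/hash combination, created = first run, modified = last run) can be checked across a whole Prefetch directory listing. The following is an added example, not part of the original page and not tool code from any project: it groups .pf filenames by executable, keeps the earliest created and latest modified timestamp per executable, and lists executables that appear with more than one path/parameter hash. The sample listing is constructed; in practice the timestamps would come from the .pf files' metadata.

```python
import re
from datetime import datetime

# Prefetch filenames look like NAME.EXE-<8 hex digits>.pf
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)


def summarize_prefetch(entries):
    """Group prefetch files by executable name.

    entries: iterable of (filename, created, modified); created/modified are
    datetime objects taken from the .pf file's metadata (first run / last run).
    Returns {EXE: {"hashes": [...], "first_run": datetime, "last_run": datetime}}.
    """
    summary = {}
    for name, created, modified in entries:
        m = PF_NAME.match(name)
        if not m:
            continue  # not a prefetch file, ignore
        exe = m.group("exe").upper()
        rec = summary.setdefault(
            exe, {"hashes": set(), "first_run": created, "last_run": modified}
        )
        rec["hashes"].add(m.group("hash").upper())
        rec["first_run"] = min(rec["first_run"], created)
        rec["last_run"] = max(rec["last_run"], modified)
    for rec in summary.values():
        rec["hashes"] = sorted(rec["hashes"])
    return summary


def multi_hash_executables(summary):
    """Executables that were run from more than one path or with different parameters."""
    return sorted(exe for exe, rec in summary.items() if len(rec["hashes"]) > 1)


# Constructed sample listing (not taken from a real system)
SAMPLE = [
    ("SVCHOST.EXE-1A2B3C4D.pf", datetime(2024, 1, 5, 8, 0), datetime(2024, 3, 1, 9, 30)),
    ("SVCHOST.EXE-5E6F7A8B.pf", datetime(2024, 1, 5, 8, 1), datetime(2024, 2, 20, 12, 0)),
    ("NOTEPAD.EXE-9F0E1D2C.pf", datetime(2024, 2, 2, 10, 0), datetime(2024, 2, 2, 10, 0)),
    ("README.TXT", datetime(2024, 1, 1), datetime(2024, 1, 1)),
]

if __name__ == "__main__":
    s = summarize_prefetch(SAMPLE)
    for exe, rec in s.items():
        print(exe, rec["hashes"], rec["first_run"], rec["last_run"])
    print("multiple hashes:", multi_hash_executables(s))
```

To run it against a live directory, build the entries list with os.scandir over C:\Windows\Prefetch and the st_ctime/st_mtime of each file; the function itself never touches the disk.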


Background Activity Moderator (BAM)

Description: The “Background Activity Moderator” (BAM) is a feature in Windows that is part of the operating system’s power management system. It was designed to improve energy efficiency and extend battery life, particularly on mobile devices such as laptops and tablets.

Important Information:

  • N/A

Registry: HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\

Analysis:

  • Timestamp: Indicates the last background start for programs. (UTC)

Software: RegRipper (Plugin: bam)


Application Compatibility Cache (“AppCompatCache”) / Shimcache

Description: The Shimcache (AppCompatCache) checks whether a program is still compatible with the system before it is launched, updated, or renamed.

Important Information:

  • The cache is only written to the registry when the system is shut down.

Registry: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Analysis:

  • Modified timestamp: Indicates the last interaction with the program (start, update, or rename). (UTC)

Software: RegRipper (Plugin: shimcache, appcompatcache), AppCompatCache.exe (EZ)


AmCache

No longer an execution artifact in Windows 11

Description: The Amcache hive contains information about installed executables, installers, drivers, and shortcuts.

Important Information:

  • The information is written via TaskScheduler -> Microsoft -> Windows -> Application Experience -> Microsoft Compatibility Appraiser.
  • The SHA1 hash value covers only the first 30 megabytes of an executable, not the full file.
  • The file key last written time is not the execution time.

Path: C:\Windows\AppCompat\Programs\Amcache.hve

Analysis:

  • Full path to the executable file.
  • Software version.
  • SHA1 hash value.

Software: RegRipper (Plugin: amcache), AmcacheParser.exe (EZ)
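Because the Amcache SHA1 covers only the first 30 megabytes, hashing a large binary with a normal tool will not match the stored value. The following added example (not from the original page or from any parser project) computes the hash the same way so the analyst can compare it with the Amcache entry. It assumes that 30 megabytes means 30 MiB (31,457,280 bytes) and that the stored FileId is the SHA1 prefixed with four zero characters; both are assumptions to verify against your parser's output.

```python
import hashlib

# Assumption: Amcache hashes at most the first 30 MiB of a file.
AMCACHE_HASH_LIMIT = 30 * 1024 * 1024


def amcache_sha1_bytes(data: bytes) -> str:
    """SHA1 over at most the first 30 MiB of in-memory data."""
    return hashlib.sha1(data[:AMCACHE_HASH_LIMIT]).hexdigest()


def amcache_sha1_file(path: str) -> str:
    """Same as above, streamed from disk so large binaries are not fully loaded."""
    h = hashlib.sha1()
    remaining = AMCACHE_HASH_LIMIT
    with open(path, "rb") as f:
        while remaining > 0:
            chunk = f.read(min(1024 * 1024, remaining))
            if not chunk:
                break
            h.update(chunk)
            remaining -= len(chunk)
    return h.hexdigest()


def matches_amcache(file_hash: str, amcache_value: str) -> bool:
    """Compare a computed hash with the value stored in Amcache.

    Assumption: the stored FileId is "0000" followed by the 40-character SHA1.
    """
    v = amcache_value.strip().lower()
    if len(v) == 44 and v.startswith("0000"):
        v = v[4:]
    return v == file_hash.strip().lower()


if __name__ == "__main__":
    # Constructed data: a 31 MiB buffer hashes the same as its first 30 MiB
    big = b"\0" * (31 * 1024 * 1024)
    print(amcache_sha1_bytes(big) == amcache_sha1_bytes(big[:AMCACHE_HASH_LIMIT]))
```

A mismatch between amcache_sha1_file() and the Amcache value for the same path therefore points at a file that changed after the appraiser task recorded it, not at a hashing error.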


Shortcut (LNK) Files

Description: Shortcut files are created automatically by Windows or manually by a user; Windows creates one when a user opens or otherwise interacts with a file.

Important Information:

  • In Windows 10 and higher, shortcuts can be created automatically without user interaction.
  • An .lnk file still exists after the original file has been deleted.

Path:

  • C:\Users\%USER%\AppData\Roaming\Microsoft\Windows\Recent\*
  • C:\Users\%USER%\AppData\Roaming\Microsoft\Office\Recent\*

Registry:

  • HKU\%USER%\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps\
  • HKU\%USER%\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\JumplistData\ (Windows 11)

Analysis:

  • Timestamps of the source .lnk file. (created, modified, accessed) (UTC)
    • The modified timestamp is updated when the target file is opened; the contents of the file do not need to change.
    • The access timestamp is updated after any interaction with the file.
  • Timestamps of the original file. (created, modified, accessed) (UTC)
    • The access timestamp is updated after interaction with the file.

Software: ExifTool (shows detailed information about the .lnk file and the original file), LECmd.exe (EZ)

Reference: MS-SHLLINK specification, https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-shllink/16cb4ca1-9339-4d0c-a68d-bf1d6cc0f943?redirectedfrom=MSDN
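The "timestamps of the original file" listed above are stored inside the .lnk file itself, in the ShellLinkHeader defined by the MS-SHLLINK specification, as 64-bit FILETIME values (100-nanosecond ticks since 1601-01-01 UTC). The following added example (not from the original page, ExifTool or LECmd) builds a constructed header, parses it back and converts the three FILETIME fields to UTC datetimes; the header layout (76 bytes, fixed CLSID) is taken from the specification, the sample values are made up. It only reads the header, so the .lnk file's own filesystem timestamps (the first bullet above) are not covered here.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader (MS-SHLLINK 2.1): HeaderSize, LinkCLSID, LinkFlags, FileAttributes,
# CreationTime, AccessTime, WriteTime, FileSize, IconIndex, ShowCommand, HotKey,
# Reserved1, Reserved2, Reserved3 -- 76 bytes, little endian.
HEADER_FMT = "<I16sIIQQQIIIHHII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 76
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601) -> aware UTC datetime; 0 means 'not set'."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware UTC datetime -> FILETIME, computed with integers to avoid float rounding."""
    td = dt - EPOCH_1601
    micros = (td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds
    return micros * 10


def is_shell_link(data):
    """True if data starts with a valid ShellLinkHeader (size 0x4C and the LNK CLSID)."""
    if len(data) < HEADER_SIZE:
        return False
    size, clsid = struct.unpack_from("<I16s", data, 0)
    return size == HEADER_SIZE and clsid == LNK_CLSID


def parse_lnk_header(data):
    """Return the target file's timestamps and size from a .lnk header."""
    if not is_shell_link(data):
        raise ValueError("not a shell link header")
    (_size, _clsid, flags, attrs, ctime, atime, wtime, fsize,
     _icon, _show, _hotkey, _r1, _r2, _r3) = struct.unpack_from(HEADER_FMT, data, 0)
    return {
        "target_created": filetime_to_datetime(ctime),
        "target_accessed": filetime_to_datetime(atime),
        "target_modified": filetime_to_datetime(wtime),
        "target_size": fsize,
        "link_flags": flags,
        "file_attributes": attrs,
    }


def build_lnk_header(created, accessed, modified, size):
    """Construct a minimal header (test data only; a real .lnk has more structures after it)."""
    return struct.pack(HEADER_FMT, HEADER_SIZE, LNK_CLSID, 0, 0x20,  # 0x20 = FILE_ATTRIBUTE_ARCHIVE
                       datetime_to_filetime(created), datetime_to_filetime(accessed),
                       datetime_to_filetime(modified), size, 0, 1, 0, 0, 0, 0)


# Constructed sample: target created, then modified, then accessed
SAMPLE_LNK = build_lnk_header(
    datetime(2024, 3, 1, 9, 15, 30, tzinfo=timezone.utc),
    datetime(2024, 3, 5, 14, 2, 0, tzinfo=timezone.utc),
    datetime(2024, 3, 3, 11, 45, 10, tzinfo=timezone.utc),
    12345,
)

if __name__ == "__main__":
    for k, v in parse_lnk_header(SAMPLE_LNK).items():
        print(k, v)
```

To apply it to a real shortcut, pass the first 76 bytes of the file to parse_lnk_header(); the timestamps come back as UTC, matching the UTC note in the analysis list.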


Program Compatibility Assistant (PCA)

Description: The Program Compatibility Assistant (PCA) is a feature in Windows that allows end users to run desktop apps that were developed for earlier versions of Windows.

Important Information:

  • N/A

Path: C:\Windows\appcompat\pca\PcaAppLaunchDic.txt

Analysis:

  • Full path of an executable file.
  • Last execution timestamp. (UTC)

Software: Notepad++
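PcaAppLaunchDic.txt is plain text, which is why Notepad++ is enough to read it, but a small parser makes it easier to build a timeline. The following is an added example, not from the original page or from any tool; it assumes one entry per line in the form "<full path>|<YYYY-MM-DD HH:MM:SS.fff>", with the timestamp in UTC as stated above. Verify that assumption against a real file before relying on it. The sample lines are constructed.

```python
from datetime import datetime, timezone


def parse_pca_app_launch_dic(text):
    """Parse PcaAppLaunchDic.txt content into [(full_path, last_launch_utc), ...].

    Assumed format: '<full path>|<YYYY-MM-DD HH:MM:SS.fff>' per line, UTC.
    """
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        # rpartition: the separator is the last '|', so a '|' inside the path would not break parsing
        path, sep, ts = line.rpartition("|")
        if not sep:
            raise ValueError(f"line {lineno}: missing '|' separator")
        ts = ts.strip()
        try:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        except ValueError:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")  # tolerate missing fraction
        entries.append((path, when.replace(tzinfo=timezone.utc)))
    return entries


def last_launch_by_name(entries):
    """Map lowercase executable basename -> latest launch timestamp across all paths."""
    out = {}
    for path, when in entries:
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name not in out or when > out[name]:
            out[name] = when
    return out


# Constructed sample content (not from a real system)
SAMPLE = """C:\\Program Files\\Example\\setup.exe|2024-02-10 08:45:12.341
C:\\Users\\alice\\Downloads\\tool.exe|2024-02-11 17:03:55.002
D:\\portable\\tool.exe|2024-02-12 09:00:00.000
"""

if __name__ == "__main__":
    for path, when in sorted(parse_pca_app_launch_dic(SAMPLE), key=lambda e: e[1]):
        print(when.isoformat(), path)
```

Sorting the entries by timestamp gives a last-execution timeline that can be lined up with Prefetch last-run times and BAM entries, which use UTC as well.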


MUICache

Description: The primary purpose of the MUI Cache is to enhance the user experience by providing a list of recently used applications with user-friendly names. This makes it easier for users to recognize and relaunch applications.

Important Information:

  • There are no execution timestamps, but the presence of an entry means the file has been executed.

Path:

  • C:\Users\%USER%\AppData\Local\Microsoft\Windows\UsrClass.dat
  • C:\Users\%USER%\AppData\NTUser.dat

Registry: HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\

Analysis:

  • Executable name, user-friendly name

Software: RegRipper (Plugin: muicache), Registry Explorer


SRUM

Description: The primary purpose of srum.dat is to track and manage resource utilization on a per-application basis. This includes tracking CPU, network, and energy usage among other metrics. It helps the operating system provide insights and optimizations for power efficiency and performance.

Important information:

  • N/A

Path: C:\Windows\System32\sru\SRUDB.dat

Analysis:

  • End Time: When an executable was last closed.
  • How long an application has been used by a user.
  • How much data has been transferred for an application.

Software: SrumECmd.exe (EZ)