Hello Reader,
One of the things I've been waiting for is an AI model to have enough of a context window (space to hold an entire thought) to list out forensic artifacts by type, so that it could assist in creating DFIR training materials and cheat sheets. Google Gemini has always claimed one of the largest context windows at 2.5 million, so I thought I'd put it to the test and see how many Windows 11 artifacts of execution it would list.
Here is the result:
Okay, here is a table outlining Windows 11 forensic artifacts related to program execution, based on your requirements.
Important Notes:
- Retention: Retention periods can be highly variable. Defaults are often overwritten based on usage (e.g., Prefetch, Shimcache) or log size/policy (Event Logs). Specific configurations can significantly alter these durations.
- Tool Links: Links point to the general tool pages or repositories. You'll typically download the suite and use the specific executable mentioned.
- Activation: Some artifacts, particularly specific Event Log IDs, require specific audit policies to be enabled before the activity occurs to be logged.
| Artifact Name | Description | Windows Versions | Parsing Tool (Zimmerman Preferred) | Blog Link (HECFBlog Preferred) | Triggering Activity | Data Retention Duration |
|---|---|---|---|---|---|---|
| Prefetch (.pf) | Files created to speed up application loading. Contain executable name, run count, last run timestamps (up to 8), file/directory resources loaded. Location: C:\Windows\Prefetch | XP, Vista, 7, 8, 10, 11 (Format versions vary) | PECmd.exe (by Eric Zimmerman) | Revisiting Prefetch File Analysis (HECFBlog) | Executing a program. Primarily tracks the first few launches and subsequent launches after significant system changes. | Limited number of files (e.g., 1024 on Win 10/11). Oldest files are deleted on a FIFO (First-In, First-Out) basis. |
| Amcache.hve | Registry hive tracking application installations and executions. Contains program path, SHA1 hash, first execution time (via associated File entries), install date. Location: C:\Windows\AppCompat\Programs\Amcache.hve | Windows 7 (limited), 8, 10, 11 | AmcacheParser.exe (by Eric Zimmerman) | Amcache.hve In-Depth Analysis (HECFBlog) | Program execution, application installation/uninstallation. Updated by Application Experience service. | Persists long-term, but specific entries can be updated or potentially overwritten over time. Not strictly time-limited. |
| Shimcache (AppCompatCache) | Registry cache storing executable metadata (file path, last modified time, file size) to check for compatibility shims. Indicates potential execution or file system interaction. Location: SYSTEM registry hive. | XP, Vista, 7, 8, 10, 11 | AppCompatCacheParser.exe (by Eric Zimmerman) or Registry Explorer/RECmd.exe | The Evolution of AppCompatCache (HECFBlog) | Program execution, browsing directories containing executables, service starts. Not definitive proof of execution. | Limited cache size (e.g., 1024 entries). Oldest entries are overwritten, typically cycled on reboot/shutdown. |
| UserAssist | Registry keys within NTUSER.DAT tracking GUI-based program launches. Records executable/shortcut name, run count, last run time (encoded). Location: NTUSER.DAT hive. | XP, Vista, 7, 8, 10, 11 | Registry Explorer / RECmd.exe (by Eric Zimmerman) | Decoding UserAssist Keys Manually (HECFBlog) | Launching applications via the GUI (Start Menu, shortcuts, Explorer). | Persists within the user profile. Entries are updated with subsequent launches. No automatic age-out. |
| RecentApps | Registry keys within NTUSER.DAT tracking recently launched applications (especially UWP/modern apps), often linked to Start Menu/Taskbar recent lists. Records AppID, executable path, last launch time, launch count. Location: NTUSER.DAT hive. | Windows 10, 11 | Registry Explorer / RECmd.exe (by Eric Zimmerman) | RecentApps Registry Key (HECFBlog) | Launching an application, particularly UWP apps or those integrated with modern UI elements. | Persists within the user profile. May have an internal limit on the number of tracked apps. |
| BAM/DAM (Background/Desktop Activity Moderator) | Service controlling background activity. Logs executed program paths and last execution timestamps per user. Location: SYSTEM registry hive. | Windows 10 (v1709+), 11 | Registry Explorer / RECmd.exe (by Eric Zimmerman) | BAM! What is it good for?! (HECFBlog) | Program execution. Records the timestamp of the last known execution monitored by the service. | Persists within the SYSTEM hive. Older entries may be overwritten based on system activity. Not strictly time-based. |
| SRUM (System Resource Usage Monitor) | Database tracking resource usage, including process execution times, network usage per app, bytes read/written. Provides context (user SID) and duration. Location: C:\Windows\System32\sru\SRUDB.dat | Windows 8, 8.1, 10, 11 | SrumECmd.exe (by Eric Zimmerman) | SRUM Dump(ing) and Pars(ing) (HECFBlog) | Program execution, network activity, system usage. Records data periodically (e.g., hourly). | Typically retains data for 30-60 days by default before older records are purged. |
| Windows Event Logs (Process Creation - Security ID 4688) | Records process creation events, including executable name, path, parent process, user context, Process ID. Command line logging requires separate policy. Location: C:\Windows\System32\winevt\Logs\Security.evtx | Vista, 7, 8, 10, 11 (Requires Audit Policy enabled) | EvtxECmd.exe (by Eric Zimmerman) | Event ID 4688 and 4689 Necessity (HECFBlog) | Creation of a new process. Requires 'Audit Process Creation' security policy to be enabled. | Dependent on log size configuration. Oldest events are overwritten when log is full unless configured otherwise (e.g., archive). |
| ActivitiesCache.db (Windows Timeline) | SQLite database storing user activities (app launches, files opened, web browsing) for the Timeline feature. Can sync across devices. Location: Users\<user>\AppData\Local\ConnectedDevicesPlatform\<profile_dir>\ActivitiesCache.db | Windows 10 (v1803+), 11 | WxTCmd.exe (by Eric Zimmerman) | Introducing WxTCmd (HECFBlog) | User interacts with applications, documents, or websites that integrate with Windows Timeline. | Default local retention often around 30 days, but synced cloud data may persist longer. Database entries persist until pruned/deleted. |
| Jump Lists (.automaticDestinations-ms, .customDestinations-ms) | Files storing recently accessed files/locations per application for Taskbar/Start Menu jump lists. Indicates application usage and file interaction. Location: Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\ | Windows 7, 8, 10, 11 | JLECmd.exe (by Eric Zimmerman) | Jump Lists - The Other White Meat! (Journey Into Incident Response) (Classic post, not HECFBlog) | User interacting with an application, opening files, or accessing locations through it. | Persists within the user profile. Number of entries/files managed by Windows/apps. |
| Shortcut Files (.lnk) | Files created by users or applications linking to other files/programs. Metadata can show evidence of the target file/program existing and potentially being accessed via the link. Location: Various (Desktop, Recent Items, etc.) | All Windows versions | LECmd.exe (by Eric Zimmerman) | LNK Files - What They Are Good For... (HECFBlog) | Creation of a shortcut; accessing the shortcut (updates timestamps). Access indicates intent or actual execution of target. | Persists until deleted. Timestamps update upon access. |
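Since the table only says UserAssist values are "encoded" and BAM stores "last execution timestamps", here is a small Python decoder for those two registry artifacts as a worked example. This is added code for the cheat sheet, not part of Gemini's output and not taken from the Zimmerman tools named above. The value layouts (ROT13 value names and the 72-byte Win7+ UserAssist record with the last-run FILETIME at offset 0x3C; the 24-byte BAM record with the FILETIME in its first 8 bytes), the UserAssist subkey GUIDs and the `decode_samples` helper are assumptions drawn from the commonly documented formats, and every registry value below is constructed inline rather than read from a live hive.

```python
"""Decode UserAssist (NTUSER.DAT) and BAM (SYSTEM) values.

Added example with constructed input; offsets follow the commonly documented
layouts and are assumptions, not something the table above states.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Assumed well-known UserAssist subkeys under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\<GUID>\Count
USERASSIST_EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"  # executable launches
USERASSIST_LNK_GUID = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"  # shortcut launches


def filetime_to_datetime(ft: int):
    """Convert a 64-bit FILETIME to an aware UTC datetime; 0 means 'never recorded'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed samples."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_userassist_value(value_name: str, data: bytes) -> dict:
    """Parse one Win7+ UserAssist value (72 bytes, assumed layout):
    0x00 session id, 0x04 run count, 0x08 focus count, 0x0C focus time (ms),
    0x10..0x37 ten floats, 0x38 unknown, 0x3C last-run FILETIME, 0x44 unknown.
    The value name is ROT13, which also rotates the hex letters of any GUID prefix."""
    if len(data) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(data)}, want 72")
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 0x3C)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(last_run_ft),
    }


def parse_bam_value(value_name: str, data: bytes):
    """Parse one value under SYSTEM\\...\\Services\\bam\\State\\UserSettings\\<SID>.
    Path-named values hold a 24-byte record whose first 8 bytes are the FILETIME
    (assumed layout); 'Version' and 'SequenceNumber' are bookkeeping and return None."""
    if len(data) < 8 or not value_name.startswith("\\"):
        return None
    (ft,) = struct.unpack_from("<Q", data, 0)
    return {"path": value_name, "last_run": filetime_to_datetime(ft)}


# --- constructed samples (fabricated for this example, not real artifacts) ---
SAMPLE_UA_LAST_RUN = datetime(2024, 5, 6, 12, 30, 15, tzinfo=timezone.utc)
SAMPLE_UA_PLAIN_NAME = "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\\cmd.exe"  # System32 folder GUID
SAMPLE_UA_NAME = codecs.encode(SAMPLE_UA_PLAIN_NAME, "rot_13")
SAMPLE_UA_DATA = (
    struct.pack("<4I", 0, 7, 3, 4500)            # session, run count, focus count, focus ms
    + b"\x00" * 40                                # ten floats, ignored here
    + struct.pack("<I", 0)                        # unknown
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_UA_LAST_RUN))
    + struct.pack("<I", 0)                        # unknown
)

SAMPLE_BAM_LAST_RUN = datetime(2024, 5, 7, 8, 0, 0, tzinfo=timezone.utc)
SAMPLE_BAM_VALUES = {
    "Version": struct.pack("<I", 1),
    "SequenceNumber": struct.pack("<I", 42),
    "\\Device\\HarddiskVolume3\\Windows\\System32\\cmd.exe":
        struct.pack("<Q", datetime_to_filetime(SAMPLE_BAM_LAST_RUN)) + b"\x00" * 16,
}


def decode_samples():
    """Decode the constructed samples; returns (userassist_record, [bam_records])."""
    ua = parse_userassist_value(SAMPLE_UA_NAME, SAMPLE_UA_DATA)
    bam = [r for n, d in SAMPLE_BAM_VALUES.items() if (r := parse_bam_value(n, d))]
    return ua, bam


if __name__ == "__main__":
    ua_rec, bam_recs = decode_samples()
    print("UserAssist:", ua_rec)
    for rec in bam_recs:
        print("BAM:", rec)
```

To run it against a real system, export the raw value bytes from the `UserAssist\<GUID>\Count` keys in NTUSER.DAT and from the per-SID `bam\State\UserSettings` key in the SYSTEM hive (Registry Explorer or RECmd will show both) and pass each name/data pair to the matching parser; note that the UserAssist timestamp is the last launch only, so the run count is the only hint of earlier launches.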
I think it did a pretty good job! Here is a link to a Google Sheets version:
https://docs.google.com/spreadsheets/d/1u9cUwzHlpOKkE4vBfziQQT24bCHeDLJ8nBeXjGevqSk/edit?usp=sharing