Artifact Name | Description | Windows Versions | Parsing Tool (Zimmerman Preferred) | Blog Link (HECFBlog Preferred) | Triggering Activity | Data Retention Duration |
--- | --- | --- | --- | --- | --- | --- |
Prefetch (.pf) | Files created to speed up application loading. Contain executable name, run count, last run timestamps (up to 8), file/directory resources loaded. Location: C:\Windows\Prefetch | XP, Vista, 7, 8, 10, 11 (Format versions vary) | PECmd.exe (by Eric Zimmerman) | Revisiting Prefetch File Analysis (HECFBlog) | Executing a program. Primarily tracks the first few launches and subsequent launches after significant system changes. | Limited number of files (e.g., 1024 on Win 10/11). Oldest files are deleted on a FIFO (First-In, First-Out) basis. |
Amcache.hve | Registry hive tracking application installations and executions. Contains program path, SHA1 hash, first execution time (via associated File entries), install date. Location: C:\Windows\AppCompat\Programs\Amcache.hve | Windows 7 (limited), 8, 10, 11 | AmcacheParser.exe (by Eric Zimmerman) | Amcache.hve In-Depth Analysis (HECFBlog) | Program execution, application installation/uninstallation. Updated by Application Experience service. | Persists long-term, but specific entries can be updated or potentially overwritten over time. Not strictly time-limited. |
Shimcache (AppCompatCache) | Registry cache storing executable metadata (file path, last modified time, file size) to check for compatibility shims. Indicates potential execution or file system interaction. Location: SYSTEM registry hive. | XP, Vista, 7, 8, 10, 11 | AppCompatCacheParser.exe (by Eric Zimmerman) or Registry Explorer/RECmd.exe | The Evolution of AppCompatCache (HECFBlog) | Program execution, browsing directories containing executables, service starts. Not definitive proof of execution. | Limited cache size (e.g., 1024 entries). Oldest entries are overwritten, typically cycled on reboot/shutdown. |
UserAssist | Registry keys within NTUSER.DAT tracking GUI-based program launches. Records executable/shortcut name, run count, last run time (encoded). Location: NTUSER.DAT hive. | XP, Vista, 7, 8, 10, 11 | Registry Explorer / RECmd.exe (by Eric Zimmerman) | Decoding UserAssist Keys Manually (HECFBlog) | Launching applications via the GUI (Start Menu, shortcuts, Explorer). | Persists within the user profile. Entries are updated with subsequent launches. No automatic age-out. |
RecentApps | Registry keys within NTUSER.DAT tracking recently launched applications (especially UWP/modern apps), often linked to Start Menu/Taskbar recent lists. Records AppID, executable path, last launch time, launch count. Location: NTUSER.DAT hive. | Windows 10, 11 | Registry Explorer / RECmd.exe (by Eric Zimmerman) | RecentApps Registry Key (HECFBlog) | Launching an application, particularly UWP apps or those integrated with modern UI elements. | Persists within the user profile. May have an internal limit on the number of tracked apps. |
BAM/DAM (Background/Desktop Activity Moderator) | Service controlling background activity. Logs executed program paths and last execution timestamps per user. Location: SYSTEM registry hive. | Windows 10 (v1709+), 11 | Registry Explorer / RECmd.exe (by Eric Zimmerman) | BAM! What is it good for?! (HECFBlog) | Program execution. Records the timestamp of the last known execution monitored by the service. | Persists within the SYSTEM hive. Older entries may be overwritten based on system activity. Not strictly time-based. |
SRUM (System Resource Usage Monitor) | Database tracking resource usage, including process execution times, network usage per app, bytes read/written. Provides context (user SID) and duration. Location: C:\Windows\System32\sru\SRUDB.dat | Windows 8, 8.1, 10, 11 | SrumECmd.exe (by Eric Zimmerman) | SRUM Dump(ing) and Pars(ing) (HECFBlog) | Program execution, network activity, system usage. Records data periodically (e.g., hourly). | Typically retains data for 30-60 days by default before older records are purged. |
Windows Event Logs (Process Creation - Security Event ID 4688) | Records process creation events, including executable name, path, parent process, user context, Process ID. Command line logging requires a separate policy. Location: C:\Windows\System32\winevt\Logs\Security.evtx | Vista, 7, 8, 10, 11 (Requires Audit Policy enabled) | EvtxECmd.exe (by Eric Zimmerman) | Event ID 4688 and 4689 Necessity (HECFBlog) | Creation of a new process. Requires the 'Audit Process Creation' security policy to be enabled. | Dependent on log size configuration. Oldest events are overwritten when the log is full unless configured otherwise (e.g., archive). |
ActivitiesCache.db (Windows Timeline) | SQLite database storing user activities (app launches, files opened, web browsing) for the Timeline feature. Can sync across devices. Location: Users\<user>\AppData\Local\ConnectedDevicesPlatform\<profile_dir>\ActivitiesCache.db | Windows 10 (v1803+), 11 | WxTCmd.exe (by Eric Zimmerman) | Introducing WxTCmd (HECFBlog) | User interacts with applications, documents, or websites that integrate with Windows Timeline. | Default local retention often around 30 days, but synced cloud data may persist longer. Database entries persist until pruned/deleted. |
Jump Lists (.automaticDestinations-ms, .customDestinations-ms) | Files storing recently accessed files/locations per application for Taskbar/Start Menu jump lists. Indicates application usage and file interaction. Location: Users\<user>\AppData\Roaming\Microsoft\Windows\Recent\ | Windows 7, 8, 10, 11 | JLECmd.exe (by Eric Zimmerman) | Jump Lists - The Other White Meat! (Journey Into Incident Response) (Classic post, not HECFBlog) | User interacting with an application, opening files, or accessing locations through it. | Persists within the user profile. Number of entries/files managed by Windows/apps. |
Shortcut Files (.lnk) | Files created by users or applications linking to other files/programs. Metadata can show evidence of the target file/program existing and potentially being accessed via the link. Location: Various (Desktop, Recent Items, etc.) | All Windows versions | LECmd.exe (by Eric Zimmerman) | LNK Files - What They Are Good For... (HECFBlog) | Creation of a shortcut; accessing the shortcut (updates timestamps). Access indicates intent or actual execution of target. | Persists until deleted. Timestamps update upon access. |
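The UserAssist row above notes that the value name and last run time are stored encoded. The following is an added example (not code from the page or from any of the tools listed) that decodes the ROT13 value name and parses the 72-byte Windows 7+ Count record: run count at offset 4, focus count at 8, focus time in milliseconds at 12, and the last-execution FILETIME at offset 60. The sample value name and record bytes are constructed for the example; only the 72-byte layout and the ROT13 encoding are real.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed record."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_userassist_name(value_name: str) -> str:
    """UserAssist value names (known-folder GUID prefix included) are ROT13-encoded."""
    return codecs.decode(value_name, "rot_13")

def parse_userassist_count(data: bytes) -> dict:
    """Parse a Windows 7+ (72-byte) UserAssist Count value.
    Little-endian layout: 0x00 session id, 0x04 run count, 0x08 focus count,
    0x0C focus time (ms), 0x10 ten floats, 0x3C last execution FILETIME."""
    if len(data) != 72:
        raise ValueError(f"expected a 72-byte Win7+ record, got {len(data)} bytes")
    session, runs, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "session": session,
        "run_count": runs,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        # A zero FILETIME means the entry was seeded by Windows but never launched.
        "last_run": filetime_to_datetime(last_ft) if last_ft else None,
    }

def build_sample_record(runs: int, focus_count: int, focus_ms: int, last_run) -> bytes:
    """Constructed test record (not taken from a real hive) in the 72-byte layout."""
    ft = datetime_to_filetime(last_run) if last_run else 0
    return (struct.pack("<IIII", 0, runs, focus_count, focus_ms)
            + b"\x00" * 40                      # the ten float slots, left zeroed
            + struct.pack("<IQI", 0, ft, 0))    # 4 unknown bytes, FILETIME, 4 unknown bytes

# Constructed sample: ROT13 of "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe"
SAMPLE_NAME = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2024, 3, 15, 10, 30, 0, tzinfo=timezone.utc)
SAMPLE_DATA = build_sample_record(5, 12, 90_000, SAMPLE_LAST_RUN)

if __name__ == "__main__":
    print(decode_userassist_name(SAMPLE_NAME), parse_userassist_count(SAMPLE_DATA))
```

Windows XP hives use a shorter 16-byte record with the FILETIME at offset 8, so the length check above will reject those rather than misread them.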