# Table of Contents - [Welcome | Windows Forensic Handbook](#welcome-windows-forensic-handbook) - [Registry Artifacts | Windows Forensic Handbook](#registry-artifacts-windows-forensic-handbook) - [Image File Execution Options Registry Keys | Windows Forensic Handbook](#image-file-execution-options-registry-keys-windows-forensic-handbook) - [Background Activity Montitor | Windows Forensic Handbook](#background-activity-montitor-windows-forensic-handbook) - [System Resource Usage Monitor (SRUM) | Windows Forensic Handbook](#system-resource-usage-monitor-srum-windows-forensic-handbook) - [Amcache.hve | Windows Forensic Handbook](#amcache-hve-windows-forensic-handbook) - [Filesystem Artifacts | Windows Forensic Handbook](#filesystem-artifacts-windows-forensic-handbook) - [ComputerName Registry Key | Windows Forensic Handbook](#computername-registry-key-windows-forensic-handbook) - [NetworkCards Registry Key | Windows Forensic Handbook](#networkcards-registry-key-windows-forensic-handbook) - [Select Registry Key | Windows Forensic Handbook](#select-registry-key-windows-forensic-handbook) - [CurrentVersion Registry Key | Windows Forensic Handbook](#currentversion-registry-key-windows-forensic-handbook) - [Services Registry Keys | Windows Forensic Handbook](#services-registry-keys-windows-forensic-handbook) - [Run/RunOnce Registry Keys | Windows Forensic Handbook](#run-runonce-registry-keys-windows-forensic-handbook) - [Interfaces Registry Key | Windows Forensic Handbook](#interfaces-registry-key-windows-forensic-handbook) - [Tracing Registry Keys | Windows Forensic Handbook](#tracing-registry-keys-windows-forensic-handbook) - [TimeZoneInformation Registry Key | Windows Forensic Handbook](#timezoneinformation-registry-key-windows-forensic-handbook) - [Task Scheduler Files | Windows Forensic Handbook](#task-scheduler-files-windows-forensic-handbook) - [Event Log Artifacts | Windows Forensic Handbook](#event-log-artifacts-windows-forensic-handbook) - [AutomaticDestinations Jumplists | Windows Forensic Handbook](#automaticdestinations-jumplists-windows-forensic-handbook) - [TerminalServices-RDPClient | Windows Forensic Handbook](#terminalservices-rdpclient-windows-forensic-handbook) - [System | Windows Forensic Handbook](#system-windows-forensic-handbook) - [Security | Windows Forensic Handbook](#security-windows-forensic-handbook) - [File Activity | Windows Forensic Handbook](#file-activity-windows-forensic-handbook) - [USN Journal | Windows Forensic Handbook](#usn-journal-windows-forensic-handbook) - [Microsoft Windows Shell Core | Windows Forensic Handbook](#microsoft-windows-shell-core-windows-forensic-handbook) - [TerminalServices-RemoteConnectionManager | Windows Forensic Handbook](#terminalservices-remoteconnectionmanager-windows-forensic-handbook) - [Execution Timestamp | Windows Forensic Handbook](#execution-timestamp-windows-forensic-handbook) - [File Creation | Windows Forensic Handbook](#file-creation-windows-forensic-handbook) - [TerminalServices-LocalSessionManager | Windows Forensic Handbook](#terminalservices-localsessionmanager-windows-forensic-handbook) - [File Origin | Windows Forensic Handbook](#file-origin-windows-forensic-handbook) - [Microsoft-Windows-PowerShell | Windows Forensic Handbook](#microsoft-windows-powershell-windows-forensic-handbook) - [File Deletion | Windows Forensic Handbook](#file-deletion-windows-forensic-handbook) - [Recycle Bin $I/$R Files | Windows Forensic Handbook](#recycle-bin-i-r-files-windows-forensic-handbook) - [Windows Error Reporting Files (.WER) | Windows Forensic Handbook](#windows-error-reporting-files-wer-windows-forensic-handbook) - [Last Modified | Windows Forensic Handbook](#last-modified-windows-forensic-handbook) - [File Hash | Windows Forensic Handbook](#file-hash-windows-forensic-handbook) - [Browser Activity | Windows Forensic Handbook](#browser-activity-windows-forensic-handbook) - [Execution | Windows Forensic Handbook](#execution-windows-forensic-handbook) - [Account Activity | Windows Forensic Handbook](#account-activity-windows-forensic-handbook) - [File Size | Windows Forensic Handbook](#file-size-windows-forensic-handbook) - [Account Creation Time | Windows Forensic Handbook](#account-creation-time-windows-forensic-handbook) - [Command Line Options | Windows Forensic Handbook](#command-line-options-windows-forensic-handbook) - [Last Login | Windows Forensic Handbook](#last-login-windows-forensic-handbook) - [Group Membership | Windows Forensic Handbook](#group-membership-windows-forensic-handbook) - [History | Windows Forensic Handbook](#history-windows-forensic-handbook) - [First Executed | Windows Forensic Handbook](#first-executed-windows-forensic-handbook) - [Microsoft Windows Windows Firewall With Advanced Security | Windows Forensic Handbook](#microsoft-windows-windows-firewall-with-advanced-security-windows-forensic-handbook) - [Relative Identifier | Windows Forensic Handbook](#relative-identifier-windows-forensic-handbook) - [EventID 2071: Firewall Rule Added | Windows Forensic Handbook](#eventid-2071-firewall-rule-added-windows-forensic-handbook) - [Prefetch | Windows Forensic Handbook](#prefetch-windows-forensic-handbook) - [Login History | Windows Forensic Handbook](#login-history-windows-forensic-handbook) - [Stored Passwords/Secrets | Windows Forensic Handbook](#stored-passwords-secrets-windows-forensic-handbook) - [EventID 2073: Firewall Rule Modified | Windows Forensic Handbook](#eventid-2073-firewall-rule-modified-windows-forensic-handbook) - [Wireless Activity | Windows Forensic Handbook](#wireless-activity-windows-forensic-handbook) - [EventID 2052: Firewall Rule Deleted | Windows Forensic Handbook](#eventid-2052-firewall-rule-deleted-windows-forensic-handbook) - [Last Executed | Windows Forensic Handbook](#last-executed-windows-forensic-handbook) - [Logon ID | Windows Forensic Handbook](#logon-id-windows-forensic-handbook) - [Bookmarks | Windows Forensic Handbook](#bookmarks-windows-forensic-handbook) - [Destination Identification | Windows Forensic Handbook](#destination-identification-windows-forensic-handbook) - [Network Activity | Windows Forensic Handbook](#network-activity-windows-forensic-handbook) - [Event ID 7045: Service Installed | Windows Forensic Handbook](#event-id-7045-service-installed-windows-forensic-handbook) - [Transmit Volume | Windows Forensic Handbook](#transmit-volume-windows-forensic-handbook) - [EventID 1024: RDP ClientActiveX is trying to connect to the server | Windows Forensic Handbook](#eventid-1024-rdp-clientactivex-is-trying-to-connect-to-the-server-windows-forensic-handbook) - [System Enumeration | Windows Forensic Handbook](#system-enumeration-windows-forensic-handbook) - [Task Scheduler Operational Log | Windows Forensic Handbook](#task-scheduler-operational-log-windows-forensic-handbook) - [Parent and Child Information | Windows Forensic Handbook](#parent-and-child-information-windows-forensic-handbook) - [EventID 24: Session has been disconnected | Windows Forensic Handbook](#eventid-24-session-has-been-disconnected-windows-forensic-handbook) - [Evidence of Network Activity | Windows Forensic Handbook](#evidence-of-network-activity-windows-forensic-handbook) - [EventID 4104: PowerShell Script Block Logging | Windows Forensic Handbook](#eventid-4104-powershell-script-block-logging-windows-forensic-handbook) - [EventID 1149: User Authentication Succeeded | Windows Forensic Handbook](#eventid-1149-user-authentication-succeeded-windows-forensic-handbook) - [EventID 9707: Command Execution Started | Windows Forensic Handbook](#eventid-9707-command-execution-started-windows-forensic-handbook) - [Execution Account | Windows Forensic Handbook](#execution-account-windows-forensic-handbook) - [EventID 21: Session logon succeeded | Windows Forensic Handbook](#eventid-21-session-logon-succeeded-windows-forensic-handbook) - [Source Identification | Windows Forensic Handbook](#source-identification-windows-forensic-handbook) - [Username | Windows Forensic Handbook](#username-windows-forensic-handbook) - [Firewall Activity | Windows Forensic Handbook](#firewall-activity-windows-forensic-handbook) - [Firefox places.sqlite Database | Windows Forensic Handbook](#firefox-places-sqlite-database-windows-forensic-handbook) - [EventID 4624: An account was successfully logged on | Windows Forensic Handbook](#eventid-4624-an-account-was-successfully-logged-on-windows-forensic-handbook) - [EventID 2006: Firewall Rule Deleted | Windows Forensic Handbook](#eventid-2006-firewall-rule-deleted-windows-forensic-handbook) - [EventID 4688: A new process has been created | Windows Forensic Handbook](#eventid-4688-a-new-process-has-been-created-windows-forensic-handbook) - [Evidence of Execution | Windows Forensic Handbook](#evidence-of-execution-windows-forensic-handbook) - [EventID 2005: Firewall Rule Modified | Windows Forensic Handbook](#eventid-2005-firewall-rule-modified-windows-forensic-handbook) - [EventID 2004: Firewall Rule Added | Windows Forensic Handbook](#eventid-2004-firewall-rule-added-windows-forensic-handbook) - [Security Identifier | Windows Forensic Handbook](#security-identifier-windows-forensic-handbook) - [File Path | Windows Forensic Handbook](#file-path-windows-forensic-handbook) --- # Welcome | Windows Forensic Handbook This handbook provides an in-depth guide to the various Windows forensic artifacts that can be utilized when conducting an investigation. Detailed information is provided for each artifact, including its location, available parsing tools, and instructions for interpreting the results of a forensic data extraction. Furthermore, the handbook seeks to provide a comprehensive resource for those seeking to expand their understanding of Windows forensics artifacts and how to properly leverage them during a forensic investigation. ### [](https://psmths.gitbook.io/windows-forensics#github) GitHub [![Logo](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2Fgithub.com%2Ffluidicon.png&width=20&dpr=4&quality=100&sign=4dae9623&sv=2)GitHub - Psmths/windows-forensic-artifacts: Handbook of windows forensic artifacts across multiple Windows version with interpretation tips and some examples. Work in progress!GitHub](https://github.com/Psmths/windows-forensic-artifacts) ### [](https://psmths.gitbook.io/windows-forensics#artifacts-by-type) Artifacts by Type [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts) ![Cover](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2F2561440521-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fiw3VkMLE3v7eYbxTGUJS%252Fuploads%252Fttut9G9kIwSm5fn5410I%252Fregistry.png%3Falt%3Dmedia%26token%3D53470314-1efb-491e-a16a-33615d10f6ce&width=490&dpr=4&quality=100&sign=630c1276&sv=2) **Registry Artifacts** _Artifacts found in the Windows registry_ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts) ![Cover](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2F2561440521-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fiw3VkMLE3v7eYbxTGUJS%252Fuploads%252Fe3UhkFBSc4z0OUkngSzX%252Feventlog.png%3Falt%3Dmedia%26token%3D6ba7482e-c5ed-4e87-981b-cdd5cf2fc5df&width=490&dpr=4&quality=100&sign=4d201cd0&sv=2) **Event Log Artifacts** _Artifacts created by Windows Event Log Providers_ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts) ![Cover](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2F2561440521-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fiw3VkMLE3v7eYbxTGUJS%252Fuploads%252FJzqE9kyBGzUrtjLukms0%252Ffilesystem.png%3Falt%3Dmedia%26token%3D42fc007a-b354-4941-9122-82027182f37b&width=490&dpr=4&quality=100&sign=6f3083df&sv=2) **Filesystem Artifacts** _Artifacts found on an endpoint's filesystem_ ### [](https://psmths.gitbook.io/windows-forensics#artifacts-by-activity) Artifacts by Activity [](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution) ![Cover](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2F2561440521-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fiw3VkMLE3v7eYbxTGUJS%252Fuploads%252FhVWLFOl6CIBpX24XP6TK%252Fexecution.png%3Falt%3Dmedia%26token%3Dece3ff8d-6361-4547-95b7-929a891f68ce&width=490&dpr=4&quality=100&sign=38d450f1&sv=2) **Execution** _Artifacts spawned by application execution_ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity) ![Cover](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2F2561440521-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fiw3VkMLE3v7eYbxTGUJS%252Fuploads%252FTdTYgGS02BDfl3TX9pwh%252Ffile.png%3Falt%3Dmedia%26token%3D1d05c769-3862-46f8-bd45-70a813aa6363&width=490&dpr=4&quality=100&sign=f35562e6&sv=2) **File Activity** _Artifacts generated by filesystem activity_ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity) ![Cover](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2F2561440521-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fiw3VkMLE3v7eYbxTGUJS%252Fuploads%252F0CIJ0DkwhCdd0XKrixt0%252Faccount.png%3Falt%3Dmedia%26token%3Dc7fd45d2-5eaa-459c-a9e9-efc0143f793f&width=490&dpr=4&quality=100&sign=cd880a1f&sv=2) **Account Activity** _Artifacts providing event attribution_ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity) ![Cover](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2F2561440521-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fiw3VkMLE3v7eYbxTGUJS%252Fuploads%252FJFfHS3Jr7C3UuYObpqjb%252Fnetwork.png%3Falt%3Dmedia%26token%3D157a42b8-4f60-4e84-9a3f-9bab3e6bc5b6&width=490&dpr=4&quality=100&sign=e345f7c4&sv=2) **Network Activity** _Artifacts spawned by network activity_ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity) ![Cover](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2F2561440521-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fiw3VkMLE3v7eYbxTGUJS%252Fuploads%252FGccXzG0uoUvvdR9KVcV2%252Fbrowser.png%3Falt%3Dmedia%26token%3Db78c1198-3f10-478d-abd1-caa0b07c84be&width=490&dpr=4&quality=100&sign=6bb94c8&sv=2) **Browser Activity** _Artifacts created by web browsers_ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/system-enumeration) ![Cover](https://psmths.gitbook.io/windows-forensics/~gitbook/image?url=https%3A%2F%2F2561440521-files.gitbook.io%2F%7E%2Ffiles%2Fv0%2Fb%2Fgitbook-x-prod.appspot.com%2Fo%2Fspaces%252Fiw3VkMLE3v7eYbxTGUJS%252Fuploads%252FGtdevVfXnrtzph2IVsCn%252Fenumeration.png%3Falt%3Dmedia%26token%3Dec5b1197-576b-4825-9b5c-109b9b181817&width=490&dpr=4&quality=100&sign=6e75c748&sv=2) **System Enumeration Artifacts** _Artifacts to enumerate endpoints_ ### [](https://psmths.gitbook.io/windows-forensics#how-to-use-this-guide) How to Use this Guide This handbook was created to classify the numerous Windows forensic artifacts and provide a concise list of what information they respectively provide. While it may be used as a general reference, it shines when it comes time to tie separate artifacts together based on mutual or shared data-points. For instance, if it is known that an attacker has logged into an endpoint around a certain time, an analyst may want to determine what activity on the endpoint can be attributed to this session. For this, the analyst might begin by looking at [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) and pull the `Logon ID` from this artifact. This guide provides a list of artifacts that have the `Logon ID` field present here: [Logon ID](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/logon-id) , providing a quick way to correlate logon activity with other activity on the endpoint. As another example, say for instance you are aware that an endpoint may have a malicious file on it. Maybe you want to see when it was created ( [File Creation](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/creation) ), or when it was first executed ( [First Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed) ), this handbook will provide a list of artifacts that may be able to produce answers. Building a visual map in your mind of the relationships between all the artifacts present in Windows is necessary to allow for an analyst to efficiently pivot their focus during an investigation, this guide simply lays it all out and provides useful analysis tips collected during years of forensic experience while doing so. Last updated 2 years ago --- # Registry Artifacts | Windows Forensic Handbook [Amcache.hve](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache) [Background Activity Montitor](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam) [Image File Execution Options Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options) [System Resource Usage Monitor (SRUM)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db) [Run/RunOnce Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce) [Tracing Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys) [Services Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/registry-services) [Select Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select) [CurrentVersion Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version) [ComputerName Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/computer-name) [Interfaces Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces) [NetworkCards Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards) [TimeZoneInformation Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information) Last updated 2 years ago --- # Image File Execution Options Registry Keys | Windows Forensic Handbook Image File Execution Options (IFEO) is a registry key that allows users to attach debuggers to programs. Attackers may leverage this registry key to establish persistence, as code execution can be triggered by execution (and exiting) of a particular program on an endpoint. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options#analysis-value) Analysis Value ---------------------------------------------------------------------------------------------------------------------------------------------------- [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options#operating-system-availability) Operating System Availability ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ✅ Windows XP ✅ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options#artifact-location-s) Artifact Location(s) --------------------------------------------------------------------------------------------------------------------------------------------------------------- 🔌 Offline System 🔋 Live System * File: `%SystemRoot%\System32\config\SOFTWARE` * Key: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` * Key: `SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` * `HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options#artifact-parsers) Artifact Parsers -------------------------------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options#artifact-interpretation) Artifact Interpretation ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- Within the aforementioned registry locations exist keys named after certain executables on the endpoint. Placing a STRING value within these keys named `Debugger` allows an endpoint to specify an arbitrary executable that will be executed when the process is started. Last updated 2 years ago --- # Background Activity Montitor | Windows Forensic Handbook The Background Activity Monitor and Desktop Activity Monitor registry artifacts provide evidence of execution on an endpoint. It is only available in Windows 10 and Windows 11. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------- [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [Last Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/last-executed) [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ❌ Windows 10 ⚠️ Server 2016 ❌ Windows 8 ❌ Server 2012 ❌ Windows 7 ❌ Server 2008 ❌ Windows Vista ❌ Server 2003 ❌ Windows XP ❌ Background Activity Montitor is only available for Windows 10 systems with update 1709 (Redstone 3) and later. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------ 🔌 Offline System 🔋 Live System Newer Windows 10 Systems * File: `%SystemRoot%\System32\config\SYSTEM` * BAM: `SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\state\UserSettings\{USER_SID}` * DAM: `SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\state\UserSettings\{USER_SID}` Older Windows 10 Systems * File: `%SystemRoot%\System32\config\SYSTEM` * BAM: `SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\UserSettings\{USER_SID}` * DAM: `SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\UserSettings\{USER_SID}` Newer Windows 10 Systems * BAM: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings\{USER_SID}` * DAM: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\state\UserSettings\{USER_SID}` Older Windows 10 Systems * BAM: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{USER_SID}` * DAM: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\UserSettings\{USER_SID}` For more information on determining the correct `CurrentControlSet`, visit [Select Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam#artifact-parsers) Artifact Parsers ----------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------- The `Execution Time` as seen in RegistryExplorer represents the most recent time of execution for the binary in UTC. The `Program` field represents the full path the the binary. Based on testing, this execution time is written upon process creation, and again on termination. In the event that you are parsing or interpreting this artifact manually, the following CyberChef recipe can be used to convert Windows FILETIME timestamps to a date and time: Copy [\ { "op": "From Hex",\ "args": ["Auto"] },\ { "op": "To Hex",\ "args": ["None", 0] },\ { "op": "Windows Filetime to UNIX Timestamp",\ "args": ["Milliseconds (ms)", "Hex (little endian)"] },\ { "op": "From UNIX Timestamp",\ "args": ["Milliseconds (ms)"] }\ ] Console applications that are launched through a command line interface will not have BAM/DAM entries. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam#analysis-tips) Analysis Tips ----------------------------------------------------------------------------------------------------------------------------- #### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam#suspicious-execution-locations) Suspicious Execution Locations Search for BAM entries for executables that reside in suspicious locations, such as: * User `Downloads` directories * Other user profile directories such as `Desktop` or `Documents` * `C:\Temp` * `C:\PerfLogs` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam#example-execution-timestamp) Example: Execution Timestamp ---------------------------------------------------------------------------------------------------------------------------------------------------------- * Path: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-3471133136-2963561160-3931775028-1001` * Key: `\Device\HarddiskVolume4\Program Files\PuTTY\putty.exe` * Type: `REG_BINARY` * Value: `60-9F-62-A8-FB-6C-D9-01-00-00-00-00-00-00-00-00-00-00-00-00-02-00-00-00` The 64-Bit FILETIME timestamp `60-9F-62-A8-FB-6C-D9-01` resolves to `Wed 12 April 2023 05:00:10 UTC`, which is the last known execution of the binary `putty.exe`. This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # System Resource Usage Monitor (SRUM) | Windows Forensic Handbook The SRUM database is a forensic artifact that provides evidence of execution and network activity. It is used by Windows to provide telemetry regarding applications that run on an endpoint. It provides 30-60 days of resolution. This artifact is present in both the **registry** as well as the **filesystem**, as an ESE database. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------- [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [Transmit Volume](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/transmit-volume) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ❌ Windows 8 ✅ Server 2012 ❌ Windows 7 ❌ Server 2008 ❌ Windows Vista ❌ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------ * Filesystem: `%SystemRoot%\System32\sru\SRUDB.dat` * Registry: `SOFTWARE\Microsoft\Windows NT\Current Version\SRUM\Extensions` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db#artifact-parsers) Artifact Parsers ----------------------------------------------------------------------------------------------------------------------------------- * [srum-dump](https://github.com/MarkBaggett/srum-dump) * ESEDatabaseView * Registry Explorer [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------- The recommended method to interpret this artifact is to use the srum-dump parser. It will allow you to specify the path the the SRUDB.dat file, the SOFTWARE registry hive, and easily convert the information into a presentable format in an Excel spreadsheet. The SRUM database records information from a number of providers. If you are parsing this manually, you will encounter the following IDs: Key Provider `{973F5D5C-1D90-4944-BE8E-24B94231A174}` Network Data Usage Monitor `{D10CA2FE-6FCF-4F6D-848E-B2E99266FA86}` Push Notification Provider `{D10CA2FE-6FCF-4F6D-848E-B2E99266FA89}` Application Resource Usage Provider `{DD6636C4-8929-4683-974E-22C046A43763}` Network Connectivity Usage Monitor `{FEE4E14F-02A9-4550-B5CE-5FA2DA202E37}` Energy Usage Provider The following information is available from these providers: * Network Data Usage Monitor * _Tracks network usage on a per-application basis_ * Application ID * User SID * Type of interface network traffic traversed (i.e., Ethernet, loopback, IEEE 802.11 wireless, etc.) * Bytes sent and received * Push Notification Provider * _Tracks push notification (WPM) activity on a per-application basis_ * Application Name * User SID * Push notification payload size * Application Resource Usage * Application Name * User SID * Performance metrics such as CPU time, disk write/read bytes, etc. * Network Connectivity Usage Monitor * _Tracks each network the endpoint has been connected to._ * Time of first connection * Duration of connection * Type of interface network traffic traversed (i.e., Ethernet, loopback, IEEE 802.11 wireless, etc.) ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db#network-data-usage-monitor) Network Data Usage Monitor This artifact is useful for identifying potential data exfiltration events from Windows systems, as it captures network utilization over time, providing insight into the magnitude of the data transfer. Note that this artifact provides an **hourly, bucketed** count of how many bytes were sent and received by an application, therefore, the first and last SRUM entry will not correspond exactly to the first and last execution time. This can, however, be used to provide a rough estimate of the timeline of execution for an application. Data collected is written to the SRUM database on the filesystem once per hour to reflect what is stored in the registry, or during system shutdown/reboot events. In the event that a proper shutdown was not conducted, the SRUM filesystem database may need to be repaired using a utility such as `esentutl`. Last updated 2 years ago --- # Amcache.hve | Windows Forensic Handbook The Amcache hive stores metadata regarding executables/installed programs present on an endpoint. Typically, only those that have been executed (or executables associated with installed software) will appear in this registry hive. This artifact has seen numerous revisions, and it is therefore important to first gather information regarding the specific version of Windows that you are analyzing before proceeding with Amcache analysis. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------- [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [File Hash](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-hash) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ⚠️ Server 2008 ⚠️ Windows Vista ❌ Server 2003 ❌ Windows XP ❌ Windows 7 requires update KB2952664 for the Amcache hive to be present. Amcache is available on Windows Server starting from Windows Server 2008 R2. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------ * `%SystemRoot%\AppCompat\Programs\Amcache.hve` Additional LOG files: * `%SystemRoot%\AppCompat\Programs\Amcache.hve.*LOG1` * `%SystemRoot%\AppCompat\Programs\Amcache.hve.*LOG2` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache#artifact-parsers) Artifact Parsers ----------------------------------------------------------------------------------------------------------------------------------- * amcacheparser.exe (Eric Zimmerman) * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------- Within the Amcache hive there are multiple registry keys, each containing different information. The most common keys to analyze are: * InventoryApplication * InventoryApplicationFile * InventoryDriverBinary * InventoryApplicationShortcut ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache#inventoryapplication-windows-10-build-10.0.14393) InventoryApplication (Windows 10 Build 10.0.14393 +) The `InventoryApplication` key stores information about installed software on the system. This key contains a value named `LastScanTime` that corresponds to the last time the Microsoft Compatibility Appraiser has run. This is a scheduled task that executes the `compattelrunner.exe` binary. **The information contained in this key should only be updated when this task is executed. Software installed since this task has last run may not appear in this key!** This value is in Windows FileTime format. This key contains subkeys for each installed software, the key names being the software's `ProgramId`. It contains the following values of interest: Value Description ProgramId The installed software's ProgramId Name Name of the installed software Version Version of the installed software Publisher The installed software's publisher Source `AddRemoveProgram` or `Msi` or `File` or `AppXPackage` InstallDate The date the software was installed. This seems to only populate for AddRemoveProgram/Msi software installations RootDirPath The path to the root directory of the software RegistryKeyPath The path to the `Uninstall` registry key in the SOFTWARE hive The `Source` value can give information regarding how software was installed on the system: * AddRemoveProgram: Software installed via an executable * Msi: Software installed via a .msi file using the Windows Installer service * AppXPackage: Software installed via the Windows Store of the `Get-AppxPackage` PowerShell command ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache#inventoryapplicationfile-windows-10-build-10.0.14393) InventoryApplicationFile (Windows 10 Build 10.0.14393 +) This registry key contains information about the executables tied to installed software, as well as executables that have run on the system. A single software installation may drop multiple executables to a system, and they should all be tracked here. Like the `InventoryApplication` key, this key also only updates when the Microsoft Compatibility Appraiser task has run. The subkeys will contain the executable name, and a hash separated by a `|` character. The most interesting values to analyze within this key are: Value Description ProgramId The ProgramId that this executable is tied to, which can be found in `InventoryApplication`. If the executable was not installed as part of a software installation, this ProgramId will not be found in `InventoryApplication` FileId Stripping the four leading 0s, the SHA-1 hash of the executable LowerCaseLongPath The path to the executable Name The filename of the executable BinaryType 32/64bit indicator Size The size, in bytes, of the executable There is a limit to the size of the data that gets hashed to produce this artifact's SHA-1 hash in the `FileId` value. If the size of the binary exceeds approximately 30MB in size, only the first 30MB will be hashed. The result is that the SHA-1 hash will not be valid for that binary. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache#example) Example ----------------------------------------------------------------------------------------------------------------- Installing a new software, CrystalDiskMark on a system and manually running `compattelrunner.exe` updated the Amcache Hive with the following key (named `00001d78ebb0f68947e39952c24983d564390000ffff`) under `InventoryApplication`: Copy [\ {\ "Data": "00001d78ebb0f68947e39952c24983d564390000ffff",\ "ValueName": "ProgramId",\ "ValueType": "RegSz",\ },\ {\ "Data": "00006141a84b1e5f3b60561c7be664657764da598522",\ "ValueName": "ProgramInstanceId",\ "ValueType": "RegSz",\ },\ {\ "Data": "CrystalDiskMark 8.0.4c",\ "ValueName": "Name",\ "ValueType": "RegSz",\ },\ {\ "Data": "8.0.4c",\ "ValueName": "Version",\ "ValueType": "RegSz",\ },\ {\ "Data": "Crystal Dew World",\ "ValueName": "Publisher",\ "ValueType": "RegSz",\ },\ {\ "Data": "65535",\ "ValueName": "Language",\ "ValueType": "RegDword",\ },\ {\ "Data": "AddRemoveProgram",\ "ValueName": "Source",\ "ValueType": "RegSz",\ },\ {\ "Data": "Application",\ "ValueName": "Type",\ "ValueType": "RegSz",\ },\ {\ "Data": "",\ "ValueName": "StoreAppType",\ "ValueType": "RegSz",\ },\ {\ "Data": "",\ "ValueName": "MsiPackageCode",\ "ValueType": "RegSz",\ },\ {\ "Data": "",\ "ValueName": "MsiProductCode",\ "ValueType": "RegSz",\ },\ {\ "Data": "0",\ "ValueName": "HiddenArp",\ "ValueType": "RegDword",\ },\ {\ "Data": "0",\ "ValueName": "InboxModernApp",\ "ValueType": "RegDword",\ },\ {\ "Data": "10.0.0.19044",\ "ValueName": "OSVersionAtInstallTime",\ "ValueType": "RegSz",\ },\ {\ "Data": "10/18/2023 00:00:00",\ "ValueName": "InstallDate",\ "ValueType": "RegSz",\ },\ {\ "Data": "",\ "ValueName": "PackageFullName",\ "ValueType": "RegSz",\ },\ {\ "Data": "",\ "ValueName": "ManifestPath",\ "ValueType": "RegSz",\ },\ {\ "Data": "",\ "ValueName": "BundleManifestPath",\ "ValueType": "RegSz",\ },\ {\ "Data": "C:\\Program Files\\CrystalDiskMark8\\",\ "ValueName": "RootDirPath",\ "ValueType": "RegSz",\ },\ {\ "Data": "\"C:\\Program Files\\CrystalDiskMark8\\unins000.exe\"",\ "ValueName": "UninstallString",\ "ValueType": "RegSz",\ },\ {\ "Data": "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall\\CrystalDiskMark8_is1",\ "ValueName": "RegistryKeyPath",\ "ValueType": "RegSz",\ },\ {\ "Data": "0",\ "ValueName": "SentDetailedInv",\ "ValueType": "RegDword",\ }\ ] This example was produced on Windows 10, Version 10.0.19044 Build 19044 The software was installed via an executable, leading the `Source` value to be `AddRemoveProgram`. Note the `ProgramId` value of `00001d78ebb0f68947e39952c24983d564390000ffff`. Additionally, several keys were created under `InventoryApplicationFile`, one example (`diskmark32.exe|51ddc7c2637fbb8d`): Copy [\ {\ "Data": "00001d78ebb0f68947e39952c24983d564390000ffff",\ "ValueName": "ProgramId",\ "ValueType": "RegSz",\ },\ {\ "Data": "00009d1e062ff187c9a920a3fcc511911d4fc0e820ce",\ "ValueName": "FileId",\ "ValueType": "RegSz",\ },\ {\ "Data": "c:\program files\crystaldiskmark8\diskmark32.exe",\ "ValueName": "LowerCaseLongPath",\ "ValueType": "RegSz",\ },\ {\ "Data": "diskmark32.exe|51ddc7c2637fbb8d",\ "ValueName": "LongPathHash",\ "ValueType": "RegSz",\ },\ {\ "Data": "DiskMark32.exe",\ "ValueName": "Name",\ "ValueType": "RegSz",\ },\ {\ "Data": "crystal dew world",\ "ValueName": "Publisher",\ "ValueType": "RegSz",\ },\ {\ "Data": "pe32_i386",\ "ValueName": "BinaryType",\ "ValueType": "RegSz",\ },\ {\ "Data": "crystaldiskmark8",\ "ValueName": "ProductName",\ "ValueType": "RegSz",\ },\ {\ "Data": "8.0.4.0",\ "ValueName": "ProductVersion",\ "ValueType": "RegSz",\ },\ {\ "Data": "07/11/2021 06:58:40",\ "ValueName": "LinkDate",\ "ValueType": "RegSz",\ },\ {\ "Data": "8.0.4.0",\ "ValueName": "BinProductVersion",\ "ValueType": "RegSz",\ },\ {\ "Data": "698912",\ "ValueName": "Size",\ "ValueType": "RegQword",\ },\ {\ "Data": "1041",\ "ValueName": "Language",\ "ValueType": "RegDword",\ },\ {\ "Data": "60189208",\ "ValueName": "Usn",\ "ValueType": "RegQword",\ }\ ] This example was produced on Windows 10, Version 10.0.19044 Build 19044 From this example, we can see that the `ProgramId` between the two Amcache keys correspond to each other. Last updated 2 years ago --- # Filesystem Artifacts | Windows Forensic Handbook [USN Journal](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal) [Prefetch](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch) [AutomaticDestinations Jumplists](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations) [Recycle Bin $I/$R Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files) [Task Scheduler Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files) [Windows Error Reporting Files (.WER)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files) [System Resource Usage Monitor (SRUM)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db) Last updated 2 years ago --- # ComputerName Registry Key | Windows Forensic Handbook The `ComputerName` registry key will provide the Computer Name of the endpoint. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/computer-name#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------------- [🖥️System Enumeration](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/system-enumeration) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/computer-name#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ✅ Windows XP ✅ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/computer-name#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------------ 🔌 Offline System 🔋 Live System * File: `%SystemRoot%\System32\config\SYSTEM` * Key: `SYSTEM\{CURRENT_CONTROL_SET}\Control\ComputerName\ComputerName` * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName` For more information on determining the correct `CurrentControlSet`, visit [Select Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/computer-name#artifact-parsers) Artifact Parsers ----------------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/computer-name#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------------- The `ComputerName` value's data field will provide the system's configured Computer Name. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/computer-name#example) Example ----------------------------------------------------------------------------------------------------------------------- Copy PS> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName" -Name * ComputerName : HLPC01 This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # NetworkCards Registry Key | Windows Forensic Handbook The `NetworkCards` registry key will provide the name and interface GUID of the system's attached network interface adatpers. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------------- [🖥️System Enumeration](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/system-enumeration) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ✅ Windows XP ✅ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------------ 🔌 Offline System 🔋 Live System * File: `%SystemRoot%\System32\config\SOFTWARE` * Key: `SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\*` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\*` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards#artifact-parsers) Artifact Parsers ----------------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------------- Each network interface adapter will have its own subkey with the following values: * `Description`: The name of the network adapter * `ServiceName`: The GUID of the network adapter [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards#examples) Examples ------------------------------------------------------------------------------------------------------------------------- Copy Description REG_SZ Microsoft Hyper-V Network Adapter ServiceName REG_SZ {4C7FB48D-33EB-4277-A3FB-37D5EF39C990} This example was produced on Windows Server 2019 Standard, Version 10.0.17763 Build 17763 Copy Description REG_SZ Realtek USB GbE Family Controller ServiceName REG_SZ {737FB1FE-88FF-4F5E-943A-A46C057E68B9} This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # Select Registry Key | Windows Forensic Handbook The `Select` registry key provides the number of the system's `CurrentControlSet`. The `CurrentControlSet` contains important configuration for the Windows operating system, and several different Control Sets may be available within a system's registry. In general, `ControlSet001` will be the most recent Control Set that has been booted under, whereas `ControlSet002` functions as a backup of a known-good state for the Control Set. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------ [🖥️System Enumeration](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/system-enumeration) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------ Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ✅ Windows XP ✅ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select#artifact-location-s) Artifact Location(s) ----------------------------------------------------------------------------------------------------------------------------------------- 🔌 Offline System 🔋 Live System * File: `%SystemRoot%\System32\config\SYSTEM` * Key: `SYSTEM\Select` * `HKEY_LOCAL_MACHINE\SYSTEM\Select` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select#artifact-parsers) Artifact Parsers ---------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------ Within the `Select` key, the value named `Current` identifies the `CurrentControlSet` by an integer. If the value is `1` for instance, that means that the `CurrentControlSet` on a live system will point to `ControlSet001`. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select#example) Example ---------------------------------------------------------------------------------------------------------------- In the following example, the `Select` value's data is `1`, indicating that the CurrentControlSet is `ControlSet001`. Copy PS> Get-ItemProperty -Path "HKLM:\SYSTEM\Select" -Name * Current : 1 Default : 1 Failed : 0 LastKnownGood : 1 This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # CurrentVersion Registry Key | Windows Forensic Handbook The `CurrentVersion` registry key will provide you with the current operating system's version, service pack, and date of installation. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version#analysis-value) Analysis Value --------------------------------------------------------------------------------------------------------------------------------------- [🖥️System Enumeration](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/system-enumeration) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version#operating-system-availability) Operating System Availability --------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ✅ Windows XP ✅ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version#artifact-location-s) Artifact Location(s) -------------------------------------------------------------------------------------------------------------------------------------------------- 🔌 Offline System 🔋 Live System * File: `%SystemRoot%\System32\config\SOFTWARE` * Key: `SOFTWARE\Microsoft\Windows NT\CurrentVersion` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version#artifact-parsers) Artifact Parsers ------------------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version#artifact-interpretation) Artifact Interpretation --------------------------------------------------------------------------------------------------------------------------------------------------------- The `ProductName` value will provide the OS, such as `Windows Server 2019`. The `ReleaseId` value will provide the version of the specified OS. The `InstallDate` is an Epoch timestamp of when the OS was either first installed or received a major update, or was reset. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version#example) Example ------------------------------------------------------------------------------------------------------------------------- Copy PS> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion" -Name * SystemRoot : C:\Windows BaseBuildRevisionNumber : 1 BuildBranch : vb_release BuildGUID : ffffffff-ffff-ffff-ffff-ffffffffffff BuildLab : 19041.vb_release.191206-1406 BuildLabEx : 19041.1.amd64fre.vb_release.191206-1406 CompositionEditionID : Enterprise CurrentBuild : 19044 CurrentBuildNumber : 19044 CurrentMajorVersionNumber : 10 CurrentMinorVersionNumber : 0 CurrentType : Multiprocessor Free CurrentVersion : 6.3 EditionID : Professional EditionSubManufacturer : EditionSubstring : EditionSubVersion : InstallationType : Client InstallDate : 1666804042 ProductName : Windows 10 Pro ReleaseId : 2009 SoftwareType : System UBR : 3086 PathName : C:\Windows ProductId : 00330-80000-00000-AA949 DisplayVersion : 21H2 RegisteredOwner : user1 RegisteredOrganization : InstallTime : 133112776429018501 > This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # Services Registry Keys | Windows Forensic Handbook The `Services` registry key, located in the `SYSTEM` hive, stores information regarding installed services on the endpoint. It is useful when searching for evidence of persistence mechanisms on an endpoint. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/registry-services#analysis-value) Analysis Value ----------------------------------------------------------------------------------------------------------------------------------------- [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/registry-services#operating-system-availability) Operating System Availability ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ✅ Windows XP ✅ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/registry-services#artifact-location-s) Artifact Location(s) ---------------------------------------------------------------------------------------------------------------------------------------------------- 🔌 Offline System 🔋 Live System * File: `%SystemRoot%\system32\config\SYSTEM` * Key: `SYSTEM\{CURRENT_CONTROL_SET}\Services` * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` For more information on determining the correct `CurrentControlSet`, visit [Select Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/registry-services#artifact-parsers) Artifact Parsers --------------------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/registry-services#artifact-interpretation) Artifact Interpretation ----------------------------------------------------------------------------------------------------------------------------------------------------------- Within the `Services` key you will find subkeys, one for each service installed on an endpoint. The values within this key may be interpreted as follows: Value Interpretation DisplayName The name of the service as it would appear in `services.msc` Description The description of the service as it would appear in `services.msc` ImagePath The path to the executable for this service Start Start mode of the service Type Type of service The Last Write Timestamp for each service key represents the time at which the service was installed or modified. Additionally, for each service there may be an optional `Parameters` subkey. This key may contain any options that are passed to the executable when the service is started. Certain service installers such as NSSM (Non-Sucking Service Manager) will show the "true" executable for the service under this `Parameters` key. ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/registry-services#interpreting-the-start-value) Interpreting the `Start` Value Value Interpretation 0 **Boot** - Service is a device driver 1 **System** - Service is a device driver 2 **Automatic** - Service and all of its dependency services is started on boot by the OS 3 **Manual** - Service is started manually by user interaction 4 **Disabled** - Service is disabled and cannot be started automatically or manually Last updated 2 years ago --- # Run/RunOnce Registry Keys | Windows Forensic Handbook The `Run` and `RunOnce` keys specify what programs will start during a logon event. These keys are located in both the NTUSER.dat and SOFTWARE hives. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce#analysis-value) Analysis Value --------------------------------------------------------------------------------------------------------------------------------------- [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce#operating-system-availability) Operating System Availability --------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ✅ Windows XP ✅ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce#artifact-file-location-s) Artifact File Location(s) ------------------------------------------------------------------------------------------------------------------------------------------------------------ 🔌 Offline System 🔋 Live System These keys may exist in two locations: **NTUSER.DAT** * Files * (Windows Vista - 10): `%UserProfile%\NTUSER.dat` * (Windows XP): `C:\Documents and Settings\{USER_NAME}\NTUSER.dat` * Keys * `\Software\Microsoft\Windows\CurrentVersion\Run` * `\Software\Microsoft\Windows\CurrentVersion\RunOnce` **SOFTWARE Hive** * File: `%SystemRoot%\System32\Config\SOFTWARE` * Keys * `\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` * `\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run` These keys may exist in two locations: **NTUSER.DAT** * Keys * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run` * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce` **SOFTWARE Hive** * Keys * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce#artifact-parsers) Artifact Parsers ------------------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) * AutoRuns (Sysinternals) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce#artifact-interpretation) Artifact Interpretation --------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce#ntuser.dat) NTUSER.DAT The following keys will contain full paths to the executables that will start on **logon** for the account that owns this particular `NTUSER.DAT` hive: * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Run` * `NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\RunOnce` Disabled autoruns will appear in a sub-key named "AutorunsDisabled." On a live system, the HKEY\_CURRENT\_USER registry hive is the loaded NTUSER.dat hive. ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce#software) SOFTWARE The following keys will contain full paths to the executables that will start on **logon** for any user on the system: * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce#analysis-tips) Analysis Tips ------------------------------------------------------------------------------------------------------------------------------------- It is possible to obtain evidence of execution for processes that have executed as a result of these registry keys using the [EventID 9707: Command Execution Started](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core) event. If the system is booted into Safe Mode, these keys will be ignored. A `RunOnce` key proceeded by an asterisk will ignore this restriction. The `RunOnce` entry is typically deleted before the command is executed, regardless of its return value. If proceeded by and exclamation point, the `RunOnce` key will be deleted after the command has executed, and only if the command returned successfully. Last updated 2 years ago --- # Interfaces Registry Key | Windows Forensic Handbook The `Interfaces` registry key will provide information regarding the systems attached network interface adatpers, such as IP address and MAC address. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces#analysis-value) Analysis Value ---------------------------------------------------------------------------------------------------------------------------------- [🖥️System Enumeration](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/system-enumeration) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces#operating-system-availability) Operating System Availability ---------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ✅ Windows XP ✅ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces#artifact-location-s) Artifact Location(s) --------------------------------------------------------------------------------------------------------------------------------------------- 🔌 Offline System 🔋 Live System * File: `%SystemRoot%\System32\config\SYSTEM` * Key: `SYSTEM\{CURRENT_CONTROL_SET}\Services\Tcpip\Parameters\Interfaces\{INTERFACE_GUID}` * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{INTERFACE_GUID}` For more information on determining the correct `CurrentControlSet`, visit [Select Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select) For more information on `{INTERFACE_GUID}`, visit [NetworkCards Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces#artifact-parsers) Artifact Parsers -------------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces#artifact-interpretation) Artifact Interpretation ---------------------------------------------------------------------------------------------------------------------------------------------------- Each interface will have its own dedicated registry key, and may contain the following values of interest: value type information DhcpDomain REG\_SZ DHCP option 15 - the domain name of the endpoints FQDN DhcpIPAddress REG\_SZ The DHCP - provided IP address of the endpoint DhcpServer REG\_SZ The DHCP server that provided the endpoint its network configuration EnableDHCP REG\_DWORD 0x0 if DHCP is disabled and 0x1 if DHCP is enabled LeaseObtainedTime REG\_DWORD FILETIME timestamp of when the endpoint received a DHCP lease LeaseTerminatesTime REG\_DWORD FILETIME timestamp of when the endpoint's DHCP lease expires [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces#example) Example -------------------------------------------------------------------------------------------------------------------- Copy PS> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{a7d8885d-10c1-43d4-9e1e-0a7b2678f020}" -Name * EnableDHCP : 1 Domain : NameServer : DhcpServer : 10.100.0.1 Lease : 172800 LeaseObtainedTime : 1687622031 T1 : 1687708431 T2 : 1687773231 LeaseTerminatesTime : 1687794831 AddressType : 0 IsServerNapAware : 0 DhcpConnForceBroadcastFlag : 0 IPAddress : {} SubnetMask : {} DefaultGateway : {} DefaultGatewayMetric : {} RegistrationEnabled : 1 RegisterAdapterName : 0 DhcpInterfaceOptions : {252, 0, 0, 0...} DhcpDefaultGateway : {10.100.0.1} DhcpNameServer : 10.100.0.10 10.100.0.10 DhcpSubnetMaskOpt : {255.255.0.0} DhcpIPAddress : 10.100.65.234 DhcpSubnetMask : 255.255.0.0 DhcpGatewayHardware : {10, 100, 0, 1...} DhcpGatewayHardwareCount : 1 Correlating with the [NetworkCards](https://github.com/Psmths/windows-forensics-handbook/blob/main/enumeration/network-cards.md) registry key: Copy PS> Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\" -Name * ServiceName : {A7D8885D-10C1-43D4-9E1E-0A7B2678F020} Description : Intel(R) Wi-Fi 6 AX200 160MHz PSPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkCards\5 This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # Tracing Registry Keys | Windows Forensic Handbook Tracing registry keys can be used to indicate that a program has initiated a network connection leveraging the Windows Remote Access Server (RAS) through the `rasapi32.dll` and `rasman.dll` libraries. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------------ [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [First Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed) [Evidence of Network Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------------ Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ❓ Server 2003 ❓ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys#artifact-location-s) Artifact Location(s) ----------------------------------------------------------------------------------------------------------------------------------------------- 🔌 Offline System 🔋 Live System * File: `%SystemRoot%\System32\Config\SOFTWARE` * Key: `SOFTWARE\Microsoft\Tracing` * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys#artifact-parsers) Artifact Parsers ---------------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------------ Within the `SOFTWARE\Microsoft\Tracing` key, there may be multiple subkeys with the following name formats of interest: * `{EXECUTABLE_FILENAME}_RASMANCS` * `{EXECUTABLE_FILENAME}_RASAPI32` These filenames will not include the executable extension `.exe`. The Last Write Timestamp of the registry key provides the first time an executable has loaded `rasapi32.dll` and `rasman.dll` in order to establish a remote network connection, typically to download a file. Subsequent activity of this nature will not update the Last Write Timestamp of the registry key. Last updated 2 years ago --- # TimeZoneInformation Registry Key | Windows Forensic Handbook The `TimeZoneInformation` registry key provides the current system time zone. This is useful for consolidating separate artifacts found on a system to align with one time zone, such as UTC. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information#analysis-value) Analysis Value --------------------------------------------------------------------------------------------------------------------------------------------- [🖥️System Enumeration](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/system-enumeration) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information#operating-system-availability) Operating System Availability --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ✅ Windows XP ✅ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information#artifact-location-s) Artifact Location(s) -------------------------------------------------------------------------------------------------------------------------------------------------------- 🔌 Offline System 🔋 Live System * File: `%SystemRoot%\System32\config\SYSTEM` * Key: `SYSTEM\{CURRENT_CONTROL_SET}\Control\TimeZoneInformation` * `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation` For more information on determining the correct `CurrentControlSet`, visit [Select Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information#artifact-parsers) Artifact Parsers ------------------------------------------------------------------------------------------------------------------------------------------------- * RegistryExplorer (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information#artifact-interpretation) Artifact Interpretation --------------------------------------------------------------------------------------------------------------------------------------------------------------- Within the `TimeZoneInformation` registry key, the value name `TimeZoneKeyName` will contain the current system time zone. For examples of what this may look like, execute the command `Get-TimeZone -ListAvailable` in PowerShell and look at the `Id` key. The `Bias` key contains the numer of minutes between UTC and the system's selected time zone, such that `UTC = Local System Time + Bias`. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information#example) Example ------------------------------------------------------------------------------------------------------------------------------- Copy PS> Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\TimeZoneInformation" -Name * Bias : 360 DaylightBias : 4294967236 DaylightName : @tzres.dll,-161 DaylightStart : {0, 0, 3, 0...} StandardBias : 0 StandardName : @tzres.dll,-162 StandardStart : {0, 0, 11, 0...} TimeZoneKeyName : Central Standard Time DynamicDaylightTimeDisabled : 0 ActiveTimeBias : 300 This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # Task Scheduler Files | Windows Forensic Handbook Task Scheduler Files are XML files that provide information regarding scheduled tasks on an endpoint. These files are created when a new task is scheduled on the endpoint. This artifact is similar to and replaces `.job` files on Windows XP, but provides more information. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files#analysis-value) Analysis Value ---------------------------------------------------------------------------------------------------------------------------------------------- [Command Line Options](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/command-line-options) [First Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed) [Last Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/last-executed) [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files#operating-system-availability) Operating System Availability ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files#artifact-location-s) Artifact Location(s) --------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Tasks` for tasks scheduled by 64-bit processes * `%SystemRoot%\SysWOW64\Tasks` for tasks scheduled by 32-bit processes [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files#artifact-interpretation) Artifact Interpretation ---------------------------------------------------------------------------------------------------------------------------------------------------------------- XML Path Interpretation `Task/Registration Info/Date` Date the task was scheduled `Task/Registration Info/Author` Author of the task. Can be local or remote. `Task/Triggers` Triggers for the scheduled task `Task/Actions` Action taken by the scheduled task `Task/Principals` Authentication used for the task during execution [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files#analysis-tips) Analysis Tips -------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files#remote-scheduled-tasks) Remote Scheduled Tasks In the event that a scheduled task was remotely created (an excellent indicator of lateral movement), the `Task/Registration Info/Author` field will provide the originating endpoint. Last updated 2 years ago --- # Event Log Artifacts | Windows Forensic Handbook [Task Scheduler Operational Log](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log) [TerminalServices-RDPClient](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient) [Security](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security) [System](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system) [Microsoft Windows Windows Firewall With Advanced Security](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security) [TerminalServices-LocalSessionManager](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager) [TerminalServices-RemoteConnectionManager](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager) [Microsoft Windows Shell Core](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core) [Microsoft-Windows-PowerShell](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell) Last updated 2 years ago --- # AutomaticDestinations Jumplists | Windows Forensic Handbook AutomaticDestinations are jumplist files created by Windows when an application is launched. As these are jumplist files, they are in a binary format known as Object Linking and Embedding Compound File (OLECF). AutomaticDestinations can be thought of as containers for different LNK files from which forensic evidence may be recovered. Jumplists are used to store common/recent locations and "tasks" on the taskbar for individual programs. From a forensic perspective they are useful in identifying files and folders that were created or accessed by users. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------------------------ [First Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed) [Last Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/last-executed) [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ Major Version Support Major Version Support Windows 11 ✅ Server 2019 ❌ Windows 10 ✅ Server 2016 ❌ Windows 8 ✅ Server 2012 ❌ Windows 7 ✅ Server 2008 ❌ Windows Vista ❌ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#artifact-location-s) Artifact Location(s) ----------------------------------------------------------------------------------------------------------------------------------------------------------- * `%USERPROFILE%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#artifact-parsers) Artifact Parsers ---------------------------------------------------------------------------------------------------------------------------------------------------- * JLECmd (Eric Zimmerman) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------------------------ The file name for these artifacts are based on the AppID of the program they are related to. For example, an AutomaticDestinations entry for `explorer.exe` will have the prefix `F01B4D95CF55D32A`. Thus, the full file name would be `f01b4d95cf55d32a.automaticDestinations-ms`. A good resource to leverage to translate AppIDs by Eric Zimmerman can be found [here](https://github.com/EricZimmerman/JumpList/blob/master/JumpList/Resources/AppIDs.txt) . ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#execution-first-executed) Execution - First Executed The creation time of each AutomaticDestinations file corresponds to the first known time that an application **opened a file** while being executed. For instance, if a user simply opens Excel, but never opens a file, there will be no AutomaticDestinations file created. If, however, they proceed to open a file (or save a new file), an AutomaticDestinations file will be created with a creation timestamp corresponding to the time the first file was opened (or a new file was saved). ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#execution-last-executed) Execution - Last Executed The modification time of each AutomaticDestinations file corresponds to the last known time that an application was executed **and opened a file**. For instance, the modification timestamp will change under the following example set of circumstances: * A user navigated to a directory using explorer and opened an Excel workbook by double-clicking on it * A user went to Excel on the taskbar and opened an Excel workbook listed under the `Recent` list. * A user opened Excel, and then opened a workbook from within Excel. * A user opened Excel, and saved a new workbook from within Excel. The timestamp will not be updated in the case that a user simply opened Excel without opening another file. ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#execution-permissions-account) Execution - Permissions / Account Given that the AutomaticDestinations files are stored in a user's %AppData% directory, this effectively ties execution of an application to a particular user account. For instance, if the AutomaticDestinations file for Excel exists in the following path: `C:\Users\john.doe\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms`, this implies that the user `john.doe` executed `Microsoft Office Excel x64`. ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#execution-evidence-of-execution) Execution - Evidence of Execution The presence of an AutomaticDestinations file for an application implies that the application was executed and was used to open a file or save a new file. ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations#file-path) File - Path Within each AutomaticDestinations file is a list of recent files that were accessed, as well as a count of how many times each file was accessed using that specific application. Alongside this is the timestamp corresponding to the last known time each file was accessed by the application. For instance, when using JLECmd.exe (Eric Zimmerman) to analyze an AutomaticDestinations file for Excel, the following is seen: Copy Processing C:\Users\john.doe\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations\b8ab77100df80ab2.automaticDestinations-ms --- AppId information --- AppID: b8ab77100df80ab2 Description: Microsoft Office Excel x64 --- DestList entries --- Entry #: 2 MRU: 0 Path: C:\temp\test.xlsx Pinned: False Created on: 2023-06-24 15:53:43 Last modified: 2023-06-24 17:56:09 Hostname: HLPC01 Interaction count: 2 --- Lnk information --- Absolute path: My Computer\C:\temp\test.xlsx This example was produced on Windows 10, Version 10.0.19044 Build 19044 We can conclude: * `Microsoft Office Excel x64` was executed * `C:\temp\test.xlsx` existed at some point on the local disk * The user `john.doe` executed Excel and accessed `C:\temp\test.xlsx` * `C:\temp\test.xlsx` was opened using `Microsoft Office Excel x64` * `C:\temp\test.xlsx` was accessed twice using Excel * The last known time Excel was used to access `C:\temp\test.xlsx` was at `2023-06-24 17:56:09` We can gather more information given the Creation/Modification timestamps of the AutomaticDestinations file `b8ab77100df80ab2.automaticDestinations-ms` itself: * The creation timestamp of the file `b8ab77100df80ab2.automaticDestinations-ms` is `2022-02-12 15:22:00`, indicating that (given the AutomaticDestinations files were not deleted) Excel was first used to access files at `2022-02-12 15:22:00` * The modification timestamp of the file is `2023-06-24 17:56:09`, indicating that this was the last time Excel was used to access a file. As this is the `Last modified` timestamp of the entry for `C:\temp\test.xlsx`, we can conclude this is the last known file that Excel accessed on this system, corroborated by its `MRU` value of 0. As the AutomaticDestinations file is a collection of LNK files, JLECmd offers an additional option to parse these as well through the `--ld` flag. We can get a lot more information this way, for example, accessing a file (`Y:\Documents\new.xlsx`) on a mapped network share (at `192.168.0.20`): Copy Entry #: 3 MRU: 0 Path: Y:\Documents\new.xlsx Pinned: False Created on: 1582-10-15 00:00:00 Last modified: 2023-06-24 18:06:38 Hostname: Mac Address: fc:0c:00:00:00:00 Interaction count: 4 --- Lnk information --- --- Link information --- Flags: CommonNetworkRelativeLinkAndPathSuffix Network share information Device name: Y: Share name: \\192.168.0.20\Documents Provider type: WnncNetLanman Share flags: 3 Common path: Documents\new.xlsx Absolute path: My Computer\Y:\Documents\new.xlsx This example was produced on Windows 10, Version 10.0.19044 Build 19044 In this case, the file was accessed 4 times, and the most recent time it was accessed using Excel was at `2023-06-24 18:06:38`. Last updated 2 years ago --- # TerminalServices-RDPClient | Windows Forensic Handbook [EventID 1024: RDP ClientActiveX is trying to connect to the server](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex) Last updated 2 years ago --- # System | Windows Forensic Handbook [Event ID 7045: Service Installed](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install) Last updated 2 years ago --- # Security | Windows Forensic Handbook [EventID 4688: A new process has been created](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created) [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) Last updated 2 years ago --- # File Activity | Windows Forensic Handbook [File Creation](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/creation) [File Deletion](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/deletion) [Last Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/last-modified) [File Origin](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/origin) [File Size](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/size) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [File Hash](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-hash) Last updated 2 years ago --- # USN Journal | Windows Forensic Handbook The USN Journal is an artifact present on NTFS volumes that functions as the filesystem's journal. This artifact contains high-level records of operations taken on the filesystem. This artifact is present in volume shadow copies which may provide additional historical data. The USN Journal is limited in size and therefore only recent activity will be reflected in this file. Depending on the amount of filesystem activity on a volume this artifact may only provide several days (or even hours) of coverage. A potential workaround to obtain more history from this artifact would be to extract a copy of it from any available Volume Shadow Copies present on the NTFS volume. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------------- [File Creation](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/creation) [File Deletion](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/deletion) [Last Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/last-modified) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [File Size](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/size) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------------- * The USN Journal is present in all NTFS Volumes [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------------ * `$Extend\$UsnJrnl\$J` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal#artifact-parsers) Artifact Parsers ----------------------------------------------------------------------------------------------------------------------------------------- * Velociraptor * jp (TZWorks) * MFTEcmd (Eric Zimmerman) * KAPE can be used to extract [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------------- Below are several common USN Journal events: Event Code Value Description USN\_REASON\_FILE\_CREATE 0x00000100 File or directory has been created USN\_REASON\_FILE\_DELETE 0x00000200 File or directory has been deleted USN\_REASON\_RENAME\_NEW\_NAME 0x00002000 File has been renamed (provides the new name) USN\_REASON\_RENAME\_OLD\_NAME 0x00001000 File has been renamed (provides the old name) USN\_REASON\_STREAM\_CHANGE 0x00200000 An Alternate Data Stream has been added or removed or renamed from a file USN\_REASON\_NAMED\_DATA\_EXTEND 0x00000020 An Alternate Data Stream has been added to USN\_REASON\_DATA\_EXTEND 0x00000002 File modification USN\_REASON\_DATA\_OVERWRITE 0x00000001 File modification USN\_REASON\_DATA\_TRUNCATION 0x00000004 File modification USN\_REASON\_BASIC\_INFO\_CHANGE 0x00008000 File attributes have been modified USN\_REASON\_SECURITY\_CHANGE 0x00000800 File ownership/access writes have been modified ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal#example-file-creation-and-deletion) Example: File Creation and Deletion In this example, we created a file `test.txt`, modified its contents, and then deleted it. The resulting information from the USN Journal is as follows: Timestamp Filename Update Reason 2023-04-26 23:51:09.09 New Text Document.txt FileCreate 2023-04-26 23:51:09.09 New Text Document.txt FileCreate,Close 2023-04-26 23:51:16.16 New Text Document.txt RenameOldName 2023-04-26 23:51:16.16 test.txt RenameNewName 2023-04-26 23:51:16.16 test.txt RenameNewName,Close 2023-04-26 23:51:22.22 test.txt DataExtend 2023-04-26 23:51:22.22 test.txt DataExtend,Close 2023-04-26 23:51:29.29 $I4NTH4K.txt FileCreate 2023-04-26 23:51:29.29 $I4NTH4K.txt DataExtend,FileCreate 2023-04-26 23:51:29.29 $I4NTH4K.txt DataExtend,FileCreate,Close 2023-04-26 23:51:29.29 test.txt RenameOldName 2023-04-26 23:51:29.29 $R4NTH4K.txt RenameNewName 2023-04-26 23:51:29.29 $R4NTH4K.txt RenameNewName,Close 2023-04-26 23:51:29.29 $R4NTH4K.txt SecurityChange 2023-04-26 23:51:29.29 $R4NTH4K.txt SecurityChange,Close In this example, we first see that a new text file is created, called `New Text Document.txt` (`FileCreate`), indicating that it was likely created by right-clicking in Explorer. It is then renamed to `test.txt` (`RenameNewName`). Afterwards, its contents are modified (`DataExtend`). The file is then "deleted," being sent to the recycle bin. This is evidenced by the creation of the `$I` and `$R` files. As expected, the `$R4NTH4K.txt` file should contain the full contents of the deleted file, and we see that Windows simply renames the original file to this. More information on Recycle Bin $I/$R Files: [Recycle Bin $I/$R Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files) This example was produced on Windows 10, Version 10.0.19044 Build 19044 ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal#example-moving-a-file) Example: Moving a File In this example, a file has been moved to a different directory. In this instance, while the filename remains the same, we see that the update reasons `RenameOldName` and `RenameNewName` are present. The parent entry numbers (as well as the parent sequence numbers, not shown in this table) change, indicating that the file has been moved to a different directory. Timestamp Parent Entry Number Filename Update Reason 2023-04-26 23:51:41.41 114291 test2.txt RenameOldName 2023-04-26 23:51:41.41 101882 test2.txt RenameNewName 2023-04-26 23:51:41.41 101882 test2.txt RenameNewName,Close 2023-04-26 23:51:41.41 101882 test2.txt SecurityChange 2023-04-26 23:51:41.41 101882 test2.txt SecurityChange,Close This example was produced on Windows 10, Version 10.0.19044 Build 19044 ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal#example-correlation-with-prefetch) Example: Correlation with Prefetch UpdateTimestamp Name UpdateReasons 2023-04-26 23:51:16.16 New Text Document.txt RenameOldName 2023-04-26 23:51:16.16 test.txt RenameNewName 2023-04-26 23:51:22.22 test.txt DataExtend 2023-04-26 23:51:22.22 test.txt DataExtend,Close 2023-04-26 23:51:23.23 NOTEPAD.EXE-9FB27C0E.pf DataTruncation 2023-04-26 23:51:23.23 NOTEPAD.EXE-9FB27C0E.pf DataExtend,DataTruncation 2023-04-26 23:51:23.23 NOTEPAD.EXE-9FB27C0E.pf DataExtend,DataTruncation,Close In this example, we see that `notepad.exe` was likely executed to edit `text.txt`. This is particularly valuable as the [Prefetch](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch) artifact only stores the last 8 execution timestamps of an application, but it is updated for each execution, meaning the USN Journal may provide additional execution timestamps that have rolled out of the Prefetch file. This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # Microsoft Windows Shell Core | Windows Forensic Handbook [EventID 9707: Command Execution Started](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core) Last updated 2 years ago --- # TerminalServices-RemoteConnectionManager | Windows Forensic Handbook [EventID 1149: User Authentication Succeeded](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149) Last updated 2 years ago --- # Execution Timestamp | Windows Forensic Handbook [Task Scheduler Operational Log](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log) [EventID 9707: Command Execution Started](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core) Last updated 2 years ago --- # File Creation | Windows Forensic Handbook [USN Journal](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal) Last updated 2 years ago --- # TerminalServices-LocalSessionManager | Windows Forensic Handbook [EventID 21: Session logon succeeded](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21) [EventID 24: Session has been disconnected](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24) Last updated 2 years ago --- # File Origin | Windows Forensic Handbook Last updated 2 years ago --- # Microsoft-Windows-PowerShell | Windows Forensic Handbook [EventID 4104: PowerShell Script Block Logging](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell/evtx-4104-script-block-logging) Last updated 2 years ago --- # File Deletion | Windows Forensic Handbook [USN Journal](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal) [Recycle Bin $I/$R Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files) Last updated 2 years ago --- # Recycle Bin $I/$R Files | Windows Forensic Handbook In modern versions of Windows, when a file is deleted, it is sent to the Recycle Bin first. Under the hood this constitutes the creation of two unique files prepended by `$I` and `$R` and appended with the original file's extension such as: * `$RMYY8AS.txt` * `$IMYY8AS.txt` The `$I` file contains information about the deleted file. The `$R` file contains the full contents of that deleted file. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------------------- [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [File Deletion](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/deletion) [File Size](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/size) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------------------ * `C:\$Recycle.Bin\{USER_SID}` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files#artifact-parsers) Artifact Parsers ----------------------------------------------------------------------------------------------------------------------------------------------- * KAPE (Extraction and Parsing) * [RBCmd](https://github.com/EricZimmerman/RBCmd) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------------------- The presence of this artifact indicates that a file was deleted and sent to the recycle bin. The user who deleted the file will have their SID shown as the parent directory for the `$I` and `$R` files, for example: * `C:\$Recycle.Bin\S-1-5-21-3471133136-2963561160-3931775028-1000\$RMYY8AS.txt` * `C:\$Recycle.Bin\S-1-5-21-3471133136-2963561160-3931775028-1000\$IMYY8AS.txt` In this case, `S-1-5-21-3471133136-2963561160-3931775028-1000` is the User SID. The `$R` file contains the full contents of the original deleted file. The `$I` file contains the following data: * Size of the original file * Full path of the original file * Deletion time and date Last updated 2 years ago --- # Windows Error Reporting Files (.WER) | Windows Forensic Handbook Windows Error Reporting is a component of Windows that allows for users to send crash reports to Microsoft. Windows Error Reporting files provide information about the crash and are useful to a forensic analysis to provide evidence of execution. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files#analysis-value) Analysis Value ----------------------------------------------------------------------------------------------------------------------------------- [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files#operating-system-availability) Operating System Availability ----------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files#artifact-location-s) Artifact Location(s) ---------------------------------------------------------------------------------------------------------------------------------------------- * `%ProgramData%\Microsoft\Windows\WER\ReportArchive` * `%ProgramData%\Microsoft\Windows\WER\ReportQueue` * `%UserProfile%\AppData\Local\Microsoft\Windows\WER\ReportArchive` * `%UserProfile%\AppData\Local\Microsoft\Windows\WER\ReportQueue` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files#artifact-interpretation) Artifact Interpretation ----------------------------------------------------------------------------------------------------------------------------------------------------- Within the aforementioned directories, folders containing .WER files may be found. These are created when either: * A user-mode applications crashes `(AppCrash_ ...)` * A user-mode application hangs `(AppHang_ ...)` * A kernel crash occurs `(Kernel_ ...)` For evidence of execution, the AppCrash and AppHang folders are most interesting. The folders contain the application name, for example, `AppHang_Bginfo64.exe_cf919d50e71d613a2bddb1a116ff8eebb4e5c_140e09f3_c2b585e7-ac5d-4cf9-bd79-7b6d4fe6075c`. Each folder represents one instance of an application crashing or hanging, and may contain a variety of files apart from the .WER file, such as minidumps. The .WER files contain information about crash reports that occurred and mirror closely the information represented in the Windows Reliability History control panel page. The .WER file will contain a wealth of information, such as: * The full path to the application that crashed or froze * The modules that the application loaded * Application metadata, such as version, name, etc. * OS metadata such as OS version, architecture, etc. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files#example) Example --------------------------------------------------------------------------------------------------------------------- The following example shows the result of an application, `WinSCP.exe`, experiencing a fault and crashing (it has been reduced to include the most interesting information from this artifact): Note the `EventTime` is a Windows Filetime timestamp. In this example, it translates to `Sat 18 February 2023 05:14:17 UTC`, which corresponds to the creation time of this .WER file. From this we can confirm that the application located at `C:\Program Files (x86)\WinSCP\WinSCP.exe` was executed sometime before it crashed at `2023-02-18T05:14:17.000Z`. Copy Version=1 EventType=APPCRASH EventTime=133211708571634483 NsAppName=WinSCP.exe OriginalFilename=winscp.exe Sig[0].Name=Application Name Sig[0].Value=WinSCP.exe Sig[1].Name=Application Version Sig[1].Value=5.21.5.12858 Sig[2].Name=Application Timestamp Sig[2].Value=00000000 Sig[3].Name=Fault Module Name Sig[3].Value=MSHTML.dll Sig[4].Name=Fault Module Version Sig[4].Value=11.0.19041.2604 Sig[5].Name=Fault Module Timestamp Sig[5].Value=709ac760 Sig[6].Name=Exception Code Sig[6].Value=c0000005 Sig[7].Name=Exception Offset Sig[7].Value=0035c570 DynamicSig[1].Name=OS Version DynamicSig[1].Value=10.0.19044.2.0.0.256.48 UI[2]=C:\Program Files (x86)\WinSCP\WinSCP.exe LoadedModule[0]=C:\Program Files (x86)\WinSCP\WinSCP.exe LoadedModule[1]=C:\Windows\SYSTEM32\ntdll.dll LoadedModule[2]=C:\Windows\System32\KERNEL32.DLL LoadedModule[3]=C:\Windows\System32\KERNELBASE.dll LoadedModule[4]=C:\Windows\System32\WS2_32.DLL LoadedModule[5]=C:\Windows\System32\RPCRT4.dll LoadedModule[6]=C:\Windows\System32\CRYPT32.DLL LoadedModule[7]=C:\Windows\System32\ucrtbase.dll LoadedModule[8]=C:\Windows\System32\SHLWAPI.DLL OsInfo[29].Key=osver OsInfo[29].Value=10.0.19041.2604.amd64fre.vb_release.191206-1406 OsInfo[31].Key=edition OsInfo[31].Value=Professional FriendlyEventName=Stopped working ConsentKey=APPCRASH AppName=WinSCP: SFTP, FTP, WebDAV, S3 and SCP client AppPath=C:\Program Files (x86)\WinSCP\WinSCP.exe ApplicationIdentity=45B3D2BB4FABCE88A748DFBEF7254C79 This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # Last Modified | Windows Forensic Handbook [USN Journal](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal) Last updated 2 years ago --- # File Hash | Windows Forensic Handbook [Amcache.hve](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache) Last updated 2 years ago --- # Browser Activity | Windows Forensic Handbook [History](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity/history) [Bookmarks](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity/bookmarks) [Stored Passwords/Secrets](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity/stored-passwords-secrets) Last updated 2 years ago --- # Execution | Windows Forensic Handbook [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [First Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed) [Last Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/last-executed) [Command Line Options](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/command-line-options) [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) [Execution Timestamp](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-timestamp) Last updated 2 years ago --- # Account Activity | Windows Forensic Handbook [Account Creation Time](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/creation-time) [Group Membership](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/group-membership) [Last Login](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/last-login) [Login History](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/login-history) [Logon ID](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/logon-id) [Relative Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/relative-identifier) [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username) Last updated 2 years ago --- # File Size | Windows Forensic Handbook [USN Journal](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal) [Recycle Bin $I/$R Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files) Last updated 2 years ago --- # Account Creation Time | Windows Forensic Handbook Last updated 2 years ago --- # Command Line Options | Windows Forensic Handbook [Task Scheduler Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files) [Task Scheduler Operational Log](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log) [EventID 4688: A new process has been created](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created) [EventID 9707: Command Execution Started](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core) Last updated 2 years ago --- # Last Login | Windows Forensic Handbook Last updated 2 years ago --- # Group Membership | Windows Forensic Handbook Last updated 2 years ago --- # History | Windows Forensic Handbook [Firefox places.sqlite Database](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity/history/firefox-places-sqlite) Last updated 2 years ago --- # First Executed | Windows Forensic Handbook [Prefetch](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch) [AutomaticDestinations Jumplists](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations) [Task Scheduler Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files) [Tracing Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys) [Task Scheduler Operational Log](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log) [EventID 4104: PowerShell Script Block Logging](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell/evtx-4104-script-block-logging) Last updated 2 years ago --- # Microsoft Windows Windows Firewall With Advanced Security | Windows Forensic Handbook [EventID 2004: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall) [EventID 2005: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall) [EventID 2006: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall) [EventID 2071: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2071-firewall-windows-11) [EventID 2073: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11) [EventID 2052: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11) Last updated 2 years ago --- # Relative Identifier | Windows Forensic Handbook Last updated 2 years ago --- # EventID 2071: Firewall Rule Added | Windows Forensic Handbook This event indicates that a new firewall rule has been added to the Windows Firewall. While currently unique to newer versions of Windows 11, it is functionally similar to: [EventID 2004: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall) Last updated 2 years ago --- # Prefetch | Windows Forensic Handbook Windows Prefetch is utilized to improve application performance by pre-loading resources when an application is launched. In addition to providing evidence of execution, the Prefetch artifact provides a list of modules/files that have been accessed by the process in the 10 seconds following spawning. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#analysis-value) Analysis Value ---------------------------------------------------------------------------------------------------------------------------------- [First Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed) [Last Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/last-executed) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#operating-system-availability) Operating System Availability Major Version Support Major Version Support Windows 11 ✅ Server 2019 ⚠️ Windows 10 ✅ Server 2016 ⚠️ Windows 8 ✅ Server 2012 ⚠️ Windows 7 ✅ Server 2008 ⚠️ Windows Vista ✅ Server 2003 ⚠️ Windows XP ✅ Windows Server systems do not have Prefetch enabled by default. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#artifact-location-s) Artifact Location(s) --------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\Prefetch` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#artifact-parsers) Artifact Parsers -------------------------------------------------------------------------------------------------------------------------------------- * PECmd.exe (Eric Zimmerman) * pf.exe (TZWorks) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#artifact-interpretation) Artifact Interpretation ---------------------------------------------------------------------------------------------------------------------------------------------------- The name of the prefetch file takes on the format: `{executable_name}-{hash}.pf`, where `executable_name` is the name of the executable file that was run, and `hash` provides a hash of the executable's path and the command line used to launch the executable. If the same executable was run with different command line options, or the executable was moved and then run again, this essentially means there will be more than one prefetch entry for it. ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#earliest-execution) Earliest Execution The creation timestamp of the prefetch file indicates the **potential** _earliest_ time the executable was run on the system. This is because the amount of prefetch files stored on the system is limited, and older files are rotated out. Regarding the "potential" earliest/first execution: Because Windows only stores the last 128 entries (Windows XP/Vista/7) or 1024 entries (Windows 8/10), applications that haven't been run after some time may be rolled out of this directory, and re-created when they are run again. ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#last-executed) Last Executed The most recent execution is indicated by the modification timestamp of the prefetch file. Additionally, on Windows 8/10, the last 8 execution times are stored within the prefetch file and can be parsed. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#full-path) Full Path ------------------------------------------------------------------------------------------------------------------------ The artifact, when parsed, provides the full path to the executable that was run. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#caveats) Caveats -------------------------------------------------------------------------------------------------------------------- Prefetch files are written approximately 10 seconds after execution. Subtract 10 seconds from the prefetch filesystem timestamps to get an approximate time. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#analysis-tips) Analysis Tips -------------------------------------------------------------------------------------------------------------------------------- #### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#evidence-of-deleted-files) Evidence of Deleted Files Because the Prefetch artifact stores files referenced by a program, it may be used to identify deleted files as they will persist in this artifact. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch#example) Example -------------------------------------------------------------------------------------------------------------------- In the following example, the SysInternals utility `ADExplorer64` was executed from two separate locations, once from the system's disk under `C:\Temp` and once from a connected USB device, resulting in two prefetch files: * `ADEXPLORER64.EXE-9B0EE190.pf` : Executed three times from a connected USB device * `ADEXPLORER64.EXE-67B06AB8.pf` : Executed once on local disk The files when parsed through PECmd, resulted in the following outputs: Copy Processing ADEXPLORER64.EXE-67B06AB8.pf Created on: 2023-05-10 16:29:15 Modified on: 2023-05-10 16:28:35 Last accessed on: 2023-05-10 16:31:26 Executable name: ADEXPLORER64.EXE Hash: 67B06AB8 File size (bytes): 32,418 Version: Windows 10 or Windows 11 Run count: 1 Last run: 2023-05-10 16:28:32 Volume information: #0: Name: \VOLUME{01d8e97614061ec7-7c141bd8} Serial: 7C141BD8 Created: 2022-10-26 20:03:55 Directories: 9 File references: 58 Directories referenced: 9 00: \VOLUME{01d8e97614061ec7-7c141bd8}\TEMP (Keyword True) 01: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS 02: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\APPPATCH 03: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\FONTS 04: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\GLOBALIZATION 05: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\GLOBALIZATION\SORTING 06: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32 07: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\EN-US 08: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.19041.1110_NONE_60B5254171F9507E Files referenced: 49 00: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\NTDLL.DLL 01: \VOLUME{01d8e97614061ec7-7c141bd8}\TEMP\ADEXPLORER64.EXE (Executable: True) 02: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\KERNEL32.DLL 03: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\KERNELBASE.DLL 04: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\LOCALE.NLS 05: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\APPHELP.DLL 06: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\APPPATCH\SYSMAIN.SDB 07: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\RPCRT4.DLL 08: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\USER32.DLL ... In the case where ADExplorer64 was run from a USB device, note the presence of two volume entries. Additionally, since the executable was run three times, there are additional execution timestamps for these events as well! Copy Processing ADEXPLORER64.EXE-9B0EE190.pf Created on: 2023-05-10 16:44:17 Modified on: 2023-05-10 16:43:59 Last accessed on: 2023-05-10 16:44:32 Executable name: ADEXPLORER64.EXE Hash: 9B0EE190 File size (bytes): 32,266 Version: Windows 10 or Windows 11 Run count: 3 Last run: 2023-05-10 16:43:57 Other run times: 2023-05-10 16:43:54, 2023-05-10 16:43:51 Volume information: #0: Name: \VOLUME{0000000000000000-340060b2} Serial: 340060B2 Created: 1601-01-01 00:00:00 Directories: 0 File references: 1 #1: Name: \VOLUME{01d8e97614061ec7-7c141bd8} Serial: 7C141BD8 Created: 2022-10-26 20:03:55 Directories: 7 File references: 52 Directories referenced: 7 00: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS 01: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\FONTS 02: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\GLOBALIZATION 03: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\GLOBALIZATION\SORTING 04: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32 05: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\EN-US 06: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\WINSXS\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.19041.1110_NONE_60B5254171F9507E Files referenced: 48 00: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\NTDLL.DLL 01: \VOLUME{0000000000000000-340060b2}\ADEXPLORER64.EXE (Executable: True) 02: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\KERNEL32.DLL 03: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\KERNELBASE.DLL 04: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\LOCALE.NLS 05: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\RPCRT4.DLL 06: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\USER32.DLL 07: \VOLUME{01d8e97614061ec7-7c141bd8}\WINDOWS\SYSTEM32\NETAPI32.DLL ... Last updated 2 years ago --- # Login History | Windows Forensic Handbook [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) Last updated 2 years ago --- # Stored Passwords/Secrets | Windows Forensic Handbook Last updated 2 years ago --- # EventID 2073: Firewall Rule Modified | Windows Forensic Handbook This event indicates that a Windows Defender Firewall rule has been modified. While currently unique to newer versions of Windows 11, it is functionally similar to: [EventID 2005: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall) Last updated 2 years ago --- # Wireless Activity | Windows Forensic Handbook Last updated 2 years ago --- # EventID 2052: Firewall Rule Deleted | Windows Forensic Handbook This event indicates that a firewall rule has been deleted from the Windows Firewall. While currently unique to newer versions of Windows 11, it is functionally similar to: [EventID 2006: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall) Last updated 2 years ago --- # Last Executed | Windows Forensic Handbook [Prefetch](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch) [Background Activity Montitor](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam) [AutomaticDestinations Jumplists](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations) [Task Scheduler Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files) [Task Scheduler Operational Log](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log) Last updated 2 years ago --- # Logon ID | Windows Forensic Handbook [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) [EventID 4688: A new process has been created](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created) Last updated 2 years ago --- # Bookmarks | Windows Forensic Handbook [Firefox places.sqlite Database](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/browser-activity/history/firefox-places-sqlite) Last updated 2 years ago --- # Destination Identification | Windows Forensic Handbook [EventID 1024: RDP ClientActiveX is trying to connect to the server](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex) Last updated 2 years ago --- # Network Activity | Windows Forensic Handbook [Evidence of Network Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity) [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification) [Destination Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/destination-identification) [Transmit Volume](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/transmit-volume) [Firewall Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/firewall-activity) [Wireless Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/wireless-activity) Last updated 2 years ago --- # Event ID 7045: Service Installed | Windows Forensic Handbook This event, logged to the `System` channel, is produced when a new service is installed on the system. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install#analysis-value) Analysis Value --------------------------------------------------------------------------------------------------------------------------------------------------------- [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install#operating-system-availability) Operating System Availability --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install#artifact-location-s) Artifact Location(s) -------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Winevt\Logs\System.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install#artifact-interpretation) Artifact Interpretation --------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Field Interpretation Reference `System/Security/UserID` This field provides the SID of the account that installed the new service. [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) `EventData/ImagePath` This field provides the full path to the executable that will be run when the new service is started. [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) There is no indication from this event alone that it was installed locally on the system itself, and services may be installed remotely leveraging utilities such as `sc.exe`. In the event that the new service was installed remotely, as [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) event may be logged before the new service is installed with a `LogonType` of 3. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install#example) Example ------------------------------------------------------------------------------------------------------------------------------------------- In the following example, the following command was executed on a domain controller: Copy sc.exe \\WKS10-01 create mynewservice binpath= c:\temp\example.exe start= auto displayname= "My new service" This installed a new service on the system WKS10-01, generating the following [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) event: Copy - - 4624 2 0 12544 0 0x8020000000000000 9719 Security WKS10-01.hlab.com - S-1-0-0 - - 0x0 S-1-5-21-3829912423-625253200-3062624365-1105 mvanburanadm HLAB0xe4d79 3 NtLmSsp NTLM HLDC01-WS2K19 {00000000-0000-0000-0000-000000000000} - NTLMV2 128 0x0 - 172.16.100.10 49757 %%1833 - - - %%1843 0x0 %%1842 As well as the following [Event ID 7045: Service Installed](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install) event in the `System` channel: Copy - - 7045 0 4 0 0 0x8080000000000000 1033 System WKS10-01.hlab.com - Mynewservice c:\temp\example.exe usermodeservice autostart LocalSystem This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # Transmit Volume | Windows Forensic Handbook [System Resource Usage Monitor (SRUM)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db) Last updated 2 years ago --- # EventID 1024: RDP ClientActiveX is trying to connect to the server | Windows Forensic Handbook This event, logged to the `TerminalServices-RDPClient/Operational` channel, is logged when an RDP session is attempted to a remote endpoint. This event is logged on the **source** endpoint. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [Evidence of Network Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity) [Destination Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/destination-identification) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ * `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- This artifact can provide the **destination** IP address (or hostname) of an _attempted_ RDP session. It will also provide the SID of the user who initiated the _attempted_ connection, as well as the ProcessID associated with this activity. This event is logged regardless of success or failure of the RDP session, and must be cross-referenced with other events such as [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) on the destination host. If available, a successful RDP authentication is indicated by the event ID `TerminalServices-RDPClient/Operational/1027: Connected to domain`. To correlate these two Event IDs, compare their `Correlation ActivityID` field values. When the RDP session is ended, either due to a failure to connect, a failure to successfully authenticate, or a manual close of the session, `TerminalServices-RDPClient/Operational/1105: The multi-transport connection has been disconnected` and `TerminalServices-RDPClient/Operational/1026: RDP ClientActiveX has been disconnected` should be logged, and is likewise able to be correlated by its `Correlation ActivityID` field. This allows for determining a time span during which an RDP session was in progress. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex#example) Example ----------------------------------------------------------------------------------------------------------------------------------------------------------- In the following example, the user with SID `S-1-5-21-3471133136-2963561160-3931775028-1001` attempted to RDP to a system at IP address `192.168.116.74`. The connection was not successful, resulting in `TerminalServices-RDPClient/Operational/1026: RDP ClientActiveX has been disconnected` being logged with the same `Correlation ActivityID` value of `{780cf827-0ed1-4f4b-924c-3b14e7660000}`. Copy - - 1024 0 4 101 10 0x4000000000000000 1641 Microsoft-Windows-TerminalServices-RDPClient/Operational HLPC01 - Server Name 192.168.116.74 Info Copy - - 1026 0 4 101 11 0x4000000000000000 1643 Microsoft-Windows-TerminalServices-RDPClient/Operational HLPC01 - Disconnect Reason 1 Info This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # System Enumeration | Windows Forensic Handbook [Select Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/select) [CurrentVersion Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/current-version) [ComputerName Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/computer-name) [Interfaces Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/interfaces) [NetworkCards Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/network-cards) [TimeZoneInformation Registry Key](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/time-zone-information) Last updated 2 years ago --- # Task Scheduler Operational Log | Windows Forensic Handbook The TaskScheduler/Operational event log channel provides detailed tracing of scheduled tasks on an endpoint. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log#analysis-value) Analysis Value ------------------------------------------------------------------------------------------------------------------------------------------------------- [Command Line Options](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/command-line-options) [First Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/first-executed) [Last Executed](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/last-executed) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [Execution Timestamp](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-timestamp) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log#operating-system-availability) Operating System Availability ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ❌ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------------------------------ * `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TaskScheduler%4Operational.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log#artifact-interpretation) Artifact Interpretation ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The following event IDs are useful to hunt for persistent implants on an endpoint: Event ID Description Information 106 Scheduled Task Created Origin Account/User 140 Scheduled Task Updated Origin Account/User 141 Scheduled Task Deleted Origin Account/User 200 Scheduled Task Executed Executable file path 201 Scheduled Task Execution Completed Executable file path This activity is also logged in the Security channel with more granular information, as follows: Event ID Description 4698 Scheduled Task Created 4702 Scheduled Task Updated 4699 Scheduled Task Deleted [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log#caveats) Caveats ----------------------------------------------------------------------------------------------------------------------------------------- Logging for these events is disabled by default and must be enabled to provide these artifacts. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log#analysis-tips) Analysis Tips ----------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log#deleted-scheduled-tasks) Deleted Scheduled Tasks Scheduled task deletion is a rare event on Windows systems and provides an easy to query, high-fidelity indicator of suspicious activity. The following event IDs may be queried: * `Windows-TaskScheduler\Operational Event 141: Scheduled Task Deleted` * `Security Event 4699: Scheduled Task Deleted` ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log#software-installation-uninstallation) Software Installation/Uninstallation When applications are installed on a Windows system, they will sometimes create a scheduled task to run their update functionality, making the Task Scheduler Operational log a possible option for cross-validation of other application installation artifacts such as the `Uninstall` registry key. ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log#lateral-movement-through-remote-scheduled-task-installation) Lateral Movement through Remote Scheduled Task Installation In the event that tasks are remotely scheduled, as is commonly seen during lateral movement attempts, this activity may be identified by observing Type 3 logons via [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) events in close proximity to task creation. Last updated 2 years ago --- # Parent and Child Information | Windows Forensic Handbook [EventID 4688: A new process has been created](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created) [EventID 1024: RDP ClientActiveX is trying to connect to the server](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex) [EventID 2004: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall) [EventID 2005: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall) [EventID 2006: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall) [EventID 2071: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2071-firewall-windows-11) [EventID 2073: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11) [EventID 2052: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11) [EventID 9707: Command Execution Started](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core) [EventID 4104: PowerShell Script Block Logging](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell/evtx-4104-script-block-logging) Last updated 2 years ago --- # EventID 24: Session has been disconnected | Windows Forensic Handbook This event, logged to the `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` channel, is logged when an RDP connection is terminated. This event is logged on the **destination** endpoint. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24#analysis-value) Analysis Value ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username) [Evidence of Network Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity) [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24#operating-system-availability) Operating System Availability ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24#artifact-location-s) Artifact Location(s) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24#artifact-interpretation) Artifact Interpretation ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Field Interpretation Reference `UserData/EventXML/User` This field logs only the username and domain that the RDP connection had. [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username) `UserData/EventXML/Address` This field provides the **source** IP address of an RDP session. [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification) `UserData/EventXML/SessionID` This field provides the Session ID, which can be used to correlate between other events in the same log provider. `System/Correlation ActivityID` Provides the ActivityID for the RDP session. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24#analysis-tips) Analysis Tips -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24#correlation-by-activityid) Correlation by ActivityID This event logs an ActivityID, available in the XML path `System/Correlation ActivityID`. This may be used to correlate activity between other events logged that are related to this activity, such as: [EventID 1149: User Authentication Succeeded](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149) ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24#rdp-activity-timeline) RDP Activity Timeline Together with [EventID 21: Session logon succeeded](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21) , by correlating the `SessionID` field of both events, one can determine the start and end time of an RDP session. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24#example) Example -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Copy - - 24 0 4 0 0 0x1000000000000000 1544 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational HLPC01 - - HLPC01\john.doe 4
192.168.180.57
This example was produced on Windows 10, Version 10.0.19044 Build 19044 - 4104 1 5 2 15 0x0 194 Microsoft-Windows-PowerShell/Operational DESKTOP-TUMSOE7 - 1 1 Invoke-WebRequest -Uri "https://example.com" -OutFile "C:\Temp\test.exe" 808e4d85-977e-4418-9218-59dd2aa1b0ef This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # EventID 1149: User Authentication Succeeded | Windows Forensic Handbook This event, logged to the `Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational` channel, is logged when an RDP connection is established. Despite its name, this event does not indicate a successfully authenticated RDP session has taken place, only that the channel has been established for an RDP attempt to be made. This event is logged on the **destination** endpoint. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149#analysis-value) Analysis Value ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username) [Evidence of Network Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity) [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149#operating-system-availability) Operating System Availability ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149#artifact-location-s) Artifact Location(s) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-RemoteConnectionManager%4Operational.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149#artifact-interpretation) Artifact Interpretation ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Field Interpretation Reference `UserData/EventXML/Param1` This field logs only the username and domain for the RDP session. [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username) `UserData/EventXML/Param3` This field provides the **source** IP address of an RDP session. [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification) `System/Correlation ActivityID` Provides the ActivityID for the RDP session. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149#analysis-tips) Analysis Tips --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149#correlation-by-activityid) Correlation by ActivityID This event logs an ActivityID, available in the XML path `System/Correlation ActivityID`. This may be used to correlate activity between other events logged that are related to this activity, such as: [EventID 21: Session logon succeeded](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21) [EventID 24: Session has been disconnected](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24) This event is logged regardless of success or failure of the RDP session, and must be cross-referenced with other events such as: [EventID 21: Session logon succeeded](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21) [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149#example) Example --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Copy - - 1149 0 4 0 0 0x1000000000000000 241 Microsoft-Windows-TerminalServices-RemoteConnectionManager/Operational HLPC01 - - john.doe 192.168.180.57 This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # EventID 9707: Command Execution Started | Windows Forensic Handbook This event indicates that a logon task defined in [Run/RunOnce Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce) has executed. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core#analysis-value) Analysis Value -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [Command Line Options](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/command-line-options) [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [Execution Timestamp](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-timestamp) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core#operating-system-availability) Operating System Availability -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core#artifact-location-s) Artifact Location(s) ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core#artifact-interpretation) Artifact Interpretation -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Field Interpretation Reference `System/Security/UserID` This field provides the SID of the account that the logon task executed under. [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) `EventData/Command` This field shows the full command line options of the task that was run. [Command Line Options](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/command-line-options) `System/Execution/ProcessID` This field provides the process ID that the task ran with. [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) `System/Execution/ThreadID` This field provides the thread ID that the task ran with. [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) The timestamp of the event indicates the time at which the task was executed. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core#example) Example ------------------------------------------------------------------------------------------------------------------------------------------------------------ On an example system, the following registry key exists: Copy Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\exampletask Value: "C:\Temp\example.exe" -silent During a user logon, the following `Microsoft-Windows-Shell-Core/Operational/9707` event is logged: Copy - - 9707 0 4 9707 1 0x2000000004010000 21933 Microsoft-Windows-Shell-Core/Operational HLPC01 - example.exe" -silent This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # Execution Account | Windows Forensic Handbook [Background Activity Montitor](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam) [System Resource Usage Monitor (SRUM)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db) [AutomaticDestinations Jumplists](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations) [Task Scheduler Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files) [EventID 4688: A new process has been created](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created) [EventID 2004: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall) [EventID 2005: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall) [EventID 2006: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall) [EventID 2071: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2071-firewall-windows-11) [EventID 2073: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11) [EventID 2052: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11) [EventID 9707: Command Execution Started](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core) Last updated 2 years ago --- # EventID 21: Session logon succeeded | Windows Forensic Handbook This event, logged to the `Microsoft-Windows-TerminalServices-LocalSessionManager/Operational` channel, is logged when an RDP connection is successfully authenticated. This event is logged on the **destination** endpoint. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21#analysis-value) Analysis Value ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username) [Evidence of Network Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity) [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21#operating-system-availability) Operating System Availability ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ✅ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21#artifact-location-s) Artifact Location(s) --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21#artifact-interpretation) Artifact Interpretation ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Field Interpretation Reference `UserData/EventXML/User` This field logs only the username and domain that the RDP connection was attempting to establish a session for. [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username) `UserData/EventXML/Address` This field provides the **source** IP address of an RDP session. [Source Identification](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/source-identification) `UserData/EventXML/SessionID` This field provides the Session ID, which can be used to correlate between other events in the same log provider. `System/Correlation ActivityID` Provides the ActivityID for the RDP session. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21#analysis-tips) Analysis Tips -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21#correlation-by-activityid) Correlation by ActivityID This event logs an ActivityID, available in the XML path `System/Correlation ActivityID`. This may be used to correlate activity between other events logged that are related to this activity, such as: [EventID 1149: User Authentication Succeeded](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-remoteconnectionmanager/terminal-services-remote-1149) ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21#rdp-activity-timeline) RDP Activity Timeline Together with [EventID 24: Session has been disconnected](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-24) , by correlating the `SessionID` field of both events, one can determine the start and end time of an RDP session. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-localsessionmanager/terminal-services-local-21#example) Example -------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Copy - - 21 0 4 0 0 0x1000000000000000 1520 Microsoft-Windows-TerminalServices-LocalSessionManager/Operational HLPC01 - - HLPC01\john.doe 4
192.168.180.57
This example was produced on Windows 10, Version 10.0.19044 Build 19044 - S-1-5-18 HLPC01$ WORKGROUP 0x3e7 S-1-5-21-3471133136-2963561160-3931775028-1001 user HLPC01 0x34358d 2 User32 Negotiate HLPC01 {00000000-0000-0000-0000-000000000000} - - 0 0x7e4 C:\Windows\System32\svchost.exe 127.0.0.1 0 %%1833 - - - %%1843 0x3435b7 %%1842 This example was produced on Windows 10, Version 10.0.19044 Build 19044 In situations when cached credentials were used to authenticate a session, the physical logon might look like this: Field Value EventData/LogonType 11 EventData/ProcessName C:\\Windows\\System32\\svchost.exe EventData/IpAddress 127.0.0.1 Copy - - S-1-5-18 WKS10-01$ HLAB 0x3e7 S-1-5-21-3829912423-625253200-3062624365-1107 ablaser HLAB 0x4d742 11 User32 Negotiate WKS10-01 {00000000-0000-0000-0000-000000000000} - - 0 0x6ec C:\Windows\System32\svchost.exe 127.0.0.1 0 %%1833 - - - %%1843 0x0 %%1843 This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044 ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon#runas-activity) RunAs Activity `RunAs` is a command-line utility used to execute programs with different permissions. Using `RunAs` to perform this action will also result in a type 2 logon. In the following example, take note of the `EventData/SubjectUserName` field, which indicated what user executed `RunAs`. The `EventData/TargetUserName` field contains the account name whose credentials were used. In addition, the `EventData/SubjectLogonId` is the same as the `EventData/TargetLogonId` in the previous example of cached credential authentication. This indicates that `HLAB\ablaser` authenticated to the system, and then used `RunAs` to run a command as `HLAB\mvanburanadm`. Copy - - S-1-5-21-3829912423-625253200-3062624365-1107 ablaser HLAB 0x4d742 S-1-5-21-3829912423-625253200-3062624365-1105 mvanburanadm HLAB 0xc0cd5 2 seclogo Negotiate WKS10-01 {22acd001-6c49-8d9e-8c4f-c1fd908d1c0e} - - 0 0x2108 C:\Windows\System32\svchost.exe ::1 0 %%1833 - - - %%1843 0xc0f24 %%1842 This example was produced on Windows 10 Pro, Version 10.0.19044 Build 19044 ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon#remote-desktop-logons) Remote Desktop Logons The appearance of Remote Desktop activity from this artifact depends on several factors: * For new RDP logons, a type 10 logon event is logged * For pre-existing logons, a type 7 logon event is logged * Assuming Network Level Authentication (NLA) is required on the system for RDP, there will be a type 3 logon event preceeding either the type 7 or type 10 event For example, an RDP session from another system on the local network (172.16.200.2), with NLA enabled, and with a previous RDP session that was not formally logged out would create the following two events: Type 3 Logon Event Copy - - S-1-0-0 - - 0x0 S-1-5-21-3829912423-625253200-3062624365-1105 mvanburanadm HLAB 0x4f5277 3 NtLmSsp NTLM HLNAS01-WS2K19 {00000000-0000-0000-0000-000000000000} - NTLM V2 128 0x0 - 172.16.200.2 0 %%1833 - - - %%1843 0x0 %%1842 Type 7 Logon Event (Unlocked) Copy - - S-1-5-18 WKS10-01$ HLAB 0x3e7 S-1-5-21-3829912423-625253200-3062624365-1105 mvanburanadm HLAB 0x4fbf34 7 User32 Negotiate WKS10-01 {00000000-0000-0000-0000-000000000000} - - 0 0x6ec C:\Windows\System32\svchost.exe 172.16.200.2 0 %%1833 - - - %%1843 0x4fbf85 %%1842 This example was produced on Windows Server 2019 Standard, Version 10.0.17763 Build 17763 If there was not a previous and still active RDP connection, the Type 7 Logon event would have instead been logged as a Type 10 Logon event. ### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon#file-server-access) File Server Access In the event that a remote system authenticates to a file server to access file shares, the resulting Logon event will be of Type 3, with the IP address of the authenticating system in the `EventData\IpAddress` field. This can be useful for auditing potential file access on network shares. Last updated 2 years ago --- # EventID 2006: Firewall Rule Deleted | Windows Forensic Handbook This event indicates that a firewall rule has been deleted. In recent builds of Windows 11, this event has been replaced by a new Event ID: [EventID 2052: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall#analysis-value) Analysis Value ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [Firewall Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/firewall-activity) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall#operating-system-availability) Operating System Availability ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ⚠️ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall#artifact-location-s) Artifact Location(s) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall#artifact-interpretation) Artifact Interpretation ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Field Interpretation Reference `System/Security/UserID` Provides the Security Identifier (SID) of the account that deleted the firewall rule. [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) `EventData/ModifyingUser` Provides the Security Identifier (SID) of the account that deleted the firewall rule. [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) `EventData/ModifyingApplication` Provides the full image path of the process that deleted the firewall rule. [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) `System/Execution/ProcessID` Provides the Process ID of the application that deleted the firewall rule. [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) `System/Execution/ThreadID` Provides the Thread ID of the application that deleted the firewall rule. [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) The presence of this event indicates that the system's firewall was modified by deleting a rule. This may be indicative of attacker activity. There are many legitimate processes such as `svchost.exe` that will be observed modifying the Windows Firewall, so this event should be correlated with others to determine if the activity is legitimate or not. The following additional fields are available in this event: XML Path Interpretation `EventData/RuleId` The GUID of the deleted firewall rule `EventData/RuleName` The name for the deleted firewall rule as it appeared in the Windows Firewall [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall#example-windows-10) Example - Windows 10 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- On an example system, an existing Windows Firewall rule was deleted from within the Windows Defender Firewall with Advanced Security control panel, causing the following event to be logged: Copy - - 2006 0 4 0 0 0x8000020000000000 6669 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall HLPC01 - {8736B31E-8792-452E-8D2D-C45621F236AF} Open SSH Port 22 S-1-5-21-3471133136-2963561160-3931775028-1001 C:\Windows\System32\mmc.exe This example was produced on Windows 10, Version 10.0.19044 Build 19044 [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall#example-windows-11) Example - Windows 11 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The same activity, when reproduced on a Windows 11 system, results in the following event being logged: Copy - - 2052 0 4 0 0 0x8000020000000000 552 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall W11 - {0D458E97-4EC5-4C5C-A5A4-F9F73E769168} Open SSH Port 22 S-1-5-21-937911350-1118943250-2293061635-1001 C:\Windows\System32\mmc.exe 0 This example was produced on Windows 11, Version 10.0.22621 Build 22621 Last updated 2 years ago --- # EventID 4688: A new process has been created | Windows Forensic Handbook This event, logged to the `Security` channel, indicates a process was created on the system. This event requires the `Audit Process Creation` policy to be configured, which is by default not configured. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#analysis-value) Analysis Value ----------------------------------------------------------------------------------------------------------------------------------------------------------- [Logon ID](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/logon-id) [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [Command Line Options](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/command-line-options) [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [Execution Timestamp](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-timestamp) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#operating-system-availability) Operating System Availability ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ⚠️ Server 2019 ⚠️ Windows 10 ⚠️ Server 2016 ⚠️ Windows 8 ⚠️ Server 2012 ⚠️ Windows 7 ⚠️ Server 2008 ⚠️ Windows Vista ⚠️ Server 2003 ⚠️ Windows XP ⚠️ In Windows XP/Windows Server 2003, the corresponding Event ID is `592`. For the events to contain the full command line for each logged process, an additional policy called `Include command line in process creation events` must also be configured. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#artifact-location-s) Artifact Location(s) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Winevt\Logs\Security.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#artifact-interpretation) Artifact Interpretation ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Field Interpretation Reference `EventData/SubjectLogonId` Provides the LogonID of the account that spawned the new process [Logon ID](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/logon-id) `EventData/NewProcessName` Provides the full path of the application that was spawned [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) `EventData/CommandLine` The command line that spawned the new process [Command Line Options](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/command-line-options) `EventData/SubjectUserSid` The SID of the account that spawned the process [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) `EventData/SubjectUserName` The username of the account that spawned the new process [Username](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/username) `EventData/SubjectDomainName` The domain name of the account that spawned the new process, if it exists. If the user is not a domain user, this field will be `-` `EventData/TokenElevationType` The token elevation type, related to UAC (see [Analysis Tips](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#analysis-tips) ) EventData/`NewProcessID` The process ID of the newly spawned process [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) EventData/`ProcessID` The process ID of the parent process [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#analysis-tips) Analysis Tips --------------------------------------------------------------------------------------------------------------------------------------------------------- #### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#tokenelevationtype-and-uac) TokenElevationType and UAC The `EventData\TokenElevationType` field relates to UAC. The following interpretations are made possible by this field: * `%%1936` indicates that UAC is disabled on the system, or that the local administrator account launched the process. * `%%1937` indicates that the user manually ran the process as an administrator, or that the program requested administrative privileges upon execution. * `%%1938` indicates that the process did not run with administrator privileges. In the event that UAC was used to elevate permissions in order to execute an application, this information will be stored in the `Target` fields instead. #### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#command-line-options) Command Line Options In the event that Process Tracking is enabled (defaults to disabled), the full command line will be available in the `Process Command Line` field. In order for this to be available, the system's policy must be enabled under `Computer Configuration/Administrative Templates/System/Audit Process Creation/Include command line in process creation events`. #### [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#process-tree) Process Tree The `ProcessID` and New`ProcessID` fields may be used to create a timeline of processes. [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created#examples) Examples ----------------------------------------------------------------------------------------------------------------------------------------------- In the following example, `notepad.exe` was launched by a user through Explorer. Copy - - 4688 2 0 13312 0 0x8020000000000000 16044222 Security HLPC01 - S-1-5-21-3471133136-2963561160-3931775028-1001 john.doe HLPC01 0xd91ae 0x5194 C:\Windows\System32\notepad.exe %%1938 0x25d0 "C:\Windows\system32\notepad.exe" S-1-0-0 - - 0x0 C:\Windows\explorer.exe S-1-16-8192 This example was produced on Windows 10, Version 10.0.19044 Build 19044 In the following example, `regedit.exe` was launched by a user through the command line. Note the `TokenElevationType` has a value of `%%1937`, indicating they were likely prompted for administrative credentials/permissions. This also causes the user information to be stored in the `Target` fields, as opposed to the `Subject` fields as seen in the previous example. Copy - - 4688 2 0 13312 0 0x8020000000000000 16044760 Security HLPC01 - S-1-5-18 HLPC01$ WORKGROUP 0x3e7 0x4c7c C:\Windows\regedit.exe %%1937 0x4e24 "C:\Windows\regedit.exe" S-1-5-21-3471133136-2963561160-3931775028-1001 john.doe HLPC01 0xd9173 C:\Windows\System32\cmd.exe S-1-16-12288 This example was produced on Windows 10, Version 10.0.19044 Build 19044 Last updated 2 years ago --- # Evidence of Execution | Windows Forensic Handbook [Prefetch](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch) [Amcache.hve](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache) [System Resource Usage Monitor (SRUM)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db) [Background Activity Montitor](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam) [AutomaticDestinations Jumplists](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations) [Task Scheduler Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files) [Task Scheduler Operational Log](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log) [Windows Error Reporting Files (.WER)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files) [Tracing Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys) [EventID 4688: A new process has been created](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created) [EventID 2004: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall) [EventID 2005: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall) [EventID 2006: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall) [EventID 2071: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2071-firewall-windows-11) [EventID 2073: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11) [EventID 2052: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11) [EventID 9707: Command Execution Started](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core) [EventID 4104: PowerShell Script Block Logging](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-powershell/evtx-4104-script-block-logging) Last updated 2 years ago --- # EventID 2005: Firewall Rule Modified | Windows Forensic Handbook This event indicates that a firewall rule has been modified. The contents of this event will contain the new parameters of the firewall rule. In recent builds of Windows 11, this event has been replaced by a new Event ID: [EventID 2073: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall#analysis-value) Analysis Value ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [Firewall Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/firewall-activity) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall#operating-system-availability) Operating System Availability ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ⚠️ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall#artifact-location-s) Artifact Location(s) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall#artifact-interpretation) Artifact Interpretation ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Field Interpretation Reference `System/Security/UserID` Provides the Security Identifier (SID) of the account that modified the firewall rule. [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) `EventData/ModifyingUser` Provides the Security Identifier (SID) of the account that modified the firewall rule. [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) `EventData/ModifyingApplication` Provides the full image path of the process that modified the firewall rule. [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) `System/Execution/ProcessID` Provides the Process ID of the application that modified the firewall rule. [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) `System/Execution/ThreadID` Provides the Thread ID of the application that modified the firewall rule. [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) The presence of this event indicates that the system's firewall was modified by editing a rule. This may be indicative of attacker activity. There are many legitimate processes such as `svchost.exe` that will be observed modifying the Windows Firewall, so this event should be correlated with others to determine if the activity is legitimate or not. The following additional fields are available in this event: XML Path Interpretation `EventData/RuleId` A GUID for the firewall rule `EventData/RuleName` The name for the firewall rule as it appears in the Windows Firewall `EventData/Direction` 1 for inbound rules and 2 for outbound rules `EventData/Profiles` What profiles (Private/Domain/Public) this rule applies to. `EventData/Active` 0 for disabled rules and 1 for enabled rules `EventData/Action` 3 for allow and 2 for block `EventData/SecurityOptions` 0 for none and 1 for require authentication `EventData/ApplicationPath` If the rule applies only to a specific application it will be listed here `EventData/ServiceName` If the rule applies only to a specific service it will be listed here [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall#example-windows-10) Example - Windows 10 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- On an example system, an existing Windows Firewall rule was modified from within the Windows Defender Firewall with Advanced Security control panel, causing the following event to be logged: Copy - - 2005 0 4 0 0 0x8000020000000000 6668 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall HLPC01 - {8736B31E-8792-452E-8D2D-C45621F236AF} Open SSH Port 22 1 1 6 22 * 2 2147483647 * * 0 0 0 0 0 S-1-5-21-3471133136-2963561160-3931775028-1001 C:\Windows\System32\mmc.exe 542 65536 0 This example was produced on Windows 10, Version 10.0.19044 Build 19044 [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall#example-windows-11) Example - Windows 11 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- On an example system, an existing Windows Firewall rule was modified from within the Windows Defender Firewall with Advanced Security control panel, causing the following event to be logged: Copy - - 2073 0 4 0 0 0x8000020000000000 550 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall W11 - {0D458E97-4EC5-4C5C-A5A4-F9F73E769168} Open SSH Port 22 1 1 6 22 * 3 2147483647 * * 0 0 0 0 0 S-1-5-21-937911350-1118943250-2293061635-1001 C:\Windows\System32\mmc.exe 544 65536 0 0 This example was produced on Windows 11, Version 10.0.22621 Build 22621 Last updated 2 years ago --- # EventID 2004: Firewall Rule Added | Windows Forensic Handbook This event indicates that a new firewall rule has been added to the Windows Firewall. In recent builds of Windows 11, this event has been replaced by a new Event ID: [EventID 2071: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2071-firewall-windows-11) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall#analysis-value) Analysis Value ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) [Execution Account](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/execution-account) [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) [Evidence of Execution](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/evidence-of-execution) [Firewall Activity](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/network-activity/firewall-activity) [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall#operating-system-availability) Operating System Availability ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Major Version Support Major Version Support Windows 11 ⚠️ Server 2019 ✅ Windows 10 ✅ Server 2016 ✅ Windows 8 ✅ Server 2012 ✅ Windows 7 ✅ Server 2008 ✅ Windows Vista ✅ Server 2003 ❌ Windows XP ❌ [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall#artifact-location-s) Artifact Location(s) ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- * `%SystemRoot%\System32\Winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx` [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall#artifact-interpretation) Artifact Interpretation ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- Field Interpretation Reference `System/Security/UserID` Provides the Security Identifier (SID) of the account that added the new firewall rule. [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) `EventData/ModifyingUser` Provides the Security Identifier (SID) of the account that added the new firewall rule. [Security Identifier](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/account-activity/security-identifier) `EventData/ModifyingApplication` Provides the full image path of the process that added the new firewall rule. [File Path](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/file-activity/file-path) `System/Execution/ProcessID` Provides the Process ID of the application that created the new firewall rule. [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) `System/Execution/ThreadID` Provides the Thread ID of the application that created the new firewall rule. [Parent and Child Information](https://psmths.gitbook.io/windows-forensics/artifacts-by-activity/execution/parent-and-child-information) The presence of this event indicates that the system's firewall was modified by adding a new rule. This may be indicative of attacker activity. There are many legitimate processes such as `svchost.exe` that will be observed modifying the Windows Firewall, so this event should be correlated with others to determine if the activity is legitimate or not. The following additional fields are available in this event: XML Path Interpretation `EventData/RuleId` A GUID for the new firewall rule `EventData/RuleName` The name for the firewall rule as it appears in the Windows Firewall `EventData/Direction` 1 for inbound rules and 2 for outbound rules `EventData/Profiles` What profiles (Private/Domain/Public) this rule applies to. `EventData/Active` 0 for disabled rules and 1 for enabled rules `EventData/Action` 3 for allow and 2 for block `EventData/SecurityOptions` 0 for none and 1 for require authentication `EventData/ApplicationPath` If the rule applies only to a specific application it will be listed here `EventData/ServiceName` If the rule applies only to a specific service it will be listed here [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall#example-windows-10) Example - Windows 10 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- On an example system, a new Windows Firewall rule was added from the command line, causing the following event to be logged: Copy - - 2004 0 4 0 0 0x8000020000000000 6661 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall HLPC01 - {8736B31E-8792-452E-8D2D-C45621F236AF} Open SSH Port 22 1 1 6 22 * 3 2147483647 * * 1 1 0 0 0 S-1-5-21-3471133136-2963561160-3931775028-1001 C:\Windows\System32\netsh.exe 542 65536 0 This example was produced on Windows 10, Version 10.0.19044 Build 19044 The following command was executed to create the new firewall rule: Copy netsh advfirewall firewall add rule name="Open SSH Port 22" dir=in action=allow protocol=TCP localport=22 remoteip=any [](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall#example-windows-11) Example - Windows 11 --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- The same command, when executed on a Windows 11 system, results in the following event being logged: Copy - - 2071 0 4 0 0 0x8000020000000000 545 Microsoft-Windows-Windows Firewall With Advanced Security/Firewall W11 - {0D458E97-4EC5-4C5C-A5A4-F9F73E769168} Open SSH Port 22 1 1 6 22 * 3 2147483647 * * 1 1 0 0 0 S-1-5-21-937911350-1118943250-2293061635-1001 C:\Windows\System32\netsh.exe 544 65536 0 0 This example was produced on Windows 11, Version 10.0.22621 Build 22621 Last updated 2 years ago --- # Security Identifier | Windows Forensic Handbook [Background Activity Montitor](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam) [System Resource Usage Monitor (SRUM)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db) [Recycle Bin $I/$R Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files) [EventID 4688: A new process has been created](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4688-process-created) [EventID 4624: An account was successfully logged on](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/security/evtx-4624-successful-logon) [Event ID 7045: Service Installed](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install) [EventID 1024: RDP ClientActiveX is trying to connect to the server](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/terminalservices-rdpclient/evtx-1024-rdp-activex) [EventID 2004: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall) [EventID 2005: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall) [EventID 2006: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall) [EventID 2071: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2071-firewall-windows-11) [EventID 2073: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11) [EventID 2052: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11) [EventID 9707: Command Execution Started](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-shell-core/evtx-9707-shell-core) Last updated 2 years ago --- # File Path | Windows Forensic Handbook [USN Journal](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/usn-journal) [Prefetch](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch) [Amcache.hve](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/amcache) [Background Activity Montitor](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam) [System Resource Usage Monitor (SRUM)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/srum-db) [AutomaticDestinations Jumplists](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/automatic-destinations) [Recycle Bin $I/$R Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/recycle-bin-files) [Image File Execution Options Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/image-file-execution-options) [Task Scheduler Files](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/task-scheduler-files) [Windows Error Reporting Files (.WER)](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/wer-files) [Run/RunOnce Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/reg-run-runonce) [Services Registry Keys](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/registry-services) [Task Scheduler Operational Log](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/task-scheduler-operational-log) [Event ID 7045: Service Installed](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/system/evtx-7045-service-install) [EventID 2004: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2004-firewall) [EventID 2005: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2005-firewall) [EventID 2006: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2006-firewall) [EventID 2071: Firewall Rule Added](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2071-firewall-windows-11) [EventID 2073: Firewall Rule Modified](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2073-firewall-windows-11) [EventID 2052: Firewall Rule Deleted](https://psmths.gitbook.io/windows-forensics/artifacts-by-type/event-log-artifacts/microsoft-windows-windows-firewall-with-advanced-security/evtx-2052-firewall-windows-11) Last updated 2 years ago ---