BAM

Background Activity Moderator

What Is BAM?

Background Activity Moderator (BAM) is a Windows service that controls the activity of background applications. The service was first introduced in Windows 10, specifically with the Fall Creators Update (version 1709).

Forensic Value:

  • Date - Time and date the executable was run.

  • Date Description - Detailed explanation of the Date attribute.

  • Program - Executable that was run. This attribute contains the path of the executable.

  • Description - Detailed description of the executable.

  • Source - Source of the artifact.

File Location:

Newer Windows 10 Systems

  • File: %SystemRoot%\System32\config\SYSTEM

  • BAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\state\UserSettings\{USER_SID}

  • DAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\state\UserSettings\{USER_SID}

Older Windows 10 Systems

  • File: %SystemRoot%\System32\config\SYSTEM

  • BAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\UserSettings\{USER_SID}

  • DAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\UserSettings\{USER_SID}

Parse Data

  • RegistryExplorer (Eric Zimmerman)

Considerations

  • Each user-specific executable entry is stored under the corresponding user SID key.

  • BAM entries are only populated for locally run executables. Launching executables on network shares or removable media will not generate BAM entries.

  • Console applications that are launched through a command line interface will not have BAM/DAM entries.

  • BAM entries are removed if an executable is removed from its original location; and entries older than 7 days are removed when Windows boots.

  • Entries are deleted upon reboot if the executable is deleted.

The Execution Time as seen in RegistryExplorer represents the most recent time of execution for the binary, in UTC. The Program field represents the full path to the binary.

Based on testing, this execution time is written upon process creation, and again on termination.

Example: Execution Timestamp

  • Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-3471133136-2963561160-3931775028-1001

  • Key: \Device\HarddiskVolume4\Program Files\PuTTY\putty.exe

  • Type: REG_BINARY

  • Value: 60-9F-62-A8-FB-6C-D9-01-00-00-00-00-00-00-00-00-00-00-00-00-02-00-00-00

The 64-bit FILETIME timestamp 60-9F-62-A8-FB-6C-D9-01 (the first 8 bytes, little-endian) resolves to Wed 12 April 2023 05:00:10 UTC, which is the last known execution of the binary putty.exe.

This example was produced on Windows 10, Version 10.0.19044, Build 19044.
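The same decoding as a stand-alone script, added here as an example and not part of the original page: it takes the dash-separated REG_BINARY value and key path shown above, reads the first 8 bytes as a little-endian FILETIME, converts it to UTC, and pulls the user SID out of the key path (both the newer State\UserSettings and the older UserSettings layouts). The sample values are the PuTTY entry above; the trailing 16 bytes are kept raw because this page does not document them.

```python
import re
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: the PuTTY entry from the example above.
SAMPLE_KEY_PATH = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State"
                   r"\UserSettings\S-1-5-21-3471133136-2963561160-3931775028-1001")
SAMPLE_PROGRAM = r"\Device\HarddiskVolume4\Program Files\PuTTY\putty.exe"
SAMPLE_VALUE = "60-9F-62-A8-FB-6C-D9-01-00-00-00-00-00-00-00-00-00-00-00-00-02-00-00-00"


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime (microsecond precision)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_bam_value(hex_value):
    """Decode a BAM/DAM UserSettings REG_BINARY value written as dash-, space- or colon-separated hex."""
    raw = bytes.fromhex(re.sub(r"[\s:-]", "", hex_value))
    if len(raw) < 8:
        raise ValueError("BAM value shorter than a FILETIME: %d bytes" % len(raw))
    filetime = int.from_bytes(raw[:8], "little")  # first 8 bytes, little-endian
    return {
        "filetime": filetime,
        "last_execution_utc": filetime_to_datetime(filetime),
        "trailing_hex": raw[8:].hex(),  # kept raw; this page does not document these bytes
        "length": len(raw),
    }


def sid_from_key_path(key_path):
    """Pull the user SID out of a ...\\UserSettings\\<SID> key path (newer and older layouts)."""
    m = re.search(r"UserSettings\\(S-1-\d+(?:-\d+)+)", key_path)
    return m.group(1) if m else None


def describe_entry(key_path, program, hex_value):
    """Summarise one BAM entry the way an analyst would record it."""
    parsed = parse_bam_value(hex_value)
    return {
        "sid": sid_from_key_path(key_path),
        "program": program,
        "last_execution_utc": parsed["last_execution_utc"].strftime("%Y-%m-%d %H:%M:%S UTC"),
        "filetime_hex": "0x%016X" % parsed["filetime"],
    }


if __name__ == "__main__":
    for k, v in describe_entry(SAMPLE_KEY_PATH, SAMPLE_PROGRAM, SAMPLE_VALUE).items():
        print("%-19s %s" % (k + ":", v))
```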

CyberChef Recipe

Used to convert timestamps to human readable format.

[
  { "op": "From Hex",
    "args": ["Auto"] },
  { "op": "To Hex",
    "args": ["None", 0] },
  { "op": "Windows Filetime to UNIX Timestamp",
    "args": ["Milliseconds (ms)", "Hex (little endian)"] },
  { "op": "From UNIX Timestamp",
    "args": ["Milliseconds (ms)"] }
]

Anti-Forensics

  • Deletion of the BAM/DAM registry keys
