BAM
background activity monitor
Background Activity Moderator (BAM) is a Windows service that controls the activity of background applications. The service was first introduced in Windows 10 with the Fall Creators Update (version 1709).
Date - Time and date the executable was run.
Date Description - Detailed explanation of the Date attribute.
Program - Executable that was run. This attribute contains the path of the executable.
Description - Detailed description of the executable.
Source - Source of the artifact.
Newer Windows 10 Systems
File: %SystemRoot%\System32\config\SYSTEM
BAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\state\UserSettings\{USER_SID}
DAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\state\UserSettings\{USER_SID}
Older Windows 10 Systems
File: %SystemRoot%\System32\config\SYSTEM
BAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\UserSettings\{USER_SID}
DAM: SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\UserSettings\{USER_SID}
Windows 11: ✅
Windows 10: ⚠️
Windows 8: ❌
Windows 7: ❌
Windows Vista: ❌
Windows XP: ❌
Server 2019: ❌
Server 2016: ❌
Server 2012: ❌
Server 2008: ❌
Server 2003: ❌
RegistryExplorer (Eric Zimmerman)
Each user-specific executable is stored under the corresponding SID entry.
BAM entries are only populated for locally run executables. Launching executables on network shares or removable media will not generate BAM entries.
Console applications that are launched through a command line interface will not have BAM/DAM entries.
BAM entries are removed if an executable is removed from its original location, and entries older than 7 days are removed when Windows boots.
Entries are deleted upon reboot if the executable is deleted.
The Execution Time as seen in RegistryExplorer represents the most recent time of execution for the binary in UTC. The Program field represents the full path to the binary.
Based on testing, this execution time is written upon process creation, and again on termination.
Path: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-3471133136-2963561160-3931775028-1001
Key: \Device\HarddiskVolume4\Program Files\PuTTY\putty.exe
Type: REG_BINARY
Value: 60-9F-62-A8-FB-6C-D9-01-00-00-00-00-00-00-00-00-00-00-00-00-02-00-00-00
The 64-bit FILETIME timestamp 60-9F-62-A8-FB-6C-D9-01 resolves to Wed 12 April 2023 05:00:10 UTC, which is the last known execution of the binary putty.exe.
This example was produced on Windows 10, Version 10.0.19044 Build 19044.
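Decoding the value above by hand, as an added example that is not part of the original page: the first 8 bytes are a little-endian FILETIME, and the script below (parse_bam_value and filetime_to_datetime are names chosen here) turns the dash-separated hex string RegistryExplorer shows into a UTC datetime. The trailing 16 bytes are returned untouched because the page does not document their meaning.

```python
from datetime import datetime, timedelta, timezone
import struct

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME tick count to a timezone-aware UTC datetime."""
    if filetime == 0:
        return None  # a zero FILETIME carries no usable timestamp
    # timedelta resolves microseconds, so the sub-microsecond remainder is dropped
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_bam_value(reg_binary):
    """Decode a BAM UserSettings REG_BINARY value.

    Accepts either raw bytes or the dash-separated hex string shown by
    RegistryExplorer ('60-9F-62-...'). Only the leading 8 bytes are documented
    as the last execution time; the rest is handed back for inspection.
    """
    if isinstance(reg_binary, str):
        reg_binary = bytes.fromhex(reg_binary.replace("-", "").replace(" ", ""))
    if len(reg_binary) < 8:
        raise ValueError("BAM value shorter than a FILETIME (8 bytes)")
    (filetime,) = struct.unpack("<Q", reg_binary[:8])  # little-endian uint64
    return {
        "last_execution_utc": filetime_to_datetime(filetime),
        "raw_filetime": filetime,
        "trailing_bytes": reg_binary[8:],
    }


if __name__ == "__main__":
    # Sample value copied from the putty.exe entry quoted on this page.
    sample = "60-9F-62-A8-FB-6C-D9-01-00-00-00-00-00-00-00-00-00-00-00-00-02-00-00-00"
    record = parse_bam_value(sample)
    print(record["last_execution_utc"].strftime("%a %d %B %Y %H:%M:%S UTC"))
```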
Used to convert timestamps to human-readable format.
Delete registry