FeatureUsage

Profile each user's interaction with task bar.

What Is?

Forensic Value:

• Tracks pinning application.

• Use of JumpLists.

• Number of times shortcut was used (execution count).

• Number of times application was put into focus.

• Clicks on other parts of the taskbar like system clock and search dialogs.

File Location:

• NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage

Offline System

Windows 10 build 1903

Live System

Parse Data:

• Registry Explorer (zimmerman)

Considerations:

• Tracks click-level interactions with the task bar including

  • Application execution

  • Shortcut pinning

  • Jump List use

  • Switching applications to be in focus

• The TrayButtonClicked key tracks interaction with elements like the clock and search box

• GUI applications only and no timestamps are currently present

• Data not removed when application is uninstalled.

Example:

• AppLaunch: What is pinned to taskbar and how many times it was executed from taskbar.

  • Data persists even if app is unpinned.

• AppSwitched: How many times application was siwtched to "in focus".

  • Does not need to be pinned to taskbar to track.

• In the example above, we can see the user right-clicked the Remote Desktop shortcut four times showing they may have been making use of the saved previous connections present in the Jump List.

Analysis Tips:

Anti-Forensics: