FeatureUsage

Profiles each user's interaction with the taskbar.

What Is?

Forensic Value:

  • Tracks application pinning.

  • Use of JumpLists.

  • Number of times shortcut was used (execution count).

  • Number of times application was put into focus.

  • Clicks on other parts of the taskbar like system clock and search dialogs.

File Location:

  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage

Windows 10 build 1903

Parse Data:

  • Registry Explorer (Zimmerman)

Considerations:

  • Tracks click-level interactions with the task bar including

    • Application execution

    • Shortcut pinning

    • Jump List use

    • Switching applications to be in focus

  • The TrayButtonClicked key tracks interaction with elements like the clock and search box

  • Covers GUI applications only; no timestamps are currently present.

  • Data not removed when application is uninstalled.

Example:

  • AppLaunch: What is pinned to taskbar and how many times it was executed from taskbar.

    • Data persists even if app is unpinned.

  • AppSwitched: How many times the application was switched to "in focus".

    • Does not need to be pinned to taskbar to track.

  • In the example above, we can see the user right-clicked the Remote Desktop shortcut four times, showing they may have been making use of the saved previous connections present in the Jump List.
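
As an added illustration (not part of the original notes or of any tool named here), the per-application counts described above can be pulled from the text of a `reg export` of the FeatureUsage key. The sample export, its application names and counts are constructed, and the ShowJumpView subkey name is not given on this page.

```python
import re
from collections import defaultdict

BASE = r"Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage"

# Constructed sample in `reg export` text form; every name and count is made up.
# ShowJumpView is the subkey that counts Jump List views (name not given on the page).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppLaunch]
"Microsoft.Windows.RemoteDesktop"=dword:00000007

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"Microsoft.Windows.RemoteDesktop"=dword:00000015
"C:\\Tools\\example.exe"=dword:00000003

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView]
"Microsoft.Windows.RemoteDesktop"=dword:00000004

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\TrayButtonClicked]
"ClockButton"=dword:00000002
'''

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')

def parse_feature_usage(reg_text):
    """Return {value name: {subkey: count}} for DWORD values under FeatureUsage."""
    usage = defaultdict(dict)
    subkey = None
    for line in map(str.strip, reg_text.splitlines()):
        key = KEY_RE.match(line)
        if key:
            # Keep only the part below FeatureUsage; ignore unrelated keys.
            _, sep, tail = key.group(1).lower().partition(BASE.lower() + "\\")
            subkey = key.group(1)[-len(tail):] if sep and tail else None
            continue
        value = VALUE_RE.match(line)
        if value and subkey:
            name = re.sub(r"\\(.)", r"\1", value.group(1))  # undo .reg escaping
            usage[name][subkey] = int(value.group(2), 16)
    return dict(usage)

def focused_without_taskbar_launch(usage):
    """Applications with AppSwitched counts but no AppLaunch entry."""
    return sorted(n for n, c in usage.items() if "AppSwitched" in c and "AppLaunch" not in c)

if __name__ == "__main__":
    print(parse_feature_usage(SAMPLE_REG))
```

A real `reg export` file is UTF-16 encoded, so read it with `encoding="utf-16"` before passing the text in.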

Analysis Tips:

Anti-Forensics:
