> For the complete documentation index, see [llms.txt](https://nk0.gitbook.io/dfir/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://nk0.gitbook.io/dfir/windows/forensics/evidence-of-execution/featureusage.md).

# FeatureUsage

### What Is?

### Forensic Value:

* Tracks pinning application.
* Use of JumpLists.
* Number of times shortcut was used (execution count).
* Number of times application was put into focus.
* Clicks on other parts of the taskbar like system clock and search dialogs.

### File Location:

* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage
*

{% tabs %}
{% tab title="Offline System" %}
Windows 10 build 1903
{% endtab %}

{% tab title="Live System" %}

{% endtab %}
{% endtabs %}

### Parse Data:

* Registry Explorer (zimmerman)

### Considerations:

* Tracks click-level interactions with the task bar including&#x20;
  * Application execution
  * Shortcut pinning
  * Jump List use
  * Switching applications to be in focus
* The TrayButtonClicked key tracks interaction with elements like the clock and search box
* GUI applications only and no timestamps are currently present
* Data not removed when application is uninstalled.

### Example:

<figure><img src="/files/AlNRU1oVXytcxa1FTb50" alt=""><figcaption></figcaption></figure>

* AppLaunch: What is pinned to taskbar and how many times it was executed from taskbar.
  * Data persists even if app is unpinned.
* AppSwitched: How many times application was siwtched to "in focus".
  * Does not need to be pinned to taskbar to track.

<figure><img src="/files/AQzkbbPzzl92yROeBfmG" alt=""><figcaption></figcaption></figure>

* In the example above, we can see the user right-clicked the Remote Desktop shortcut four times showing they may have been making use of the saved previous connections present in the Jump List.

### Analysis Tips:

### Anti-Forensics:


---

# Agent Instructions
This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com.

## Querying This Documentation
If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter, and the optional `goal` query parameter:

```
GET https://nk0.gitbook.io/dfir/windows/forensics/evidence-of-execution/featureusage.md?ask=<question>&goal=<endgoal>
```

`ask` is the immediate question: it should be specific, self-contained, and written in natural language.
`goal` is optional and describes the broader end goal you are ultimately trying to accomplish on behalf of the user. GitBook uses it to tailor the answer towards what is most useful for that goal.

The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.