PCA

Tracks GUI execution, not user based.

File Location

• C:\Windows\appcompat\pca

New Windows 11 Pro (22H2) Evidence of Execution Artifact! - AboutDFIR - The Definitive Compendium ProjectAboutDFIR - The Definitive Compendium Project

Parsing Data

No need to parse data, comes in formated text file.

Considerations

• New Windows 11 execution artifact.

• Tracks GUI execution.

• Tracks full binary path and last executed time in UTC PcaAppLaunchDic.txt.

• Usually PcaGeneralDb1.txt won't have data.

PcaGeneralDb0.txt

Ties in with amcache and contains FileID. Can be used to correlate execution and file existence.

Anti Forensics