search

RecentApps

hashtag
What Is RecentApps?

LogoRecentApps Registry Key - Digital Forensics StreamDigital Forensics Streamchevron-right

hashtag
Forensic Value:

References to several applications and files that had been accessed on the system

hashtag
File Location:

  • NTUSER\Software\Microsoft\Windows\Current Version\Search\RecentApps

hashtag
Parse Data:

hashtag
Considerations:

  • The number of file GUID subkeys under each application GUID key appears to be limited to 10

  • LastWriteTime of RecentItems subkeys are execution times of the file.

  • The file GUID subkeys are arranged alphabetically by name

  • When a new entry is added to RecentItems, the keys are rearranged alphabetically, removing the last entry from the list.

  • LastAccessedTime in RecentItems is not updated on subsequent file accesses.

  • RecentApps LastAccessedTime is updated on every execution.

  • Time is in: 64-bit FILETIME format

hashtag
Example:

hashtag
Analysis Tips:

hashtag
Anti-Forensics:

  • Deletion of registry key

PreviousShimcacheNextAmCache

Last updated