It is important to note that as operating systems evolve and new features are added, so do the registry artifacts available to DFIR professionals. In this blog, we introduce a new registry artifact called "FeatureUsage," which is found in builds of Windows 10 version 1903 and later. To a DFIR professional, this artifact is another way of confirming which software an account has run interactively, and how many times it was run. In addition, it provides some insight into user behavior, such as how often an account switches between applications, looks at the Windows clock, clicks the Start menu and more.

Figure 1. Windows 10 version containing FeatureUsage key

The FeatureUsage registry key exists within user registry hives (their NTUSER.DAT file), and therefore all information stored within FeatureUsage will be unique for each account:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage

This registry key and its subkeys do not exist unless an account has logged on to a system interactively. In this scenario, "interactive" refers to someone who has authenticated from the log-on screen or through RDP. An account that has only ever been used for network or service logons (a service account, or a remote SMB or WMI session) will therefore have no FeatureUsage key at all, so the key's presence in a hive is itself an indicator that the account had a console or RDP session on that host.
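The following PowerShell function is an added example, not code from the original post or from its author. It walks the FeatureUsage key for every user hive currently loaded under HKEY_USERS (only accounts that have logged on have a hive there) and, optionally, for an offline NTUSER.DAT taken from a forensic image, which it mounts with reg.exe load. The subkey and value names are read from the registry rather than assumed, because the post does not enumerate them; the -OfflineHivePath parameter and the temporary mount name FeatureUsageTmp are this example's own choices. Loading an offline hive requires an elevated prompt.

```powershell
# Added example (not from the original post): dump the per-account
# FeatureUsage key from loaded user hives or from an offline NTUSER.DAT.
function Get-FeatureUsage {
    [CmdletBinding()]
    param(
        # Optional path to an offline NTUSER.DAT (hypothetical parameter).
        [string]$OfflineHivePath
    )

    $relPath   = 'Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage'
    $mountName = 'FeatureUsageTmp'      # assumed temporary HKU mount point
    $hives     = @()

    if ($OfflineHivePath) {
        # Mount the offline hive under HKEY_USERS so the Registry provider can read it.
        & reg.exe load "HKU\$mountName" $OfflineHivePath | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Could not load hive $OfflineHivePath" }
        $hives += [pscustomobject]@{
            Name = (Split-Path -Leaf $OfflineHivePath)
            Root = "Registry::HKEY_USERS\$mountName"
        }
    } else {
        # Live system: one hive per account that has logged on. Keep real user
        # SIDs (S-1-5-21-...) and skip the *_Classes hives and service SIDs.
        Get-ChildItem -Path 'Registry::HKEY_USERS' |
            Where-Object { $_.PSChildName -match '^S-1-5-21-' -and
                           $_.PSChildName -notmatch '_Classes$' } |
            ForEach-Object {
                $hives += [pscustomobject]@{ Name = $_.PSChildName; Root = $_.PSPath }
            }
    }

    try {
        foreach ($h in $hives) {
            $keyPath = "$($h.Root)\$relPath"
            if (-not (Test-Path -Path $keyPath)) {
                # No key: the account never logged on interactively on this host,
                # or the build predates Windows 10 1903.
                Write-Verbose "$($h.Name): FeatureUsage key not present"
                continue
            }
            # One subkey per tracked feature; each value is one tracked item
            # (for example an application) with its recorded data.
            Get-ChildItem -Path $keyPath | ForEach-Object {
                $sub = $_
                foreach ($valueName in $sub.GetValueNames()) {
                    [pscustomobject]@{
                        Hive    = $h.Name
                        Feature = $sub.PSChildName
                        Entry   = $valueName
                        Data    = $sub.GetValue($valueName)
                    }
                }
            }
        }
    } finally {
        if ($OfflineHivePath) {
            [gc]::Collect()                       # drop handles before unloading
            & reg.exe unload "HKU\$mountName" | Out-Null
        }
    }
}

# Usage (live system, all logged-on accounts):
#   Get-FeatureUsage | Sort-Object Data -Descending | Format-Table -AutoSize
# Usage (offline hive from an image, elevated prompt):
#   Get-FeatureUsage -OfflineHivePath 'E:\evidence\Users\alice\NTUSER.DAT'
```

Because the key lives in NTUSER.DAT, the same function applied to each user's hive from a disk image gives a per-account view; an account with a missing key is worth noting in a timeline, since it means no interactive (console or RDP) session was recorded for it on that host.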