Windows

Interactive Session

This section is for artifacts which are created when a user has an interactive desktop session, either sitting at the system or via a remote desktop session.

Run Box
RunMRU - Provides list of commands executed via the Run Box

• Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

Documents
File MRU/Place MRU - Provides list of office documents opened with path

• Location: HKCU\Software\Microsoft\Office\<number>\<Office Product>\User MRU\<#profile ID>\<File MRU or Place MRU>

Windows Explorer
TypedPaths - Provides list of paths typed by user in the Windows Explorer

• Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

OpenSaveMRU/LastVisitedMRU - Provides list of opened and saved files accessed via dialog boxes  

•  Location:HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\<OpenSaveMRU or LastVisitedMRU>

UserAssist - Provides list of programs executed by user via Explorer Window

• Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

TypedURLs - Provides a list of URL's and Paths typed in the Windows Explorer or Internet Explorer address bars

• ​Location: HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Internet Explorer
​TypedURLs - Provides a list of URL's and Paths typed in the Windows Explorer or Internet Explorer address bars

• ​Location: HKCU\Software\Microsoft\Internet Explorer\TypedURLs

Windows Search
ACMru - Contains list of recent search terms used in the Windows Search functionality; Four different subkeys exists for Internet Search, Windows Files, word or phrase search, and people/computer search
Location: HKCU\Software\Microsoft\Search Assistant\ACMru

AutoStart

Contains a list of artifacts related to anything that starts on its on such as a scheduled task or startup item.

On Start Up
Autorun - Contains paths to items that execute at system startup

• Location: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

RunOnce - Contains list of programs that will run at startup only once

• Locations:
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
  • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

Run Services - Contains a list of services that start automatically

• Locations
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Services
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServicesOnce
  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ServicesOnce

Winlogon - Programs executed when a user logins

• Location: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit

Services
Services - Contains a list of all services, active and non-active

• Location: HKLM\SYSTEM\CurrentControlSet\Services

Cmd.exe
Command Processor Autorun - Contains a list of commands that are executed every time cmd.exe runs

• Locations
  • HKLM\SOFTWARE\Microsoft\Command Processor
  • HKCU\Software\Microsoft\Command Processor

Networking/Shares

This section contains artifacts related to networking and user shares.

Networked Drives
Map Network Drive MRU - Contains list of recently mapped network drives

• Location: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU

MountPoints2 - Contains list of all drives that have been mounted (both physical and network); requires cross correlation with MountedDevices

• Location: HKCU\Software\Microsoft\Windows\Current\VersionExplorer\MountPoints2

USB

Contains list of arti

USB Storage
USBSTOR - Stores list of mounted USB devices

• Location: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR

References

I didn't come up with any of this material. I pulled from the various resources below and organized them in a way that made it easier to reference for me. I appreciate all of there hardwork and urge you to check out there blogs.

Andreafortuna.org 

• Windows registry in forensic analysis