Registry Clearing (BAM, RecentDocs, etc.)

  • Description: This involves deleting specific keys or values within the Windows Registry that store historical activity data. Common targets are keys known to log program execution or file access.

  • Mechanism:

    • Manual Deletion (regedit.exe): The user manually navigates to specific keys in Registry Editor and deletes them or their values.

    • Command-Line (reg.exe): Using reg delete commands in CMD or scripts to remove targeted keys/values programmatically.

    • Cleanup Tools: Utilities like CCleaner often include options to clean specific Registry MRU lists or potentially other activity logs.

  • Common Targets:

    • BAM (Background Activity Moderator): Keys under HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{User_SID}\ store one value per executable (named by its NT device path, e.g. \Device\HarddiskVolumeN\...) whose binary data begins with the last execution time as a 64-bit FILETIME. On Windows 10 builds before 1809 the State subkey does not exist and the path is ...\Services\bam\UserSettings\{User_SID}\.

    • RecentDocs: Keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (with per-extension subkeys) track recently opened files by name; the matching .lnk shortcuts live in the user's Recent folder (shell:recent), so a consistent cleanup has to touch both.

    • UserAssist: Keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count track GUI program launches. The value names (program paths) are ROT-13 encoded; the binary value data holds the run count and the last execution time.

    • OpenSavePidlMRU: Keys under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\ track files opened/saved via common dialogs.

    • AppCompatFlags (PCA Store): The Store key under HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\ holds paths of executables the Program Compatibility Assistant has observed running, and is frequently cleared.
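
    The following PowerShell script is an added example, not code from the original page or from any tool it mentions. It dumps three of the targets listed above (BAM, UserAssist, RecentDocs) and decodes them so the screensharer can see what a clean hive normally looks like before judging whether anything is missing. It assumes Windows 10/11 with PowerShell 5.1 and an elevated session for the BAM key (HKLM); the data layouts it relies on are the ones documented for these artifacts: BAM value data starts with a FILETIME, UserAssist data (72 bytes on Windows 7 and later) carries the run count at offset 4 and the last-run FILETIME at offset 60, and RecentDocs value data starts with the file name as a null-terminated UTF-16 string.

```powershell
# Added example (not from the original page): decode BAM, UserAssist and RecentDocs.
# Assumes Windows 10/11, PowerShell 5.1, elevated for HKLM (BAM).

function ConvertFrom-Rot13 {
    param([string]$Text)
    # UserAssist value names are ROT-13 encoded; only ASCII letters rotate, everything else passes through.
    -join ($Text.ToCharArray() | ForEach-Object {
        $c = [int]$_
        if ($c -ge 65 -and $c -le 90)      { [char](($c - 65 + 13) % 26 + 65) }
        elseif ($c -ge 97 -and $c -le 122) { [char](($c - 97 + 13) % 26 + 97) }
        else                               { $_ }
    })
}

function Get-BamEntries {
    # 1809+ layout first; older builds keep UserSettings directly under bam\.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings'
    if (-not (Test-Path $base)) { $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\UserSettings' }
    foreach ($sidKey in Get-ChildItem -Path $base) {
        foreach ($name in $sidKey.GetValueNames()) {
            $data = $sidKey.GetValue($name)
            # Version and SequenceNumber are DWORDs; executables are REG_BINARY with a leading FILETIME.
            if ($data -is [byte[]] -and $data.Length -ge 8) {
                [pscustomobject]@{
                    Sid          = $sidKey.PSChildName
                    Executable   = $name
                    LastExecuted = [DateTime]::FromFileTimeUtc([BitConverter]::ToInt64($data, 0))
                }
            }
        }
    }
}

function Get-UserAssistEntries {
    $base = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    foreach ($guidKey in Get-ChildItem -Path $base) {
        $countPath = $guidKey.PSPath + '\Count'
        if (-not (Test-Path -LiteralPath $countPath)) { continue }
        $countKey = Get-Item -LiteralPath $countPath
        foreach ($name in $countKey.GetValueNames()) {
            $data = $countKey.GetValue($name)
            if ($data -is [byte[]] -and $data.Length -ge 68) {
                $ft = [BitConverter]::ToInt64($data, 60)
                $lastRun = $null
                if ($ft -gt 0) { $lastRun = [DateTime]::FromFileTimeUtc($ft) }
                [pscustomobject]@{
                    Guid     = $guidKey.PSChildName
                    Program  = ConvertFrom-Rot13 $name
                    RunCount = [BitConverter]::ToUInt32($data, 4)
                    LastRun  = $lastRun
                }
            }
        }
    }
}

function Get-RecentDocsEntries {
    $key = Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    foreach ($name in $key.GetValueNames()) {
        if ($name -eq 'MRUListEx') { continue }   # ordering list, not a document entry
        $data = $key.GetValue($name)
        if ($data -isnot [byte[]]) { continue }
        $s = [Text.Encoding]::Unicode.GetString($data)
        $end = $s.IndexOf([char]0)
        $fileName = $s
        if ($end -ge 0) { $fileName = $s.Substring(0, $end) }
        [pscustomobject]@{ Slot = $name; FileName = $fileName }
    }
}

Get-BamEntries | Sort-Object LastExecuted -Descending | Select-Object -First 20 | Format-Table -AutoSize
Get-UserAssistEntries | Where-Object LastRun | Sort-Object LastRun -Descending | Select-Object -First 20 | Format-Table -AutoSize
Get-RecentDocsEntries | Format-Table -AutoSize
```

    Run it once at the start of a screenshare and keep the output: on a normally used machine each list should be well populated, so an empty BAM key for the active user's SID, or a UserAssist Count key with only a handful of entries, is the "missing keys" signal described under Detection below. The UserAssist and RecentDocs readers only see the current user's hive; use the suspect's account, not an admin account, for the HKCU parts.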

  • Why Cheaters Use It: To remove specific traces of program execution (BAM, UserAssist) or recently accessed files (RecentDocs, OpenSave MRU) that might point towards cheat usage or related configuration files.

  • Detection:

    • Registry Explorer (Deleted Keys/Values): This is often the most effective method. Forensic registry viewers such as Eric Zimmerman's Registry Explorer can recover keys and values that were deleted but whose records in the hive file have not yet been overwritten, and flag them visually (deleted BAM entries, for example, are marked with a red circled warning icon). Finding such deleted entries in the hives listed above, especially when the deletion appears recent relative to the current system boot, is strong evidence of tampering. Caveat: deleted records survive only until the hive reuses that free space, so collect or export the hive as early in the screenshare as possible.

    • Execution Logs: Look for recent executions of regedit.exe or reg.exe in Prefetch (REGEDIT.EXE-*.pf, REG.EXE-*.pf), BAM, or command history (for PowerShell, PSReadLine's ConsoleHost_history.txt under %APPDATA%\Microsoft\Windows\PowerShell\PSReadLine) around the time of the screenshare. This indicates manual Registry interaction that warrants investigation into what was potentially cleared. A cleanup tool leaves neither regedit.exe nor reg.exe in these logs, so check for the tool's own executable as well.

    • Missing Keys/Values: While less definitive, observing that normally populated keys (like UserAssist or BAM for a user who clearly uses the system) are completely empty can be suspicious, though it could also result from specific system configurations or profile issues.

    • Timestamps: Registry Explorer displays the Last Write Time for each key. That timestamp updates when a value in the key is added, changed or deleted, or when a direct subkey is created or removed, so a very recent Last Write Time on a parent key (such as UserSettings for BAM, or a user's {SID} key beneath it) points to recent modifications, deletions included, within it. Compare it against the time the screenshare started and against the last system boot.
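
    The following PowerShell script is an added example, not code from the original page or from Registry Explorer, that turns the detection points above into live triage checks: the Last Write Time of each targeted key (via a small RegQueryInfoKey wrapper, since .NET's RegistryKey class does not expose it), whether each key is empty, Prefetch files for regedit.exe and reg.exe, and registry-deletion commands in the user's PSReadLine history. It assumes an elevated PowerShell 5.1 session on the machine being screenshared; the $WindowMinutes threshold and the "recently written" flag are my own heuristic, not a standard, and a positive hit is a reason to look closer in Registry Explorer, not proof on its own.

```powershell
# Added example (not from the original page): registry anti-forensics triage.
# Assumes elevated PowerShell 5.1 on the live machine. The 60-minute window is an assumption.

Add-Type -Namespace Win32 -Name RegApi -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    IntPtr hKey, System.Text.StringBuilder lpClass, ref uint lpcbClass, IntPtr lpReserved,
    out uint lpcSubKeys, out uint lpcbMaxSubKeyLen, out uint lpcbMaxClassLen, out uint lpcValues,
    out uint lpcbMaxValueNameLen, out uint lpcbMaxValueLen, out uint lpcbSecurityDescriptor,
    out long lpftLastWriteTime);
'@

function Get-RegKeyLastWrite {
    # RegistryKey has no LastWriteTime property, so ask the Win32 API directly.
    param([Microsoft.Win32.RegistryKey]$Key)
    $class = New-Object System.Text.StringBuilder 256
    $cb = [uint32]256; $n = [uint32]0; $ft = [long]0
    $rc = [Win32.RegApi]::RegQueryInfoKey($Key.Handle.DangerousGetHandle(), $class, [ref]$cb, [IntPtr]::Zero,
        [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$n, [ref]$ft)
    if ($rc -ne 0) { throw "RegQueryInfoKey failed for $($Key.Name): $rc" }
    [DateTime]::FromFileTimeUtc($ft).ToLocalTime()
}

function Test-RegistryActivityKeys {
    param([int]$WindowMinutes = 60)
    $cutoff = (Get-Date).AddMinutes(-$WindowMinutes)
    $bam = 'HKLM:\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings'
    $targets = @(Get-Item -LiteralPath $bam) + @(Get-ChildItem -Path $bam)
    $ua = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'
    $targets += Get-ChildItem -Path $ua | ForEach-Object { Get-Item -LiteralPath ($_.PSPath + '\Count') -ErrorAction SilentlyContinue }
    $targets += Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
    $targets += Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU'
    $targets += Get-Item -LiteralPath 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store' -ErrorAction SilentlyContinue
    foreach ($key in ($targets | Where-Object { $_ })) {
        $lw = Get-RegKeyLastWrite $key
        # A BAM {SID} key always carries Version and SequenceNumber, so "empty" means no executables beyond those two.
        $baseline = 0
        if ($key.Name -like '*\bam\*\UserSettings\S-*') { $baseline = 2 }
        [pscustomobject]@{
            Key             = $key.Name
            LastWrite       = $lw
            ValueCount      = $key.ValueCount
            SubKeyCount     = $key.SubKeyCount
            RecentlyWritten = $lw -gt $cutoff
            Empty           = ($key.ValueCount -le $baseline -and $key.SubKeyCount -eq 0)
        }
    }
}

function Get-RegistryToolPrefetch {
    # A .pf file's CreationTime approximates first run, LastWriteTime approximates the most recent run.
    Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter '*.pf' -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '^(REGEDIT|REG)\.EXE-' } |
        Select-Object Name, CreationTime, LastWriteTime
}

function Find-RegistryCommandHistory {
    # PSReadLine history for the logged-on user; empty if PowerShell was never used interactively.
    $hist = Join-Path $env:APPDATA 'Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt'
    if (Test-Path -LiteralPath $hist) {
        Select-String -LiteralPath $hist -Pattern 'reg(\.exe)?\s+delete|Remove-Item(Property)?\s.*(HKCU|HKLM|Registry::)'
    }
}

Test-RegistryActivityKeys -WindowMinutes 60 | Format-Table -AutoSize
Get-RegistryToolPrefetch | Format-Table -AutoSize
Find-RegistryCommandHistory | Select-Object LineNumber, Line
```

    Read the three outputs together: a BAM {SID} key that is both Empty and RecentlyWritten, a REGEDIT.EXE-*.pf whose LastWriteTime falls inside the screenshare window, or a "reg delete" line in the history each justify loading the hive into Registry Explorer and looking for the deleted records described above. The RecentDocs and UserAssist checks read HKCU, so run the script under the suspect's account; the BAM and Prefetch checks need the elevation.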
