Other Notable Folders/Locations

Beyond the primary artifacts detailed above, numerous other specific system locations can harbor valuable evidence or provide context during an investigation. While an exhaustive list is beyond the scope of this fundamental section, ScreenSharers should be aware of locations such as:

  • Task Scheduler: C:\Windows\System32\Tasks (and related registry keys). This folder stores the XML definitions of scheduled tasks configured to run automatically. It's a common location for malware persistence mechanisms or scripts designed to perform actions (like clearing logs) at specific times or events (e.g., user logon). Analyzing task definitions for suspicious commands, paths, or triggers is crucial.

  • Program Compatibility Assistant (PCA): C:\Windows\appcompat\pca. This location contains artifacts like Amcache.hve and RecentFileCache.bcf. These track application execution history and compatibility information. While sometimes considered secondary evidence, especially on older systems (Windows 7/8) or when other execution logs are cleared, they can provide valuable corroborating proof that a program was run. (Further details on Amcache/RecentFileCache analysis may be covered in later sections).

  • PowerShell History: %AppData%\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt. This plain text file logs the commands typed interactively into PowerShell sessions by the user. It's invaluable for identifying manual command-line activity, including potentially malicious script execution, file manipulation, or attempts to disable security features.

  • User Assist: These are not folders but specific Registry keys (located under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\) that track the execution of GUI-based applications. They store encoded data about program launches, including run counts and last execution timestamps. Specialized tools or manual decoding are needed to interpret this data effectively.

Awareness of these and other potential evidence locations expands the scope of a thorough screenshare beyond just the most common artifacts.