Data Sources

LastActivityView queries and presents data derived from sources including (but not necessarily limited to):

  • Prefetch Files: Extracts execution timestamps and filenames from .pf files in C:\Windows\Prefetch.

  • Registry Keys:

    • Recent File History: Information related to recently opened files and folders (often linked to shell:recent shortcuts and the RecentDocs registry keys).

    • Open/Save Dialog History (MRU): Parses data from keys like HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\. These keys store Most Recently Used (MRU) lists of files that have been opened or saved using the standard Windows file dialog boxes.

    • UserAssist Keys: Tracks execution of GUI programs.

    • Other relevant keys tracking application usage or system events.

  • Windows Event Logs: Pulls specific relevant events (like software installations, system shutdowns) from standard Windows Event Logs.

  • Recycle Bin Information: May include data about recently deleted files.

  • Application Crash Reports: Information about application crashes.
