Forensically Relevant Registry Keys/Locations

While deep Registry analysis requires specialized knowledge, several keys are commonly checked during screenshares (many collected automatically by tools like RL Collector's RECmd module):

  • Prefetch Parameters: HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (Check the EnablePrefetcher value: 0 disables prefetching, so a machine with no recent Prefetch files and a zeroed value has had that evidence source turned off).

  • Program Compatibility Assistant (PCA): HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store (Logs program paths PCA interacted with).

  • Background Activity Moderator (BAM): HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{User_SID} (Logs executed application paths and last execution timestamps. Look for deleted entries!).

  • UserAssist: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count (Tracks GUI program launches, run counts, last execution times. Value names, which hold the program paths, are ROT-13 encoded; the binary value data holds the counts and timestamp).

  • Open/Save Dialog MRU: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\ (MRU lists for files opened/saved via common dialogs, grouped by extension). Can reveal recently accessed cheat files, DLLs, or configs.

  • RecentDocs: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs (Tracks recently accessed documents/files, often mirrors shell:recent. Check for clearing).

  • Run / RunOnce Keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\Run (and RunOnce variants). Common persistence locations for malware/PUPs.

  • USB Storage History: HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR (Logs details of connected USB storage devices).

  • Network History: Various keys under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and user-specific network profiles can reveal connection history.

  • Command Processor Autorun: HKLM\SOFTWARE\Microsoft\Command Processor\Autorun (Check if commands are automatically run when cmd.exe starts – potential bypass).
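The UserAssist and BAM entries above are stored as raw binary values, so reading them without a tool means decoding the ROT-13 value names and the little-endian counters and FILETIME fields yourself. The following Python is an added example, not code from the page or from RL Collector/RECmd; it assumes the Windows 7+ UserAssist layout (run count at offset 4, focus count at 8, focus time at 12, last-execution FILETIME at 60) and the BAM layout (FILETIME in the first 8 bytes), and runs on constructed sample blobs rather than a live hive.

```python
"""Decode UserAssist (ROT13 names, 72-byte data) and BAM (FILETIME in first
8 bytes) registry values. Added example with constructed sample data; not
part of the page and not RL Collector / RECmd code."""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME to an aware UTC datetime; 0 means 'never recorded'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Parse one value under UserAssist\\{GUID}\\Count.

    The value name is the ROT13-obfuscated program path. The Windows 7+ data
    layout (72 bytes) is: run count at offset 4, focus count at 8, focus time
    in ms at 12, last-execution FILETIME at offset 60 (all little-endian).
    """
    if len(data) < 68:
        raise ValueError(f"UserAssist data too short ({len(data)} bytes)")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_executed": filetime_to_datetime(last_ft),
    }


def parse_bam(value_name: str, data: bytes) -> dict:
    """Parse one value under bam\\State\\UserSettings\\{SID}.

    The value name is the executable path (device-form); the first 8 bytes
    of the data are the last-execution FILETIME.
    """
    if len(data) < 8:
        raise ValueError(f"BAM data too short ({len(data)} bytes)")
    (last_ft,) = struct.unpack_from("<Q", data, 0)
    return {"path": value_name, "last_executed": filetime_to_datetime(last_ft)}


def build_userassist_data(run_count: int, focus_count: int, focus_ms: int, last_ft: int) -> bytes:
    """Construct a 72-byte UserAssist blob in the layout parse_userassist expects (sample data only)."""
    return (
        struct.pack("<I", 0)                                     # offset 0: session id / unused
        + struct.pack("<III", run_count, focus_count, focus_ms)  # offsets 4, 8, 12
        + bytes(44)                                              # offsets 16-59: per-run float fields
        + struct.pack("<Q", last_ft)                             # offset 60: last execution FILETIME
        + bytes(4)                                               # offset 68: unused
    )


# --- Constructed samples (not real registry exports) ---
SAMPLE_TIME = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_FILETIME = datetime_to_filetime(SAMPLE_TIME)  # 133497936000000000

SAMPLE_UA_NAME = codecs.encode(r"C:\Users\analyst\Downloads\sample.exe", "rot_13")
SAMPLE_UA_DATA = build_userassist_data(run_count=3, focus_count=5, focus_ms=42000, last_ft=SAMPLE_FILETIME)

SAMPLE_BAM_NAME = r"\Device\HarddiskVolume3\Users\analyst\Downloads\sample.exe"
SAMPLE_BAM_DATA = struct.pack("<Q", SAMPLE_FILETIME) + bytes(16)


def report() -> list:
    """Normalise both artifacts into (source, path, last_executed) rows, newest first."""
    ua = parse_userassist(SAMPLE_UA_NAME, SAMPLE_UA_DATA)
    bam = parse_bam(SAMPLE_BAM_NAME, SAMPLE_BAM_DATA)
    rows = [("UserAssist", ua["path"], ua["last_executed"]),
            ("BAM", bam["path"], bam["last_executed"])]
    return sorted(rows, key=lambda r: r[2] or FILETIME_EPOCH, reverse=True)


if __name__ == "__main__":
    for source, path, when in report():
        print(f"{source:<10} {when.isoformat() if when else 'never':<25} {path}")
```

On a real system the same parsers apply to the value name/data pairs read from the live key (for example via `winreg.EnumValue`) or from an exported hive; an entry whose timestamp is present in BAM but absent from UserAssist, or a UserAssist key with far fewer entries than the account's age suggests, is what the "check for clearing" advice above is looking for.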