key that we're looking at here. We're actually going to drill down into a somewhat familiar location, or at least I think it will be familiar to you. And that's going to be under Microsoft\Windows\CurrentVersion\Explorer. And this is the familiar part because within this specific path, we have quite a few very common registry-based artifacts that we leverage. But we're going to drill down even deeper. And under Explorer, we're going to go to FeatureUsage. And here is where we're going to find AppSwitched. Now, you'll notice that we also have AppBadgeUpdated, AppLaunch, and ShowJumpView. In this episode, we're only going to be focused on AppSwitched, though those other keys may also contain some useful information.
So, what exactly does AppSwitched track? Well, it increments a counter each time a user left-clicks an application on the taskbar to switch focus to it. The key behaves somewhat like UserAssist and RecentApps in the sense that it can demonstrate per-user, GUI-based application execution, but with an important distinction. Instead of showing launches, AppSwitched reflects the number of times a user switched back to an app via left-clicking on it. This makes it useful as an evidence of execution artifact but also as an indicator of interactive user behavior. It shows deliberate engagement with an application, not just a process starting in the background.
Now, let's take a look at what we have here. You'll notice we can see Regedit, Arsenal Image Mounter, Timeline Explorer, Registry Explorer, and if we look through here, we'll see some apps like Notepad. Now, notice that all of the values are of type REG_DWORD. And again, the value that you see here, for example, is 81, which as I said, reflects the number of times the user has left-clicked an application on the taskbar to switch focus to it. Now, notice that number is 81. Let's test something. We'll go ahead and bring up Notepad.
And what I'm going to do is just use Alt+Tab to switch back to Regedit. And then I'm going to use Alt+Tab again to switch back to Notepad. And then once more back to Regedit. Now, what we'll do is go up to View and Refresh. And notice that it still says 81. This time though, let's left-click on the Notepad icon on the taskbar. So now we've switched to it by that means. And if we switch back to Regedit and then go over to View and Refresh, notice that the counter is now incremented to 82. So it didn't increment when we used Alt+Tab, but it did when we left-clicked the icon on the taskbar. That's an important distinction, but regardless, it does show that this particular user had some sort of interaction with this application, not just something that ran in the background.
Now, it's also worth clarifying what AppSwitched does not provide. The individual values, as you can clearly see, do not contain timestamps. And as you can also see, there's no MRU list here. That means that you can't determine which entry in this list was used last or in what order they were created or updated. In fact, the only temporal information you'll have available is the last write timestamp of the AppSwitched subkey itself. Now, of course, in Regedit, we're not able to see that value. But if we navigated to this same path within Eric Zimmerman's Registry Explorer and went to AppSwitched, we could easily obtain the last write timestamp. That timestamp is going to tell us that any activity reflected in this key must have occurred on or before that time, but nothing more specific than that. Still, that can be useful when reconstructing timelines, especially when other artifacts have rolled over or have been cleared.
Now, from a forensics perspective, AppSwitched can help fill in gaps when traditional execution artifacts are missing or incomplete, possibly even deliberately removed, as in anti-forensics. And that's because it tracks those focused application switches.
So this is going to offer a window into what the user was actively engaged with, not just what executed passively. And because it's tied to a specific user hive, it helps attribute that activity to a specific user account. So the next time you're working on a case and you need just one more piece of context about what a user was really doing, AppSwitched might just give you enough information to fill in yet another piece of the puzzle.
So, that's a quick look at the AppSwitched registry key. I hope you found this information useful and as always, thanks for watching, thanks for subscribing, and I'll see you in the next 13Cubed episode.
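
Added example, not part of the episode: since the AppSwitched values carry no timestamps, one way to reproduce the 81 to 82 demonstration offline is to compare two snapshots of the key. This sketch assumes the snapshots are Regedit `.reg` text exports; the value names, the count for Regedit, and the helper names `parse_appswitched` and `switch_deltas` are constructed for illustration.

```python
import re

# Path of the subkey discussed in the episode (relative to the user hive).
KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched"
# .reg line for a REG_DWORD value: "escaped name"=dword:XXXXXXXX
DWORD = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')

def parse_appswitched(reg_text):
    """Return {value_name: counter} for the AppSwitched key in a .reg export."""
    counts, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):  # a new key section begins
            in_key = line.rstrip("]").lower().endswith(KEY.lower())
            continue
        m = DWORD.match(line) if in_key else None
        if m:
            name = re.sub(r"\\(.)", r"\1", m.group(1))  # undo .reg escaping
            counts[name] = int(m.group(2), 16)
    return counts

def switch_deltas(before, after):
    """Applications whose taskbar-switch counter changed between snapshots."""
    return {name: count - before.get(name, 0)
            for name, count in after.items() if count != before.get(name, 0)}

# Constructed sample exports mirroring the demo (0x51 = 81, 0x52 = 82).
# Real exports are UTF-16 files; decode them before calling the parser.
BEFORE = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"C:\\Windows\\regedit.exe"=dword:00000017
"C:\\Windows\\System32\\notepad.exe"=dword:00000051
'''
AFTER = BEFORE.replace("dword:00000051", "dword:00000052")

if __name__ == "__main__":
    old, new = parse_appswitched(BEFORE), parse_appswitched(AFTER)
    for name, delta in switch_deltas(old, new).items():
        print(f"{name}: {old.get(name, 0)} -> {new[name]} (+{delta} taskbar switches)")
```

A nonzero delta only bounds the activity to the interval between the two snapshots; it does not say when within that interval the switches happened.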