init

Finding out which executables were run on a Windows workstation is a bit tricky: there is no single built-in log of program execution enabled by default, but several artifacts (Amcache, Prefetch and others) record it indirectly. In this post we will look into the PowerForensics PowerShell module and check some of its features.

PowerForensics

After you download and import the module, you will see the following commands available in the session. Remember to run PowerShell as Administrator: the module reads the raw volume and locked registry hives directly, which requires elevation. [screenshot]

Below we can see how to pull the record for a specific application. Get-ForensicAmcache parses the Amcache hive (C:\Windows\appcompat\Programs\Amcache.hve) and returns one object per recorded file; in the screenshot we filter for an executable that was run from the user's Desktop. One caveat: an Amcache entry shows that the file was present on the system and was scanned by the application compatibility infrastructure, and its timestamp is the registry key's last-write time, which usually reflects installation or first observation rather than the last time the program ran. Treat it as a strong lead, not as proof of execution, and corroborate it with other artifacts. [screenshot]

Besides Amcache, the Prefetch cache (pfcache) can also tell us when an application was last executed, but unfortunately I was not able to obtain that information from the command: it always comes back empty. [screenshot] Prefetch is controlled by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (0 disables it) and is off by default on Windows Server, so an empty result can simply mean there are no .pf files in C:\Windows\Prefetch to parse.

I have also tried to get some other information from the command below, but I am not sure what kind of information I got, because it is not quite consistent with what I was expecting. [screenshot]
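
The following is an added example, not code from the original post or from the PowerForensics project. It wraps the two checks discussed above: searching Get-ForensicAmcache output for executables recorded under user profiles, and inspecting the Prefetch configuration that decides whether Get-ForensicPrefetch can return anything at all. Assumptions, labelled as such: PowerForensics is installed and the session is elevated, and the name of the path property on the Amcache objects is discovered at run time with Get-Member rather than hard-coded, because the post does not show it.

```powershell
# Added example (not from the original post or the PowerForensics project).
# Assumptions: PowerForensics is installed, the session runs as Administrator,
# and the path property name on Get-ForensicAmcache objects is unknown, so it is
# discovered at run time instead of being hard-coded.

Import-Module PowerForensics -ErrorAction Stop

function Get-UserProfileAmcacheEntries {
    param(
        # Wildcard for the location of interest; the default covers every user's Desktop.
        [string]$PathPattern = 'C:\Users\*\Desktop\*.exe'
    )
    $entries = @(Get-ForensicAmcache)
    if ($entries.Count -eq 0) { return }

    # Pick the first property whose name contains "Path" (e.g. Path or FullPath).
    $pathProp = ($entries[0] | Get-Member -MemberType Properties |
                 Where-Object { $_.Name -match 'Path' } |
                 Select-Object -First 1).Name
    if (-not $pathProp) {
        throw 'No path-like property on Get-ForensicAmcache output; inspect it with Get-Member.'
    }

    # Amcache records presence and compatibility scanning, not proof of execution,
    # so every hit still needs corroboration (Prefetch, event logs, UserAssist, ...).
    $entries | Where-Object { $_.$pathProp -like $PathPattern }
}

function Test-PrefetchEnabled {
    # EnablePrefetcher bits: 1 = boot prefetch, 2 = application prefetch; 0 = disabled.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
    $value = (Get-ItemProperty -Path $key -Name EnablePrefetcher -ErrorAction SilentlyContinue).EnablePrefetcher
    $pf    = Get-ChildItem -Path "$env:SystemRoot\Prefetch" -Filter *.pf -ErrorAction SilentlyContinue

    [pscustomobject]@{
        EnablePrefetcher    = $value
        ApplicationPrefetch = ($null -ne $value) -and (($value -band 2) -ne 0)
        PrefetchFileCount   = @($pf).Count
        # .pf files are written by the SysMain (formerly Superfetch) service.
        SysMainRunning      = (Get-Service -Name SysMain -ErrorAction SilentlyContinue).Status -eq 'Running'
    }
}

Get-UserProfileAmcacheEntries | Format-List
Test-PrefetchEnabled
```

If Test-PrefetchEnabled reports ApplicationPrefetch as False or a PrefetchFileCount of 0, Get-ForensicPrefetch has nothing to parse, and the empty result is a property of the host rather than of the module.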

AmcacheParser.exe

To obtain information from Windows' Amcache we will use AmcacheParser, one of Eric Zimmerman's tools and a very popular choice for this job. You will need administrative privileges to run it against the live hive, because Amcache.hve is locked by the system; the "is in use. Rerouting..." line in the output below shows the parser working around that lock, and the replay of the LOG1/LOG2 transaction logs means changes not yet flushed to the hive are included in the results.

C:\Users\user1\Desktop\AmcacheParser> AmcacheParser.exe -f "C:\Windows\appcompat\Programs\Amcache.hve" --csv C:\temp
AmcacheParser version 1.5.1.0

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/AmcacheParser

Command line: -f C:\Windows\appcompat\Programs\Amcache.hve --csv C:\temp

Two transaction logs found. Determining primary log...
Primary log: C:\Windows\appcompat\Programs\Amcache.hve.LOG1, secondary log: C:\Windows\appcompat\Programs\Amcache.hve.LOG2
Replaying log file: C:\Windows\appcompat\Programs\Amcache.hve.LOG1
Replaying log file: C:\Windows\appcompat\Programs\Amcache.hve.LOG2
At least one transaction log was applied. Sequence numbers have been updated to 0x007A. New Checksum: 0x4166FD66
'C:\Windows\appcompat\Programs\Amcache.hve' is in use. Rerouting...

Two transaction logs found. Determining primary log...
Primary log: C:\Windows\appcompat\Programs\Amcache.hve.LOG1, secondary log: C:\Windows\appcompat\Programs\Amcache.hve.LOG2
Replaying log file: C:\Windows\appcompat\Programs\Amcache.hve.LOG1
Replaying log file: C:\Windows\appcompat\Programs\Amcache.hve.LOG2
At least one transaction log was applied. Sequence numbers have been updated to 0x007A. New Checksum: 0x4166FD66

C:\Windows\appcompat\Programs\Amcache.hve is in new format!

Total file entries found: 342
Total shortcuts found: 54
Total device containers found: 9
Total device PnPs found: 84
Total drive binaries found: 370
Total driver packages found: 6

Found 61 unassociated file entry

Results saved to: C:\temp

Total parsing time: 0.681 seconds
C:\Users\user1\Desktop\AmcacheParser>cd c:\temp

c:\temp>dir
 Volume in drive C has no label.
 Volume Serial Number is 562F-755A

 Directory of c:\temp

01/25/2024  09:49 AM    <DIR>          .
01/25/2024  09:49 AM    <DIR>          ..
01/25/2024  09:49 AM             2,336 20240125094955_Amcache_DeviceContainers.csv
01/25/2024  09:49 AM            50,111 20240125094955_Amcache_DevicePnps.csv
01/25/2024  09:49 AM           110,693 20240125094955_Amcache_DriveBinaries.csv
01/25/2024  09:49 AM             2,144 20240125094955_Amcache_DriverPackages.csv
01/25/2024  09:49 AM             8,001 20240125094955_Amcache_ShortCuts.csv
01/25/2024  09:49 AM            24,742 20240125094955_Amcache_UnassociatedFileEntries.csv
               6 File(s)        198,027 bytes
               2 Dir(s)  28,338,479,104 bytes free
PS C:\temp> Get-Content -TotalCount 5 .\20240125094955_Amcache_DeviceContainers.csv
KeyName,KeyLastWriteTimestamp,Categories,DiscoveryMethod,FriendlyName,Icon,IsActive,IsConnected,IsMachineContainer,IsNetworked,IsPaired,Manufacturer,ModelId,ModelName,ModelNumber,PrimaryCategory,State
{0038103e-bb4a-31f7-98ed-a452bad14d4c},2024-01-25 08:34:43,input.mouse,,,"C:\Windows\System32\DDORes.dll,-2212",True,True,False,False,False,,{cc54afdc-9d30-faad-a5fa-555953b50f19},QEMU USB Tablet,,input.mouse,9
{04ae3a51-5a53-f3c1-775e-ab310a0c3734},2024-01-25 08:34:43,printfax.printer.file,,Microsoft XPS Document Writer,"C:\Windows\System32\DDORes.dll,-2414",True,True,False,False,False,,{63e262cd-de1a-0741-2baa-25f72900a032},Microsoft XPS Document Writer v4,,printfax.printer.file,9
{15c1e43b-39f8-5881-f1a4-e11262b924d4},2024-01-25 08:34:43,unknown,,,"C:\Windows\System32\DDORes.dll,-2001",True,True,False,False,False,,{1a7f403f-5745-af01-cbd4-d56500e48939},vport0p1,,unknown,9
{27db0821-3bf9-f71a-f96f-a53403857690},2024-01-25 08:34:43,computer,,DESKTOP-NDNPERL,"C:\Windows\System32\DDORes.dll,-2061",True,True,True,False,False,QEMU,,"Standard PC (Q35 + ICH9, 2009)",,computer,25
PS C:\temp> Get-Content -TotalCount 5 .\20240125094955_Amcache_DevicePnps.csv
KeyName,KeyLastWriteTimestamp,BusReportedDescription,Class,ClassGuid,Compid,ContainerId,Description,DriverId,DriverPackageStrongName,DriverName,DriverVerDate,DriverVerVersion,Enumerator,HWID,Inf,InstallState,Manufacturer,MatchingId,Model,ParentId,ProblemCode,Provider,Service,Stackid
acpi/acpi0010/2&daba3ff&1,2024-01-25 08:34:43,,system,{4d36e97d-e325-11ce-bfc1-08002be10318},*pnp0a05,{27db0821-3bf9-f71a-f96f-a53403857690},ACPI Processor Container Device,,machine.inf_amd64_72ab89a5cc3218be,,06-21-2006,10.0.19041.3636,acpi,"acpi\ven_acpi&dev_0010,acpi\acpi0010,*acpi0010",machine.inf,0,(Standard system devices),*acpi0010,ACPI Processor Container Device,acpi_hal\pnp0c08\0,0,Microsoft,,\driver\acpi
acpi/authenticamd_-_amd64_family_25_model_97_-_amd_ryzen_9_7900x_12-core_processor____________/_0,2024-01-25 08:34:43,,processor,{50127dc3-0f36-415e-a6cc-4cb3be910b65},acpi\processor,{27db0821-3bf9-f71a-f96f-a53403857690},"AMD Ryzen 9 7900X 12-Core Processor            ",0000969db1b1aa0114792b34a9081e506faf36ee6baf,cpu.inf_amd64_2fbfbef715898b6f,amdppm.sys,04-21-2009,10.0.19041.3636,acpi,"acpi\authenticamd_-_amd64_family_25_model_97,*authenticamd_-_amd64_family_25_model_97,acpi\authenticamd_-_amd64_family_25,*authenticamd_-_amd64_family_25,acpi\authenticamd_-_amd64,*authenticamd_-_amd64",cpu.inf,0,Advanced Micro Devices,acpi\authenticamd_-_amd64,AMD Processor,acpi\acpi0010\2&daba3ff&1,0,Microsoft,amdppm,"\driver\amdppm,\driver\acpi"
acpi/authenticamd_-_amd64_family_25_model_97_-_amd_ryzen_9_7900x_12-core_processor____________/_1,2024-01-25 08:34:43,,processor,{50127dc3-0f36-415e-a6cc-4cb3be910b65},acpi\processor,{27db0821-3bf9-f71a-f96f-a53403857690},"AMD Ryzen 9 7900X 12-Core Processor            ",0000969db1b1aa0114792b34a9081e506faf36ee6baf,cpu.inf_amd64_2fbfbef715898b6f,amdppm.sys,04-21-2009,10.0.19041.3636,acpi,"acpi\authenticamd_-_amd64_family_25_model_97,*authenticamd_-_amd64_family_25_model_97,acpi\authenticamd_-_amd64_family_25,*authenticamd_-_amd64_family_25,acpi\authenticamd_-_amd64,*authenticamd_-_amd64",cpu.inf,0,Advanced Micro Devices,acpi\authenticamd_-_amd64,AMD Processor,acpi\acpi0010\2&daba3ff&1,0,Microsoft,amdppm,"\driver\amdppm,\driver\acpi"
acpi/authenticamd_-_amd64_family_25_model_97_-_amd_ryzen_9_7900x_12-core_processor____________/_2,2024-01-25 08:34:43,,processor,{50127dc3-0f36-415e-a6cc-4cb3be910b65},acpi\processor,{27db0821-3bf9-f71a-f96f-a53403857690},"AMD Ryzen 9 7900X 12-Core Processor            ",0000969db1b1aa0114792b34a9081e506faf36ee6baf,cpu.inf_amd64_2fbfbef715898b6f,amdppm.sys,04-21-2009,10.0.19041.3636,acpi,"acpi\authenticamd_-_amd64_family_25_model_97,*authenticamd_-_amd64_family_25_model_97,acpi\authenticamd_-_amd64_family_25,*authenticamd_-_amd64_family_25,acpi\authenticamd_-_amd64,*authenticamd_-_amd64",cpu.inf,0,Advanced Micro Devices,acpi\authenticamd_-_amd64,AMD Processor,acpi\acpi0010\2&daba3ff&1,0,Microsoft,amdppm,"\driver\amdppm,\driver\acpi"
PS C:\temp> Get-Content -TotalCount 5 .\20240125094955_Amcache_DriveBinaries.csv
KeyName,KeyLastWriteTimestamp,DriverTimeStamp,DriverLastWriteTime,DriverName,DriverInBox,DriverIsKernelMode,DriverSigned,DriverCheckSum,DriverCompany,DriverId,DriverPackageStrongName,DriverType,DriverVersion,ImageSize,Inf,Product,ProductVersion,Service,WdfVersion
c:/windows/system32/drivers/1394ohci.sys,2024-01-25 08:34:43,2071-11-08 05:23:53,2019-12-07 09:07:41,1394ohci.sys,True,True,True,315384,Microsoft Corporation,2b8b64c19fb245b97a274ca412cb309ceae54d90,,8650778,10.0.19041.1,294912,,Microsoft® Windows® Operating System,10.0.19041.1,1394ohci,
c:/windows/system32/drivers/3ware.sys,2024-01-25 08:34:43,2015-05-18 22:28:03,2019-12-07 09:07:41,3ware.sys,True,True,True,150450,LSI,5161257dc6ce5d04b4161fde391e636d4c5ce525,,8650778,5.1.0.51,122880,,LSI 3ware RAID Controller,WindowsBlue,3ware,
c:/windows/system32/drivers/acpi.sys,2024-01-25 08:34:43,1986-07-17 11:54:36,2024-01-18 23:16:43,acpi.sys,True,True,True,858884,Microsoft Corporation,ecccf1642324bfdf3301f267593a0ee378808601,acpi.inf_amd64_09e459cd93c8ec72,8651034,10.0.19041.3636,835584,acpi.inf,Microsoft® Windows® Operating System,10.0.19041.1,acpi,
c:/windows/system32/drivers/acpidev.sys,2024-01-25 08:34:43,2074-02-06 02:33:08,2019-12-07 09:07:41,acpidev.sys,True,True,True,51188,Microsoft Corporation,8d19697671fbe13b9d3c76459d98cb0ba3d1f41e,,8650778,10.0.19041.1,53248,,Microsoft® Windows® Operating System,10.0.19041.1,acpidev,
PS C:\temp> Get-Content -TotalCount 5 .\20240125094955_Amcache_DriverPackages.csv
KeyName,KeyLastWriteTimestamp,Date,Class,Directory,DriverInBox,Hwids,Inf,Provider,SubmissionId,SYSFILE,Version
balloon.inf_amd64_cb1021f49e943ec4,2024-01-18 23:15:24,2017-07-19 00:00:00,system,c:\windows\system32\driverstore\filerepository\balloon.inf_amd64_cb1021f49e943ec4,False,"pci\ven_1af4&dev_1002&subsys_00051af4&rev_00,pci\ven_1af4&dev_1045&subsys_11001af4&rev_01",oem4.inf,"Red Hat, Inc.",,balloon.sys,100.74.104.14100
balloon.inf_amd64_d3c77413b71ecb35,2024-01-25 08:34:44,2023-07-21 00:00:00,system,c:\windows\system32\driverstore\filerepository\balloon.inf_amd64_d3c77413b71ecb35,False,"pci\ven_1af4&dev_1002&subsys_00051af4&rev_00,pci\ven_1af4&dev_1002,pci\ven_1af4&dev_1045&subsys_11001af4&rev_01,pci\ven_1af4&dev_1045",oem9.inf,"Red Hat, Inc.",30097770_13980182734636414_1152921505696561191,balloon.sys,100.93.104.24000
fwcfg.inf_amd64_358c4a1cb711e05c,2024-01-25 08:34:44,2023-07-21 00:00:00,system,c:\windows\system32\driverstore\filerepository\fwcfg.inf_amd64_358c4a1cb711e05c,False,acpi\qemu0002,oem12.inf,"Red Hat, Inc.",30097770_13980182734636414_1152921505696561191,fwcfg.sys,100.93.104.24000
qxldod.inf_amd64_361c85767ae5e703,2024-01-18 23:15:24,2017-05-28 00:00:00,display,c:\windows\system32\driverstore\filerepository\qxldod.inf_amd64_361c85767ae5e703,False,pci\ven_1b36&dev_0100&subsys_11001af4,oem3.inf,"Red Hat, Inc.",30097770_14088842612135043_1152921504626655152,qxldod.sys,10.0.0.18000
PS C:\temp> Get-Content -TotalCount 5 .\20240125094955_Amcache_ShortCuts.csv
KeyName,LnkName,KeyLastWriteTimestamp
administrative t|b0208c3894a85356,c:\users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Administrative Tools.lnk,2024-01-25 08:34:47
character map.ln|a9bafb4ca6647e44,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Character Map.lnk,2024-01-25 08:34:47
command prompt.l|9f3b377a969553a7,c:\users\user1\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\System Tools\Command Prompt.lnk,2024-01-25 08:34:47
component servic|359825efd3d8f6e7,C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\Component Services.lnk,2024-01-25 08:34:47
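
Reading these CSVs with Get-Content only shows the first rows. The following is an added example, not code from the original post or from the AmcacheParser project, that loads the parser output with Import-Csv and applies two triage filters: kernel-mode drivers that are not Windows in-box drivers or are unsigned (using the DriveBinaries column names shown above), and executables recorded under a user profile, newest first. The DriveBinaries sample rows are constructed for illustration and modelled on the header above; the second filter assumes, as the post does not show that file, that the UnassociatedFileEntries CSV has FullPath, FileKeyLastWriteTimestamp and SHA1 columns. Note that DriverTimeStamp values decades in the future (such as 2071 and 2074 above) are not clock errors: Microsoft binaries on Windows 10 carry a reproducible-build hash in the PE timestamp field, so that column is not useful for dating Microsoft drivers.

```powershell
# Added example (not from the original post or the AmcacheParser project).
# Column names for DriveBinaries come from the parser output shown in the post.
# Assumption: the UnassociatedFileEntries CSV exposes FullPath,
# FileKeyLastWriteTimestamp and SHA1 columns (verify against your file's header).

function Get-SuspiciousDriverRows {
    param([Parameter(Mandatory)][object[]]$Rows)
    # Kernel-mode drivers that are not in-box or not signed deserve a closer look.
    # A DriverTimeStamp far in the future (e.g. 2071) is expected for Microsoft
    # binaries: Windows 10 uses a reproducible-build hash as the PE timestamp.
    $Rows | Where-Object {
        $_.DriverIsKernelMode -eq 'True' -and
        ($_.DriverInBox -ne 'True' -or $_.DriverSigned -ne 'True')
    } | Select-Object KeyName, DriverCompany, DriverInBox, DriverSigned, DriverLastWriteTime
}

function Get-UserPathFileEntries {
    param([Parameter(Mandatory)][object[]]$Rows)
    # Files recorded under any user profile, most recent key write first.
    $Rows | Where-Object { $_.FullPath -like 'c:\users\*' } |
        Sort-Object { [datetime]$_.FileKeyLastWriteTimestamp } -Descending |
        Select-Object FileKeyLastWriteTimestamp, FullPath, SHA1
}

# Constructed sample rows modelled on the DriveBinaries header from the parser output above.
# The first row is the acpi.sys line from the post; the second is a made-up third-party driver.
$sampleDriveBinaries = @'
KeyName,KeyLastWriteTimestamp,DriverTimeStamp,DriverLastWriteTime,DriverName,DriverInBox,DriverIsKernelMode,DriverSigned,DriverCheckSum,DriverCompany,DriverId,DriverPackageStrongName,DriverType,DriverVersion,ImageSize,Inf,Product,ProductVersion,Service,WdfVersion
c:/windows/system32/drivers/acpi.sys,2024-01-25 08:34:43,1986-07-17 11:54:36,2024-01-18 23:16:43,acpi.sys,True,True,True,858884,Microsoft Corporation,ecccf1642324bfdf3301f267593a0ee378808601,acpi.inf_amd64_09e459cd93c8ec72,8651034,10.0.19041.3636,835584,acpi.inf,Microsoft® Windows® Operating System,10.0.19041.1,acpi,
c:/windows/system32/drivers/example.sys,2024-01-25 08:40:00,2023-11-02 10:00:00,2024-01-24 18:12:09,example.sys,False,True,False,123456,Example Co,0000000000000000000000000000000000000000,,8650778,1.0.0.0,65536,,Example Driver,1.0,example,
'@ | ConvertFrom-Csv

# Only example.sys is flagged: acpi.sys is in-box and signed.
Get-SuspiciousDriverRows -Rows $sampleDriveBinaries | Format-Table -AutoSize

# Against real parser output in the directory used in the post:
# $drivers = Import-Csv (Get-ChildItem 'C:\temp\*_Amcache_DriveBinaries.csv' | Select-Object -First 1).FullName
# $files   = Import-Csv (Get-ChildItem 'C:\temp\*_Amcache_UnassociatedFileEntries.csv' | Select-Object -First 1).FullName
# Get-SuspiciousDriverRows -Rows $drivers | Format-Table -AutoSize
# Get-UserPathFileEntries -Rows $files | Format-Table -AutoSize
```

Import-Csv returns every field as a string, which is why the Boolean columns are compared against 'True' rather than $true, and why the timestamp is cast to [datetime] before sorting.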

Until next time.