Shell-Core/Operational.evtx
C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx
This is one of the most overlooked logs in standard DFIR workflows. The Windows Shell - Explorer.exe and its surrounding infrastructure - drives the entire graphical user experience, and when users interact with core GUI elements it writes here. For proving an interactive desktop session actually took place, this log is uniquely authoritative.
Microsoft-Windows-Shell-Core/Operational - written by Explorer.exe and Windows Shell components
General
Shell-Core/Operational records activity generated by Explorer.exe and the Windows Shell API. Because it reflects interactions with the graphical desktop environment - opening the Start menu, launching applications, interacting with taskbar elements and managing shortcuts - it is particularly useful for proving that an attacker had an interactive GUI session rather than purely command-line or remote access. Event IDs in this log tie directly to specific shell UI interactions, making it a strong corroborating source alongside RDP session data from Security.evtx.
Traces
The most forensically significant Event IDs in the Shell-Core Operational log are:
| Event ID | Description |
|---|---|
| 9707 | Shell application launch started. Records when a user initiates a launch from the Windows Shell - confirms interactive GUI-driven execution distinct from command-line or service-based spawning. |
| 9708 | Shell application launch completed. Follows 9707 and confirms successful launch, with latency data that can reveal unusual execution paths. |
| 28115 | App pinned or unpinned from taskbar. Indicates deliberate, interactive user manipulation of the desktop environment. |
Forensic Value
- Prove interactive GUI sessions: Shell interaction events confirm that a human - either at the console or working through a VNC or RDP client - was actively navigating the Windows desktop, distinguishing interactive intrusions from purely automated exploitation.
- Corroborate RDP session activity: Correlating Shell-Core events against 4624 Type 10 (RemoteInteractive) logons from Security.evtx ties a remote login event to specific, observable GUI interactions on the compromised host.
- Detect attacker reconnaissance via GUI: Patterns of rapid shell launch events across unusual directories or executables suggest an attacker was browsing the filesystem or launching tools through Explorer rather than a terminal.
- Attribute lateral tool deployment: A 9707 event for a known remote access or hacking tool launched directly from the shell provides strong attribution evidence that a human operator was present at the keyboard.
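One way to carry out the Security.evtx correlation described above, as an added example rather than tooling from the page: PowerShell that pulls 4624 LogonType 10 logons and lists every Shell-Core 9707/9708/28115 event that falls within a window after each one. It assumes it is run elevated against the live channels, or pointed at exported .evtx files; the function name and the 30-minute window are assumptions, not documented values.

```powershell
# Added example (not the page's tooling): join Type 10 RDP logons from Security to Shell-Core GUI events.
# Assumptions: run elevated on the host, or pass exported .evtx paths; the 30-minute window is an analyst default.
function Get-ShellActivityAfterRdpLogon {
    param(
        [string]$SecurityLog = 'Security',
        [string]$ShellLog    = 'Microsoft-Windows-Shell-Core/Operational',
        [int]$WindowMinutes  = 30
    )
    # Accept either a live channel name or a path to an exported .evtx file.
    function Read-Log($Name, $Ids) {
        $filter = @{ Id = $Ids }
        if (Test-Path -LiteralPath $Name) { $filter['Path'] = $Name } else { $filter['LogName'] = $Name }
        Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue
    }
    # 4624 with LogonType 10 (RemoteInteractive) is an RDP logon; read the named EventData fields from the XML.
    $logons = foreach ($e in Read-Log $SecurityLog 4624) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($f in $x.Event.EventData.Data) { $d[$f.Name] = $f.'#text' }
        if ($d['LogonType'] -eq '10') {
            [pscustomobject]@{
                Time   = $e.TimeCreated
                User   = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source = $d['IpAddress']
            }
        }
    }
    # Shell-Core events that evidence GUI interaction: 9707/9708 launches, 28115 taskbar pin changes.
    $shell = Read-Log $ShellLog @(9707, 9708, 28115)
    # Time-window join: every shell event that follows a Type 10 logon within the window.
    # The shell event's UserId SID lets you discard hits from another user's session on the same host.
    foreach ($l in $logons | Sort-Object Time) {
        $end = $l.Time.AddMinutes($WindowMinutes)
        foreach ($h in $shell | Where-Object { $_.TimeCreated -ge $l.Time -and $_.TimeCreated -le $end }) {
            [pscustomobject]@{
                LogonTime = $l.Time
                RdpUser   = $l.User
                SourceIp  = $l.Source
                ShellTime = $h.TimeCreated
                EventId   = $h.Id
                ShellSid  = $h.UserId
                Message   = ($h.Message -split "`r?`n")[0]   # first line of the rendered message
            }
        }
    }
}
Get-ShellActivityAfterRdpLogon | Sort-Object ShellTime | Format-Table -AutoSize
```

A 4624 followed by a burst of 9707 events whose ShellSid matches the logged-on account is the corroboration the list above describes; a Type 10 logon with no Shell-Core activity in the window suggests the session never reached an interactive desktop, or that the channel was cleared.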