Process Execution
When a user launches an application in Windows, a complex sequence of system calls, loader operations and memory allocations takes place. Understanding this execution lifecycle is crucial for analysts because each step creates distinct forensic artifacts across the system. Tracing these artifacts allows us to prove exactly what ran, when it ran and how it was initiated.
Starting a program is like opening a restaurant for the night. You do not just unlock the front door. You have to turn on the lights, check the pantry and write the date in your logbook. If an inspector comes by later, they can look at the logbook, the dirty dishes and the receipts to prove you were open. Windows does the exact same thing by keeping logs and traces of every step it takes to open a program.
General
Almost all executable code in Windows relies on the Portable Executable (PE) format. A PE file acts as a structural map that tells the Windows Loader how to map its code and resources into memory. When a process is started through the CreateProcess API, the kernel engages the Memory Manager and the Plug and Play subsystem, and this interaction itself leaves persistent artifacts on disk. We analyze these traces to detect unauthorized software execution even after the binary has been deleted.
Traces
When a process executes, the system generates a chronological trail of evidence. Here are the core artifacts we look for:
- UserAssist: Registry keys tracking GUI execution counts and last run times.
- ShimCache: Application compatibility logs verifying the file path and execution status.
- Prefetch: System traces proving the binary was loaded into memory.
- AmCache: Windows inventory tracking the application SHA-1 hash and installation details.
- BAM/DAM: Background activity moderator logs tracking process execution times.
- and more.
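The UserAssist entry above is a good illustration of how an artifact encodes "what ran, when and how often". The decoder below is an added example, not code from the original page; it assumes the Windows 7 and later 72-byte Count value layout (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at 60) and parses a constructed sample value rather than a live registry hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist Count value layout (72 bytes): run count at offset 4,
# focus count at 8, focus time in ms at 12, last-run FILETIME at offset 60.
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    return _EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    return int((dt - _EPOCH) // timedelta(microseconds=1)) * 10


def parse_userassist(value_name: str, data: bytes) -> dict:
    """Decode one UserAssist\\{GUID}\\Count value into analyst-friendly fields."""
    if len(data) < 68:
        raise ValueError(f"unexpected UserAssist data length {len(data)}")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "path": codecs.decode(value_name, "rot_13"),  # value names are ROT13-obfuscated
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_s": focus_ms / 1000,
        # A zero FILETIME means the entry exists but carries no last-run time.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


# Constructed sample (not taken from a real system): cmd.exe under the System32
# known-folder GUID, run 5 times, last run 2024-03-01 12:00:00 UTC.
SAMPLE_NAME = codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\cmd.exe", "rot_13")
SAMPLE_LAST_RUN = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_DATA = (
    struct.pack("<IIII", 0, 5, 3, 12000)
    + b"\x00" * 44
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))
    + b"\x00" * 4
)

if __name__ == "__main__":
    for key, value in parse_userassist(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key:>13}: {value}")
```

On a real case the value name and data come from the NTUSER.DAT hive of the user in question, so the decoded timestamp should be cross-checked against Prefetch and BAM before treating it as the definitive last-run time.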
Forensic Use Cases
We use execution artifacts to map out user activity and detect advanced evasion techniques:
- Malware Execution: Proving that a malicious payload actually ran on the system.
- Lateral Movement: Tracking remote execution activity through tools like PsExec or WMI.
- Process Hollowing: Detecting discrepancies between memory regions and disk-based executables.
- Anti-Forensics: Identifying missing logs or mismatching timestamps that indicate tampering.
- and more.