AppCompatFlags
NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
AppCompatFlags records compatibility shims applied to executables — either by a user right-clicking and selecting "Run in compatibility mode" or by the Windows Program Compatibility Assistant doing it automatically. Either way, Windows had to see and process that binary, making this a reliable execution indicator with a human-interaction angle.
Key Name
Layers — value name is the full path to the executable; data contains the compatibility flag string (e.g., WIN7RTM RUNASADMIN)
Trace Type
Execution
Hive
NTUSER.DAT (per-user) and SOFTWARE (system-wide) under identical subkey paths
Last Write Time
Reflects when the compatibility flag was last set on the Layers key — helps anchor the time a user or script interacted with that specific binary.
User Specific
Yes. The NTUSER.DAT instance is user-scoped. The SOFTWARE hive variant is machine-wide and visible to all accounts.
Forensic Value
- Prove binary existence post-deletion: The full executable path is stored as the value name. Even after the file is wiped, this entry proves the binary existed and was interacted with on this system.
- Confirm deliberate user action: Setting a compatibility flag requires a conscious interaction — right-clicking, choosing properties, selecting a mode. This is not an accidental or automated artifact.
- Identify privilege escalation attempts: The RUNASADMIN flag shows a user or attacker explicitly tried to run a binary with elevated privileges.
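As an added example (not part of this reference card), the following Python triages Layers values exported from a hive: the value name is taken as the executable path, the data is split into its layer flags, and entries carrying an elevation flag are surfaced. The sample values are constructed; the leading "~ " token that Windows 10/11 write before the flags is handled, and RUNASHIGHEST is included alongside RUNASADMIN as a second elevation layer (an assumption beyond what the card lists).

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of what a parser would read from
# NTUSER.DAT\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
# (value name = full executable path, data = space-separated layer flags).
SAMPLE_LAYERS = {
    r"C:\Users\alice\Downloads\setup_tool.exe": "~ WIN7RTM RUNASADMIN",
    r"C:\Program Files\OldApp\oldapp.exe": "WINXPSP3",
    r"D:\tmp\updater.exe": "~ RUNASADMIN HIGHDPIAWARE",
}
# Constructed key last-write time; it dates the key, not any single value.
SAMPLE_LAST_WRITE = datetime(2024, 3, 5, 14, 22, 7, tzinfo=timezone.utc)

# RUNASADMIN is on the card; RUNASHIGHEST ("run as highest available") is an
# assumed additional elevation layer included for completeness.
ELEVATION_FLAGS = {"RUNASADMIN", "RUNASHIGHEST"}


@dataclass
class LayerEntry:
    path: str          # full path recorded as the value name
    flags: list[str]   # layer flags from the value data
    elevated: bool     # True when an elevation layer is present
    modern_format: bool  # True when the "~" prefix (Win10/11) was present


def parse_layer_data(data: str) -> tuple[list[str], bool]:
    """Split value data into flags, stripping the optional leading '~'."""
    tokens = data.split()
    modern = bool(tokens) and tokens[0] == "~"
    return (tokens[1:] if modern else tokens), modern


def parse_layers(values: dict[str, str]) -> list[LayerEntry]:
    """Turn exported Layers values into structured entries."""
    entries = []
    for path, data in values.items():
        flags, modern = parse_layer_data(data)
        entries.append(LayerEntry(path, flags, bool(ELEVATION_FLAGS & set(flags)), modern))
    return entries


def elevated_paths(values: dict[str, str]) -> list[str]:
    """Paths whose compatibility layers request elevation (RUNASADMIN etc.)."""
    return [e.path for e in parse_layers(values) if e.elevated]


def report(values: dict[str, str], key_last_write: datetime) -> list[str]:
    """One line per entry; the key timestamp bounds the latest change only."""
    lines = [f"Layers key last written {key_last_write.isoformat()} (applies to whole key)"]
    for e in parse_layers(values):
        tag = "ELEVATED" if e.elevated else "ok"
        lines.append(f"[{tag}] {e.path} -> {' '.join(e.flags)}")
    return lines
```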