BAM / DAM
SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{SID}

The Background Activity Moderator (BAM) and its tablet-focused sibling Desktop Activity Moderator (DAM) were introduced in Windows 10 1709 to throttle background processes for power management. As a side effect, they record the full executable path and last run timestamp for every background binary — organized by user SID — giving investigators a clean, per-user execution log inside the SYSTEM hive.
Key Name
{Executed Filepath} — REG_BINARY value name is the full path; data encodes the last execution time
Trace Type
Execution
Hive
SYSTEM. Entries are stored per-user under their SID despite living in the machine-wide hive.
Last Write Time
Reflects the last time the BAM service updated user entries — aligns with system activity windows and can confirm or contradict claimed logon times.
User Specific
Yes. Entries are siloed under UserSettings\{SID}, enabling per-account attribution even from this system-wide hive.
Forensic Value
- Full path execution proof: Provides complete paths for launched binaries. Pivot to the Execution overview to see how BAM data correlates with other process-level traces.
- User-level attribution from SYSTEM hive: The SID-keyed structure lets you attribute execution to a specific account even from a system-wide hive.
- Recent activity window: BAM entries persist for short-term incident scoping, ideal for confirming what ran in the days leading up to detection.
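The sketch below is an added example, not code from this page: it turns exported BAM values into a per-user execution timeline. It assumes the last execution time is a little-endian 64-bit FILETIME in the first 8 bytes of each REG_BINARY value; the SIDs, paths, the non-binary `Version` entry and the padding length in the sample are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(raw):
    """Decode a little-endian 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    (ticks,) = struct.unpack("<Q", raw[:8])
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_bam(user_settings):
    """Return (last_run_utc, sid, path) rows, newest first."""
    rows = []
    for sid, values in user_settings.items():
        for name, data in values.items():
            # Bookkeeping values are not REG_BINARY; truncated data cannot hold a FILETIME.
            if not isinstance(data, bytes) or len(data) < 8:
                continue
            if data[:8] == b"\x00" * 8:  # zero timestamp: no recorded run
                continue
            rows.append((filetime_to_utc(data), sid, name))
    return sorted(rows, reverse=True)

def _sample_data(dt):
    """Constructed REG_BINARY payload: FILETIME plus padding (padding length assumed)."""
    ticks = ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks) + b"\x00" * 16

# Constructed sample, shaped like values exported from ...\bam\State\UserSettings\{SID}
SAMPLE = {
    "S-1-5-21-1111111111-2222222222-3333333333-1001": {
        "Version": 1,  # hypothetical non-binary bookkeeping value
        r"\Device\HarddiskVolume3\Users\alice\Downloads\tool.exe":
            _sample_data(datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc)),
        r"\Device\HarddiskVolume3\Windows\System32\cmd.exe":
            _sample_data(datetime(2024, 3, 4, 9, 15, tzinfo=timezone.utc)),
        r"\Device\HarddiskVolume3\Temp\short.exe": b"\x01\x02",  # truncated data
    },
    "S-1-5-21-1111111111-2222222222-3333333333-1002": {
        r"\Device\HarddiskVolume3\Windows\System32\mmc.exe":
            _sample_data(datetime(2024, 3, 5, 8, 0, tzinfo=timezone.utc)),
    },
}

if __name__ == "__main__":
    for when, sid, path in parse_bam(SAMPLE):
        print(when.isoformat(), sid, path)
```

Timestamps are emitted in UTC, so convert event log or logon times to UTC before comparing them against this timeline.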
For more info, check out these articles: Execution