RecentApps
The RecentApps registry key is a small but reliable execution artifact in the user hive that records which applications a given user account launched most recently, how often, and when. Unlike artifacts that need heavy parsing, it yields a short, readily readable list of programs and timestamps, which makes it a good first-pass triage target during incident response.
Think of the RecentApps key as the "recently used apps" list in a phone's app switcher: each time an app is opened it moves to the top of the list. Windows keeps a similar list in the registry, one per user, and updates the entry for a program each time it is launched. Investigators read it to see at a glance the last set of applications a user was running on the machine.
General
RecentApps is stored in the NTUSER.DAT hive of each user account, under HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps (when an offline NTUSER.DAT is loaded with reg.exe load, the same path sits under the mounted hive name instead of HKCU). Each subkey beneath this path represents one application and is named with a GUID. Inside, the AppId value holds the executable path (or the application user model ID for packaged apps), LaunchCount holds the number of launches, and LastAccessedTime holds the most recent launch as a 64-bit FILETIME in UTC. Because the key lives in a per-user hive, every entry is directly attributable to the account that executed the application. One caveat: the key is a Windows 10 artifact and is not populated on every build; on later Windows 10 releases and on Windows 11 it is typically absent or empty, so a missing key is not by itself evidence of tampering.
Traces
Parsing RecentApps registry subkeys exposes compact but useful investigative data:
- Application Path (AppId): the full path of the executable that was launched, or the application user model ID for a packaged app.
- Last Access Time (LastAccessedTime): the FILETIME of the most recent launch, stored in UTC; convert it rather than reading the raw 64-bit value.
- Launch Count (LaunchCount): the number of times this user account opened the application.
- App ID / GUID: the GUID that names each application's subkey and distinguishes one entry from another.
- Recent Items: an optional RecentItems subkey under each application, with one GUID subkey per file the user opened through that application, carrying Name, Path and LastAccessedTime values.
Forensic Value
We use RecentApps as a fast-triage artifact to map user activity against known malicious tools:
- Quick Execution Validation: confirming that a suspect tool ran, and when, without deep parsing. Cross-check each hit against UserAssist, which keeps its own run count and last-run timestamp for GUI-initiated launches; the two counters are maintained separately and need not be equal, but an entry in one with nothing in the other, or timestamps that disagree, is worth a closer look.
- User Attribution: tying application usage to a concrete Windows user account, since the key lives in that account's NTUSER.DAT.
- Anti-Forensics Detection: spotting gaps between artifacts, such as an application with a LaunchCount in RecentApps but no matching UserAssist or Prefetch entry, which may indicate the user selectively cleared other traces. Keep in mind that the RecentApps key itself can be deleted, and that on Windows builds that do not populate it an empty key is normal.
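As an added example (not code from the original page), the PowerShell script below walks one user's RecentApps key, converts the FILETIME values, lists each application's RecentItems, and cross-checks every executable against that user's UserAssist entries; it covers both the parsing described under Traces and the validation and anti-forensics checks above. It assumes a live session on the user's own account (HKCU:) or an NTUSER.DAT loaded with reg.exe load; the hive mount name HKU\Suspect and the $SuspectTools watch list are placeholders, not values from the page.

```powershell
# Added example (not from the original page): list one user's RecentApps entries
# and cross-check each against UserAssist. Assumes a live session on the user's
# own account (HKCU:). For an offline NTUSER.DAT, load the hive first from an
# elevated prompt:
#     reg.exe load HKU\Suspect C:\Cases\user1\NTUSER.DAT
# and run with -HiveRoot 'Registry::HKEY_USERS\Suspect'. $SuspectTools is a
# hypothetical watch list; replace it with the case's own indicators.
param(
    [string]$HiveRoot = 'HKCU:',
    [string[]]$SuspectTools = @('mimikatz.exe', 'psexec.exe', 'procdump.exe', 'nc.exe')
)

$recentAppsKey = "$HiveRoot\SOFTWARE\Microsoft\Windows\CurrentVersion\Search\RecentApps"
$userAssistKey = "$HiveRoot\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"

# UserAssist value names are ROT13-encoded paths.
function ConvertFrom-Rot13([string]$Text) {
    -join ($Text.ToCharArray() | ForEach-Object {
        if ($_ -cmatch '[A-Ma-m]')     { [char]([int]$_ + 13) }
        elseif ($_ -cmatch '[N-Zn-z]') { [char]([int]$_ - 13) }
        else                           { $_ }
    })
}

# Registry FILETIME (100 ns ticks since 1601-01-01, UTC) to DateTime; 0 means "never set".
function ConvertFrom-FileTime([long]$Ticks) {
    if ($Ticks -gt 0) { [DateTime]::FromFileTimeUtc($Ticks) } else { $null }
}

# Build a lookup of UserAssist entries keyed by executable name. On Windows 7 and
# later each Count value is a 72-byte record: run count at offset 4 (UInt32),
# last-executed FILETIME at offset 60 (Int64).
$userAssist = @{}
foreach ($guidKey in (Get-ChildItem $userAssistKey -ErrorAction SilentlyContinue)) {
    $countKey = $guidKey.OpenSubKey('Count')
    if (-not $countKey) { continue }
    foreach ($valueName in $countKey.GetValueNames()) {
        $bytes = $countKey.GetValue($valueName)
        if ($bytes -isnot [byte[]] -or $bytes.Length -lt 68) { continue }
        $decoded = ConvertFrom-Rot13 $valueName
        $exe = ($decoded -split '\\')[-1].ToLowerInvariant()
        $userAssist[$exe] = [pscustomobject]@{
            RunCount = [BitConverter]::ToUInt32($bytes, 4)
            LastRun  = ConvertFrom-FileTime ([BitConverter]::ToInt64($bytes, 60))
        }
    }
}

# Walk RecentApps: one GUID subkey per application, plus an optional RecentItems
# subkey listing files the user opened through that application.
$report = foreach ($appKey in (Get-ChildItem $recentAppsKey -ErrorAction SilentlyContinue)) {
    $props = Get-ItemProperty -Path $appKey.PSPath
    $exe   = ([string]$props.AppId -split '\\')[-1].ToLowerInvariant()
    $ua    = $userAssist[$exe]

    $recentItems = @()
    $itemsKey = $appKey.OpenSubKey('RecentItems')
    if ($itemsKey) {
        foreach ($itemName in $itemsKey.GetSubKeyNames()) {
            $item = $itemsKey.OpenSubKey($itemName)
            $recentItems += [pscustomobject]@{
                Name          = $item.GetValue('Name')
                Path          = $item.GetValue('Path')
                LastAccessUtc = ConvertFrom-FileTime ([long]$item.GetValue('LastAccessedTime'))
            }
        }
    }

    [pscustomobject]@{
        Guid              = $appKey.PSChildName
        AppId             = $props.AppId
        LaunchCount       = [int]$props.LaunchCount
        LastAccessUtc     = ConvertFrom-FileTime ([long]$props.LastAccessedTime)
        UserAssistRuns    = if ($ua) { $ua.RunCount } else { $null }
        UserAssistLastRun = if ($ua) { $ua.LastRun } else { $null }
        Suspect           = ($SuspectTools -contains $exe)
        RecentItems       = $recentItems
    }
}

# Triage view: most recent first, watch-list hits flagged. A RecentApps entry with
# no UserAssist counterpart (or vice versa) is a gap worth explaining.
$report | Sort-Object LastAccessUtc -Descending |
    Format-Table LastAccessUtc, LaunchCount, UserAssistRuns, UserAssistLastRun, Suspect, AppId -AutoSize

# Drill into the files opened through any flagged tool.
$report | Where-Object Suspect | ForEach-Object {
    "== $($_.AppId) (GUID $($_.Guid))"
    $_.RecentItems | Format-Table LastAccessUtc, Name, Path -AutoSize
}
```

The cross-check matches on executable name rather than full path because UserAssist value names usually start with a known-folder GUID instead of a drive letter. LaunchCount and the UserAssist run count are kept by different components and will rarely agree exactly; the useful signal is an application present in one artifact and absent from the other, or a last-run time in UserAssist that is later than the RecentApps LastAccessedTime. When working from a loaded offline hive, unload it afterwards with reg.exe unload HKU\Suspect.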
For more information, see the related article: UserAssist