VIEWING PERSISTENT PROGRAMS

Forensic Workstation:
 username: Administrator
 password: ...
 
REGISTRY-EXPLORER> File > Load hive
 Select Hive: C:\Users\Administrator\Desktop\Registry Hives\SOFTWARE
  * Hold the "SHIFT" key when opening the file
  
REGISTRY-EXPLORER>
 Query: Run
  ROOT\Microsoft\Windows\CurrentVersion\Run
  Sort: By Timestamp
  
  Value Name	   Value   Type	Data	                                                Value Slack	Is Deleted	Data Record Reallocated
  drone_helper   ResSz   C:\Program Files\DroneManager\dronehelper.exe --background	81-02       N/A         N/A
  
 * the "run" key of SOFTWARE hive stores information on the programs that are set 
   to automatically start when the users logs in.

PreviousVIEWING RECENTLY ACCESSED APPS NextREGISTRY EDITOR

Last updated 1 day ago