VIEWING RECENTLY ACCESSED APPS

Forensic Workstation:
 username: Administrator
 password: ...
 
REGISTRY-EXPLORER> File > Load hive
 Select Hive: C:\Users\Administrator\Desktop\Registry Hives\NTUSER.DAT
  * Hold the "SHIFT" key when opening the file
  
REGISTRY-EXPLORER>
 Query: UserAssist
  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
  Find: "Drone"
  
  Program Name												                        Run Counter		Focus Counter	Focus Time		Last Executed
  C:\Users\dispatch.admin\Downloads\DroneManager_Setup.exe			        1					      0	0d,0d,00m,00s	2025-10-21 20:52:32
  
 * the UserAssist key from NTUSER.DAT stores information on recently accessed 
   applications launched via the GUI

PreviousVIEWING INSTALLED PROGRAMS NextVIEWING PERSISTENT PROGRAMS

Last updated 1 day ago