ITM is an open framework - Submit your contributions now.

Anti-Forensics

Clear Browser Artifacts

Clear Command History

Clear Operating System Logs

Decrease Privileges

Delete User Account

Deletion of Volume Shadow Copy

Disk Wiping

File Deletion

File Encryption

Hide Artifacts

Log Tampering

Modify Windows Registry

Physical Destruction of Storage Media

Physical Removal of Disk Storage

Steganography

Image Steganography

System Shutdown

Timestomping

Tripwires

Uninstalling Software

Virtualization

Windows System Time Modification

ID: AF007
Created: 25th May 2024
Updated: 05th July 2024
Platform: Windows
Contributor: The ITM Team

Modify Windows Registry

A subject may modify keys or key values within the Windows Registry to conceal actions they have conducted related to an infringement.

Subsections

ID	Name	Description
AF007.001	Delete or Modify Registry Key	The subject deletes or modifies Windows Registry keys to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting these keys can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system.
AF007.002	Delete or Modify Registry Key Value	The subject deletes or modifies Windows Registry key values to hinder an investigation by removing information that can be used by investigators. Many actions and configurations on a Windows system are logged or stored in the registry. Deleting key values can make it harder for investigators to trace the attacker's steps and understand what changes were made to the system.
AF007.003	Disabling Application Launch Tracking via Registry	The subject modifies the Windows Registry to disable the operating system’s application launch tracking, thereby preventing the creation of key forensic artifacts used to reconstruct user activity. This technique suppresses the generation of records in RunMRU (Run Most Recently Used) and UserAssist, both of which are commonly referenced in forensic timelines to identify command execution and GUI application use. By setting the registry value: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs = 0` Windows stops logging user application launches, resulting in missing or incomplete histories. This technique is subtle and persistent, particularly effective on systems where registry auditing is not actively enforced. Example Scenario: A subject disables application tracking on a corporate workstation using a script that sets `Start_TrackProgs = 0` under their HKCU hive. Over several days, they use various portable administrative tools (e.g., credential viewers, compression utilities) without creating entries in RunMRU or UserAssist. When an internal investigation is launched, investigators find an unexpected absence of user activity in these artifacts, delaying attribution and requiring deeper memory analysis to reconstruct events.