Disabling Application Launch Tracking via Registry

The subject modifies the Windows Registry to disable the operating system’s application launch tracking, thereby preventing the creation of key forensic artifacts used to reconstruct user activity. This technique suppresses the generation of records in RunMRU (Run Most Recently Used) and UserAssist, both of which are commonly referenced in forensic timelines to identify command execution and GUI application use.

By setting the registry value:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs = 0

Windows stops logging user application launches, resulting in missing or incomplete histories. This technique is subtle and persistent, particularly effective on systems where registry auditing is not actively enforced.

Example Scenario:
A subject disables application tracking on a corporate workstation using a script that sets Start_TrackProgs = 0 under their HKCU hive. Over several days, they use various portable administrative tools (e.g., credential viewers, compression utilities) without creating entries in RunMRU or UserAssist. When an internal investigation is launched, investigators find an unexpected absence of user activity in these artifacts, delaying attribution and requiring deeper memory analysis to reconstruct events.