Disabling Application Launch Tracking via Registry

The Principle of Least Privilege should be enforced, and period reviews of permissions conducted to ensure that accounts have the minimum level of access required to complete duties as per their role.

Windows Group Policy can be used to prevent specific accounts from accessing Registry Editor. This can prevent them from reading the registry or making modifications, if their permissions allow, using this utility.

Monitor for the unexpected absence or sudden cessation of updates to the RunMRU and UserAssist registry keys, which are key forensic artifacts used to reconstruct user activity in Windows environments.
 

• RunMRU records commands entered into the Run dialog (Win + R).
• UserAssist tracks GUI-based application execution via Windows Explorer (e.g., Start Menu, desktop shortcuts).

Anomalies in these keys, such as prolonged periods without updates, missing values during active sessions, or abrupt last write timestamps, may suggest that the subject uses anti-forensic techniques to suppress activity logging. This can include disabling app tracking via registry modification, operating from a virtual machine, or deliberately launching tools in ways that avoid tracking (e.g., via command line or scripting).

Detection Methods:

• Baseline Comparison: During forensic triage, compare the current volume of entries in RunMRU and UserAssist against historical user activity patterns or comparable peer profiles. A complete absence or sudden drop in entry count over time may indicate intentional suppression.
• Registry Timeline Analysis: Use forensic tools (e.g., KAPE, RECmd, Eric Zimmerman's Registry Explorer, or X-Ways) to extract and inspect:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}

Review Last Write Time of each key and subkey and correlate them with other artifacts such as login sessions from security logs, Shellbag and Jump List updates, and file system access or modification timestamps.

• Session Correlation: Compare registry update frequency with logon sessions (Event ID 4624), unlock activity (Event ID 4801), and user-initiated application launches (prefetch, shortcut use, etc.). Look for sessions where expected application usage occurred but no associated entries were recorded.
• Gaps in GUI Execution Artifacts: If a user has opened GUI tools (e.g., Notepad, Calculator, Explorer) but no UserAssist entries appear, this may indicate launch tracking has been disabled or cleared.

Indicators:
 

• RunMRU and UserAssist keys exist but show no new entries over several active user sessions.
• Last Write Time for these keys predates the most recent login by hours or days.
• High activity from other user-space artifacts (shellbags, LNK files, Jump Lists), but no corresponding launch tracking.
• User is known to interact with GUI apps, but no UserAssist GUID entries are updating.
• Registry keys exist but contain minimal or default values, suggesting manual clearing or pre-launch suppression.

An agent capable of Endpoint Detection and Response (EDR) is a software agent installed on organization endpoints (such as laptops and servers) that (at a minimum) records the Operating System, application, and network activity on an endpoint.

Typically EDR operates in an agent/server model, where agents automatically send logs to a server, where the server correlates those logs based on a rule set. This rule set is then used to surface potential security-related events, that can then be analyzed.

An EDR agent typically also has some form of remote shell capability, where a user of the EDR platform can gain a remote shell session on a target endpoint, for incident response purposes. An EDR agent will typically have the ability to remotely isolate an endpoint, where all network activity is blocked on the target endpoint (other than the network activity required for the EDR platform to operate).

An agent capable of User Activity Monitoring (UAM) is a software agent installed on organization endpoints (such as laptops); typically, User Activity Monitoring agents are only deployed on endpoints where a human user Is expected to conduct the activity.

The User Activity Monitoring agent will typically record Operating System, application, and network activity occurring on an endpoint, with a focus on activity that is or can be conducted by a human user. The purpose of this monitoring is to identify undesirable and/or malicious activity being conducted by a human user (in this context, an Insider Threat).

Typical User Activity Monitoring platforms operate in an agent/server model where activity logs are sent to a server for automatic correlation against a rule set. This rule set is used to surface activity that may represent Insider Threat related activity such as capturing screenshots, copying data, compressing files or installing risky software.

Other platforms providing related functionality are frequently referred to as User Behaviour Analytics (UBA) platforms.

An agent capable of User Behaviour Analytics (UBA) is a software agent installed on organizational endpoints (such as laptops). Typically, User Activity Monitoring agents are only deployed on endpoints where a human user is expected to conduct the activity.

The User Behaviour Analytics agent will typically record Operating System, application, and network activity occurring on an endpoint, focusing on activity that is or can be conducted by a human user. Typically, User Behaviour Analytics platforms operate in an agent/server model where activity logs are sent to a server for automatic analysis. In the case of User Behaviour Analytics, this analysis will typically be conducted against a baseline that has previously been established.

A User Behaviour Analytic platform will typically conduct a period of ‘baselining’ when the platform is first installed. This baselining period establishes the normal behavior parameters for an organization’s users, which are used to train a Machine Learning (ML) model. This ML model can then be later used to automatically identify activity that is predicted to be an anomaly, which is hoped to surface user behavior that is undesirable, risky, or malicious.

Other platforms providing related functionality are frequently referred to as User Activity Monitoring (UAM) platforms.

Monitor and audit the Start_TrackProgs registry value located at:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

This value controls whether Windows logs application launch activity to the UserAssist and RunMRU keys. When set to 1 (default), app tracking is enabled. When set to 0, application launch tracking is disabled, significantly reducing the availability of user activity artifacts for forensic reconstruction.
 

A subject modifying this setting may be attempting to operate without leaving standard execution traces, making it a low-noise anti-forensics technique that can persist across sessions and reboots.