Detections

Monitor for the unexpected absence or sudden cessation of updates to the RunMRU and UserAssist registry keys, which are key forensic artifacts used to reconstruct user activity in Windows environments.

RunMRU records commands entered into the Run dialog (Win + R).
UserAssist tracks GUI-based application execution via Windows Explorer (e.g., Start Menu, desktop shortcuts).

Anomalies in these keys, such as prolonged periods without updates, missing values during active sessions, or abrupt last write timestamps, may suggest that the subject uses anti-forensic techniques to suppress activity logging. This can include disabling app tracking via registry modification, operating from a virtual machine, or deliberately launching tools in ways that avoid tracking (e.g., via command line or scripting).

Detection Methods:

Baseline Comparison: During forensic triage, compare the current volume of entries in RunMRU and UserAssist against historical user activity patterns or comparable peer profiles. A complete absence or sudden drop in entry count over time may indicate intentional suppression.
Registry Timeline Analysis: Use forensic tools (e.g., KAPE, RECmd, Eric Zimmerman's Registry Explorer, or X-Ways) to extract and inspect:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}

Review Last Write Time of each key and subkey and correlate them with other artifacts such as login sessions from security logs, Shellbag and Jump List updates, and file system access or modification timestamps.

Session Correlation: Compare registry update frequency with logon sessions (Event ID 4624), unlock activity (Event ID 4801), and user-initiated application launches (prefetch, shortcut use, etc.). Look for sessions where expected application usage occurred but no associated entries were recorded.
Gaps in GUI Execution Artifacts: If a user has opened GUI tools (e.g., Notepad, Calculator, Explorer) but no UserAssist entries appear, this may indicate launch tracking has been disabled or cleared.

Indicators:

RunMRU and UserAssist keys exist but show no new entries over several active user sessions.
Last Write Time for these keys predates the most recent login by hours or days.
High activity from other user-space artifacts (shellbags, LNK files, Jump Lists), but no corresponding launch tracking.
User is known to interact with GUI apps, but no UserAssist GUID entries are updating.
Registry keys exist but contain minimal or default values, suggesting manual clearing or pre-launch suppression.

Sections

ID	Name	Description
AF007.003	Disabling Application Launch Tracking via Registry	The subject modifies the Windows Registry to disable the operating system’s application launch tracking, thereby preventing the creation of key forensic artifacts used to reconstruct user activity. This technique suppresses the generation of records in RunMRU (Run Most Recently Used) and UserAssist, both of which are commonly referenced in forensic timelines to identify command execution and GUI application use. By setting the registry value: `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs = 0` Windows stops logging user application launches, resulting in missing or incomplete histories. This technique is subtle and persistent, particularly effective on systems where registry auditing is not actively enforced. Example Scenario: A subject disables application tracking on a corporate workstation using a script that sets `Start_TrackProgs = 0` under their HKCU hive. Over several days, they use various portable administrative tools (e.g., credential viewers, compression utilities) without creating entries in RunMRU or UserAssist. When an internal investigation is launched, investigators find an unexpected absence of user activity in these artifacts, delaying attribution and requiring deeper memory analysis to reconstruct events.