Detections
- ID: DT133
- Created: 03rd July 2025
- Updated: 03rd July 2025
- Platform: Windows
- Contributor: The ITM Team
Snipping Tool Autosave Setting Modification
Settings data for Snipping Tool on Windows 11 is stored in a registry hive file located at C:\Users\JBeam\AppData\Local\Packages\Microsoft.ScreenSketch_8wekyb3d8bbwe\Settings\Settings.dat. Using a tool such as Registry Explorer, investigators can load this registry hive and review the contents. The value of two settings can help determine whether the subject has disabled automatic saving of screenshots (snips) or screen recordings: AutoSaveCaptures and AutoSaveScreenRecordings.
A value beginning with F0-FF-FF-FF-00 means this setting is disabled
- Automatic saving is off, use the fallback artifacts Snipping Tool TempState\Snips and Snipping Tool TempState\Recordings.
A value beginning with F0-FF-FF-FF-01 means this setting is enabled
- Automatic saving is on, which is the default behaviour, use the primary artifacts Snipping Tool Cached Screenshots and Snipping Tool Cached Recordings.
Sections
| ID | Name | Description |
|---|---|---|
| ME011 | Screenshots and Screen Recording | A subject can take screenshots or record their screen on a device. |
| PR028.002 | Capture via Screen Recording | The subject initiates a screen recording session to continuously capture visual activity on their workstation. Unlike isolated screenshots, screen recordings provide a persistent visual record that may include system navigation, data access patterns, command execution, or user interactions with sensitive tools and content.
Screen recordings are commonly used to circumvent restrictions on file downloads, printing, or copy-paste functionality. They allow subjects to preserve dynamic content, such as chat conversations and video meetings, that may not be available later or that are heavily monitored in other forms. The resulting files are often compressed and exported in standard formats (e.g., .mp4, .mov) and may be exfiltrated at a later time.
Subjects may use operating system–native tools (e.g., Xbox Game Bar on Windows, QuickTime on macOS) or third-party utilities (e.g., OBS Studio, Snagit, Loom) to conduct these recordings. Because many of these tools are not considered malicious, their use may not be flagged unless specifically configured for detection. |
| PR028.001 | Capture via Screenshot | The subject uses built-in or third-party tools to capture screenshots of sensitive data displayed on the screen. This may include financial records, source code, client information, internal chat transcripts, access credentials, or proprietary interfaces. Screenshot capture is often used as a low-friction means of data retention or transfer, especially in environments where traditional download or export functions are blocked, monitored, or leave visible artifacts. |