Uncovering Digital Footprints: How the Windows Registry Records Program Execution

In the world of digital forensics, the Windows Registry is often likened to a diary that chronicles every interaction a user has with a system. From opening a document to launching an application, each action leaves a subtle trace that investigators can follow. In this guide, we’ll walk through the most useful registry locations that reveal evidence of execution, explain how to read them, and show you how to piece together the story of what happened on a machine.

What the Registry Reveals About Recent Activity

When a user opens a file or runs a program, Windows writes a record of that event to a specific hive. The most frequently accessed hive for this purpose is NTUSER.DAT, which stores all user‑specific settings. Within this hive, the RecentDocs key keeps a list of files that have been accessed recently. The path is:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs

Each entry in this key is a binary blob that contains the file’s full path, the time it was opened, and the file type. For investigators, this list is invaluable because it shows exactly what the user was working on immediately before the system was seized. It can also help confirm whether a suspect had access to a particular document or whether a malicious file was opened.

Beyond RecentDocs, other keys provide insight into user activity:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentPlaces – tracks folders that were recently visited.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU – logs commands entered into the Run dialog.
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths – records paths typed directly into the address bar.

Each of these keys is organized so that the newest entries appear first, making it easy to spot the most recent actions.

How to Locate and Interpret Execution Artifacts

When you open a forensic image, the first step is to mount the registry hives. Tools like RegRipper, Registry Explorer, or the built‑in Windows Registry Editor can help you navigate to the relevant keys. Once you have the hive, look for the following patterns:

  1. Timestamp format – Windows stores times as 64‑bit values representing the number of 100‑nanosecond intervals since January 1, 1601 (UTC). Convert these to human‑readable dates using a script or a tool like RegRipper’s timeformat plugin.
  2. File path extraction – In RecentDocs, the binary data is a series of Unicode strings. The first string is the file path; subsequent strings may contain the file name, type, and other metadata.
  3. Key hierarchy – The registry’s tree structure often mirrors the logical organization of Windows. For example, Explorer\RecentDocs is nested under CurrentVersion, which in turn is under Microsoft and Windows.

To illustrate, let’s walk through a typical extraction:

1. Open NTUSER.DAT with Registry Explorer.
2. Navigate to Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs.
3. Expand the key to view the binary values.
4. Use RegRipper’s regedits plugin to decode the binary data.
5. Convert the timestamps to local time for context.
6. Cross‑reference the file paths with the file system to verify existence and content.

By following these steps, you can build a timeline of user activity that is both precise and verifiable.
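As an added example, not code from the original article, the following Python script decodes constructed RecentDocs-style data: it converts FILETIME values as described in step 1 of the patterns above, pulls the leading Unicode string from each value as in step 2, and goes one step beyond the text by ordering the entries through the key's MRUListEx value, which lists value indexes newest first. The value names, bytes and FILETIME are constructed for the demonstration, not taken from a real hive.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME epoch: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME to an aware UTC datetime (100-ns ticks rounded down to microseconds)."""
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def decode_recentdocs_name(data: bytes) -> str:
    """Return the leading NUL-terminated UTF-16LE string of a RecentDocs value; trailing shell-item bytes are ignored."""
    end = 0
    while end + 1 < len(data) and data[end:end + 2] != b"\x00\x00":
        end += 2
    return data[:end].decode("utf-16-le")

def parse_mrulistex(data: bytes) -> list[int]:
    """Parse MRUListEx: little-endian DWORD value indexes, newest first, terminated by 0xFFFFFFFF."""
    order = []
    for (idx,) in struct.iter_unpack("<I", data):
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recentdocs_timeline(values, mrulistex, key_last_write):
    """Order entries newest-first. Only the head of the list is dated: the key's LastWrite time
    records when that value was written; the remaining entries carry no timestamp here."""
    timeline = []
    for position, idx in enumerate(parse_mrulistex(mrulistex)):
        name = decode_recentdocs_name(values[str(idx)])
        when = filetime_to_datetime(key_last_write) if position == 0 else None
        timeline.append((name, when))
    return timeline

# Constructed sample (not from a real hive): three values, an MRUListEx and a key LastWrite FILETIME
SAMPLE_VALUES = {
    "0": "budget.xlsx".encode("utf-16-le") + b"\x00\x00\x14\x00\x32\x00",  # trailing shell-item bytes
    "1": "notes.txt".encode("utf-16-le") + b"\x00\x00",
    "2": "invoice.pdf".encode("utf-16-le") + b"\x00\x00\x14\x00",
}
SAMPLE_MRULISTEX = struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF)
SAMPLE_LASTWRITE = 133_000_000_000_000_000

if __name__ == "__main__":
    for name, when in recentdocs_timeline(SAMPLE_VALUES, SAMPLE_MRULISTEX, SAMPLE_LASTWRITE):
        print(f"{when.isoformat() if when else '(undated)':>25}  {name}")
```

On a real hive, read the value bytes and the key's last-write time with a hive parser and feed them to `recentdocs_timeline`; the output order is the one Explorer maintains, which is what the cross-referencing in step 6 should follow.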

Common Registry Keys for Tracking Program Launches

While RecentDocs tells you what files were opened, other registry locations capture the
