FeatureUsage — Evidence of Execution || AppSwitched
The FeatureUsage artifact is stored in the NTUSER.DAT registry hive of each user profile under the following key:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage
It contains 5 subkeys as follows:
1. AppBadgeUpdated
The AppBadgeUpdated key records how often an app’s badge icon is updated, such as when you receive new notifications or unread messages. This can be useful in cases where an app, like a messaging app, has been deleted. By checking this key, you can tell how many times the app received notifications, even if the app is no longer present, providing evidence that the app was used and interacted with on the system.
2. AppLaunch
The AppLaunch key tracks how often an app pinned to the taskbar is launched. This can help show that a user not only had the app visible on the taskbar but actively used it. In investigations, it can demonstrate that the app was knowingly accessed multiple times, providing evidence of intentional use.
3. AppSwitched
The AppSwitched key tracks how many times an app was clicked to switch focus, like when you minimize or maximize it from the taskbar.
4. ShowJumpView
The ShowJumpView key logs how many times an app was right-clicked on the taskbar. Similar to the AppSwitched key, it tracks app interactions, but specifically records right-click actions.
5. TrayButtonClicked
The TrayButtonClicked key tracks how many times built-in taskbar buttons (like the clock or Start button) are clicked.
Summary:
AppBadgeUpdated: Tracks how often an app’s badge icon updates, showing notification activity even if the app was deleted.
AppLaunch: Logs how frequently a taskbar-pinned app is launched, showing intentional user interaction.
AppSwitched: Records how many times an app is minimized or maximized from the taskbar.
ShowJumpView: Logs how often an app is right-clicked on the taskbar for additional options.
TrayButtonClicked: Tracks clicks on built-in taskbar buttons (like the clock or Start), providing insights into user behavior.
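As an added example (not code from the original post), the Python below parses a `reg export` of the FeatureUsage key, collects the DWORD counters from the five subkeys described above and ranks applications by their total taskbar interaction. The .reg content is constructed sample data; the known-folder GUID prefix on the executable path is an assumption about how Explorer names these values, and the AppUserModelId and paths are invented.

```python
import re

# Constructed `reg export` of the FeatureUsage key (sample data, not from a real system);
# value names are AppUserModelIds or known-folder-GUID-prefixed executable paths (assumed form).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppBadgeUpdated]
"Contoso.Messenger_abc123def456!App"=dword:0000000c
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppLaunch]
"{6D809377-6AF0-444B-8957-A3773F02200E}\\WindowsPowerShell\\v1.0\\powershell.exe"=dword:00000007
"Contoso.Messenger_abc123def456!App"=dword:00000002
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"{6D809377-6AF0-444B-8957-A3773F02200E}\\WindowsPowerShell\\v1.0\\powershell.exe"=dword:0000001f
"C:\\Users\\jdoe\\Downloads\\notes_app.exe"=dword:00000003
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView]
"{6D809377-6AF0-444B-8957-A3773F02200E}\\WindowsPowerShell\\v1.0\\powershell.exe"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\TrayButtonClicked]
"Clock"=dword:00000004
'''

SUBKEYS = ("AppBadgeUpdated", "AppLaunch", "AppSwitched", "ShowJumpView", "TrayButtonClicked")
KEY_RE = re.compile(r"^\[.*\\Explorer\\FeatureUsage\\([^\\\]]+)\]$")
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')

def parse_feature_usage(reg_text):
    """Return {subkey: {app_identifier: count}} from a .reg export of FeatureUsage."""
    counters = {name: {} for name in SUBKEYS}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:  # entering a subkey; ignore any subkey outside the documented five
            current = key.group(1) if key.group(1) in counters else None
            continue
        value = VALUE_RE.match(line)
        if current is None or not value:
            continue
        # .reg files escape backslashes and quotes inside value names; undo that
        app = re.sub(r"\\(.)", r"\1", value.group(1))
        counters[current][app] = int(value.group(2), 16)  # dword data is hex
    return counters

def rank_apps(counters):
    """Total taskbar interactions per app across all five counters, busiest first."""
    totals = {}
    for values in counters.values():
        for app, count in values.items():
            totals[app] = totals.get(app, 0) + count
    return sorted(totals.items(), key=lambda kv: (-kv[1], kv[0]))
```

An app that appears in AppBadgeUpdated or AppSwitched but is absent from the disk image is exactly the deleted-but-used case the AppBadgeUpdated description points at.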