The VMware Carbon Black Tech Zone is live! Checkout this great resource: Mastering Carbon Black Audit & Remediation.

Windows Recent Apps

This query is based on this article: https://df-stream.com/2017/10/recentapps/. There are two dates that may be checked as per the article. The Last AccessedDate might not be accurate (it has been in my testing), so I included the key mtime too for comparison's sake.

The query outputs The registry key's modified time, the LastAccessed time, the user profile path, LaunchCount, and AppPath:

 

with lat as (
  select key,
         datetime(mtime,'unixepoch','localtime') as key_mtime,
         split(key,'\\',1) as sid,
         data as 'LastAccessedTime'
  from registry
  where key in (select path
                from registry
                where path like "HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\%")
                  and name = 'LastAccessedTime'),
lc as (
  select key,data as 'LaunchCount'
  from registry
  where key in (select path
                from registry
                where path like "HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\%")
                and name = 'LaunchCount'),
ap as (
  select key,data as 'AppPath'
  from registry
  where key in (select path
                from registry
                where path like "HKEY_USERS\%\Software\Microsoft\Windows\CurrentVersion\Search\RecentApps\%")
                and name = 'AppPath')
select key_mtime,
       datetime((LastAccessedTime/10000000)-11644473600,'unixepoch','localtime') as 'LastAccessed',
       (select data
        from registry
        where path = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\' || sid || '\ProfileImagePath') as user_profile,
        LaunchCount,
        AppPath
from lat
join lc using(key)
join ap using(key)
where AppPath != '';

 

 

 

0 Votes
1 Comment
jnelson
Carbon Black Employee
Status changed to: Approved