# Functionality in ScreenSharing

LastActivityView serves as an excellent **first-look tool** during screenshares to quickly get a chronological overview of recent user actions:

* **Detecting File Execution:** Shows recently run executables based on Prefetch data and potentially UserAssist or other registry traces.
* **Identifying Opened/Saved Files:** Particularly useful for spotting recently accessed documents, images, archives, or potential cheat configuration files (`.cfg`, `.ini`, `.json`) based on the Open/Save MRU registry data it parses.
* **Tracking DLL Usage/Interaction:** Can be effective at highlighting interactions with `.dll` files, *especially* those loaded via standard mechanisms or those that might have **spoofed extensions** (e.g., a cheat `.dll` renamed to look like a `.cfg` or `.dat` file). Often, the act of an injector selecting a DLL via an "Open File" dialog, or a program loading a configuration file, will register in the OpenSavePidlMRU keys, which LastActivityView surfaces.
* **Timeline Correlation:** By presenting data from multiple sources sorted by time, it aids in establishing basic timelines and correlating different actions (e.g., downloading an archive, then an executable running from a temporary extraction folder shortly after).