# Forensically Relevant Registry Keys/Locations

While deep Registry analysis requires specialized knowledge, several keys are commonly checked during screenshares (many collected automatically by tools like RL Collector's RECmd module):

* **Prefetch Parameters:** `HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters` (Check `EnablePrefetcher` value).
* **Program Compatibility Assistant (PCA):** `HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store` (Logs program paths PCA interacted with).
* **Background Activity Moderator (BAM):** `HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\{User_SID}` (Logs executed application paths and last execution timestamps. Look for deleted entries!).
* **UserAssist:** `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count` (Tracks GUI program launches, run counts, and last execution times. Value names are ROT13-encoded).
* **Open/Save Dialog MRU:** `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU\` (MRU lists for files opened/saved via common dialogs, grouped by extension). Can reveal recently accessed cheat files, DLLs, or configs.
* **RecentDocs:** `HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs` (Tracks recently accessed documents/files, often mirrors `shell:recent`. Check for clearing).
* **Run / RunOnce Keys:** `HKLM\Software\Microsoft\Windows\CurrentVersion\Run`, `HKCU\Software\Microsoft\Windows\CurrentVersion\Run` (and RunOnce variants). Common persistence locations for malware/PUPs.
* **USB Storage History:** `HKLM\SYSTEM\CurrentControlSet\Enum\USBSTOR` (Logs details of connected USB storage devices).
* **Network History:** Various keys under `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` and user-specific network profiles can reveal connection history.
* **Command Processor Autorun:** `HKLM\SOFTWARE\Microsoft\Command Processor\Autorun` (Check whether any commands are configured to run automatically every time `cmd.exe` starts – a potential bypass/persistence point).
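
As an added example (not part of the original list or of any collector tool), the decoder below shows what the UserAssist entry above actually contains: the ROT13-encoded value name is the program path, and the 72-byte binary data on Windows 7 and later holds the run count, focus count, focus time and last-execution FILETIME at fixed offsets. The sample name and bytes are constructed for illustration, not captured from a real host.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7+ UserAssist entries (under ...\UserAssist\{GUID}\Count) are 72 bytes:
#   offset 4: run count (DWORD), offset 8: focus count (DWORD),
#   offset 12: focus time in ms (DWORD), offset 60: last-run FILETIME (QWORD).
# The value name (the program path) is ROT13-encoded; the data is plain binary.
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never run."""
    if filetime == 0:
        return None
    return WINDOWS_EPOCH + timedelta(microseconds=filetime // 10)


def decode_userassist(value_name, data):
    """Decode one UserAssist value into a dict of the forensically useful fields."""
    if len(data) < 68:
        raise ValueError("UserAssist entry too short: %d bytes" % len(data))
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (last_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_executed": filetime_to_datetime(last_ft),
    }


def build_sample_entry(run_count, focus_count, focus_ms, last_executed):
    """Construct a synthetic 72-byte entry (test data, not captured from a real host)."""
    ticks = (last_executed - WINDOWS_EPOCH) // timedelta(microseconds=1) * 10
    data = bytearray(72)
    struct.pack_into("<III", data, 4, run_count, focus_count, focus_ms)
    struct.pack_into("<Q", data, 60, ticks)
    return bytes(data)


# Constructed sample: ROT13 of "C:\Tools\loader.exe", run 3 times, last on 2024-03-15.
SAMPLE_NAME = r"P:\Gbbyf\ybnqre.rkr"
SAMPLE_DATA = build_sample_entry(3, 2, 4500, datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for key, val in decode_userassist(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{key}: {val}")
```

A last-execution time of 0 (never run) is reported as `None`, and entries shorter than the expected structure are rejected rather than misparsed.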
