The Windows Forensic Journey — “FeatureUsage”

Shlomi Boutnaru, Ph.D.


In general, “FeatureUsage” is a registry key which is stored as part of the user’s profile. This means that the information is stored per user in that user’s NTUSER.DAT file (https://medium.com/@boutnaru/the-windows-concept-journey-ntuser-dat-ecdba539b349). The location of the registry key is: “HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage” — as shown below. It is created only when a user performs an interactive login, which can be local or RDP based (https://www.group-ib.com/blog/featureusage/).

Overall, the “FeatureUsage” key has a QWORD value called “KeyCreationTime” which can give us the first time the user performed an interactive logon — as shown in the screenshot below. The data is stored in the following format: “number of 100-nanosecond intervals that have passed since January 1, 1601 UTC”. We can convert it from “Windows FILETIME” to “Unix Timestamp” and from that to a human-readable datetime (https://www.crowdstrike.com/blog/how-to-employ-featureusage-for-windows-10-taskbar-forensics/). This can be done using “CyberChef” (https://gchq.github.io/CyberChef/).
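The same conversion can be scripted instead of done by hand in CyberChef. The following Python is an added example (not code from the original writeup): it converts a “KeyCreationTime” QWORD from Windows FILETIME ticks to a Unix timestamp and a UTC datetime, and it includes an optional helper that reads the value from the live HKCU key path quoted above via the standard-library winreg module (which only exists on Windows). The sample tick value is constructed for the demonstration, not taken from a real system.

```python
# Added example: convert FeatureUsage "KeyCreationTime" (Windows FILETIME)
# to a Unix timestamp and a human-readable UTC datetime.
from datetime import datetime, timedelta, timezone

# 100-nanosecond ticks between the FILETIME epoch (1601-01-01 UTC) and the
# Unix epoch (1970-01-01 UTC): 11,644,473,600 seconds * 10,000,000 ticks/second.
EPOCH_DIFF_TICKS = 116444736000000000
TICKS_PER_SECOND = 10_000_000

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_unix(filetime: int) -> float:
    """Convert a FILETIME tick count to seconds since the Unix epoch."""
    if filetime < 0:
        raise ValueError("FILETIME must be a non-negative 64-bit integer")
    return (filetime - EPOCH_DIFF_TICKS) / TICKS_PER_SECOND


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME tick count to a timezone-aware UTC datetime.

    Adding a timedelta to the 1601 epoch keeps microsecond precision and
    avoids the platform range limits of datetime.fromtimestamp().
    """
    if filetime < 0:
        raise ValueError("FILETIME must be a non-negative 64-bit integer")
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def unix_to_filetime(unix_seconds: float) -> int:
    """Inverse conversion, handy when building a timeline filter in ticks."""
    return int(round(unix_seconds * TICKS_PER_SECOND)) + EPOCH_DIFF_TICKS


def read_key_creation_time() -> int:
    """Read KeyCreationTime from the live HKCU FeatureUsage key.

    Works only on Windows (winreg is Windows-only). On an offline analysis
    box the same QWORD would be pulled from an exported NTUSER.DAT with a
    registry parser instead.
    """
    import winreg  # Windows-only standard-library module

    key_path = r"Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage"
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, key_path) as key:
        value, value_type = winreg.QueryValueEx(key, "KeyCreationTime")
    if value_type != winreg.REG_QWORD:
        raise TypeError(f"unexpected registry value type {value_type}")
    return value


if __name__ == "__main__":
    # Constructed sample value (not from a real system); it corresponds to
    # 2023-11-14 22:13:20 UTC.
    sample_key_creation_time = 133444736000000000
    print("FILETIME :", sample_key_creation_time)
    print("Unix     :", filetime_to_unix(sample_key_creation_time))
    print("UTC      :", filetime_to_datetime(sample_key_creation_time).isoformat())
```

Because FILETIME is UTC-based, the result is already in UTC; apply the host’s time zone only afterwards when correlating with local event-log times.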

Lastly, the “FeatureUsage” registry key has five sub-keys: “AppBadgeUpdated”, “AppLaunch”, “AppSwitched”, “ShowJumpView” and “TrayButtonClicked” — as shown in the screenshot below. Each of those sub-keys provides information about executables that were launched on the system — more information about each one of them will follow in future writeups.

See you in my next writeup ;-) You can follow me on twitter — @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on medium — https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.
