# Background Activity Montitor The Background Activity Monitor and Desktop Activity Monitor registry artifacts provide evidence of execution on an endpoint. It is only available in Windows 10 and Windows 11. ## Analysis Value {% content-ref url="/pages/LRJZQZsAd12i4mDfGwuK" %} [Security Identifier](/windows-forensics/artifacts-by-activity/account-activity/security-identifier.md) {% endcontent-ref %} {% content-ref url="/pages/6Pmka7uFtKElhrhDdFDv" %} [Last Executed](/windows-forensics/artifacts-by-activity/execution/last-executed.md) {% endcontent-ref %} {% content-ref url="/pages/7PsIbY4z0aa7D6FfSddw" %} [Execution Account](/windows-forensics/artifacts-by-activity/execution/execution-account.md) {% endcontent-ref %} {% content-ref url="/pages/vnDLfD9RBoVh5UOGGhiw" %} [Evidence of Execution](/windows-forensics/artifacts-by-activity/execution/evidence-of-execution.md) {% endcontent-ref %} {% content-ref url="/pages/V3cDcDJogcr4slquHEzB" %} [File Path](/windows-forensics/artifacts-by-activity/file-activity/file-path.md) {% endcontent-ref %} ## Operating System Availability | Major Version | Support | Major Version | Support | | ------------- | ------- | ------------- | ------- | | Windows 11 | ✅ | Server 2019 | ❌ | | Windows 10 | ⚠️ | Server 2016 | ❌ | | Windows 8 | ❌ | Server 2012 | ❌ | | Windows 7 | ❌ | Server 2008 | ❌ | | Windows Vista | ❌ | Server 2003 | ❌ | | Windows XP | ❌ | | | {% hint style="warning" %} Background Activity Montitor is only available for Windows 10 systems with update 1709 (Redstone 3) and later. {% endhint %} ## Artifact Location(s) {% tabs %} {% tab title="🔌 Offline System" %} Newer Windows 10 Systems * File: `%SystemRoot%\System32\config\SYSTEM` * BAM: `SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\state\UserSettings\{USER_SID}` * DAM: `SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\state\UserSettings\{USER_SID}` Older Windows 10 Systems * File: `%SystemRoot%\System32\config\SYSTEM` * BAM: `SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\UserSettings\{USER_SID}` * DAM: `SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\UserSettings\{USER_SID}` {% endtab %} {% tab title="🔋 Live System" %} Newer Windows 10 Systems * BAM: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings\{USER_SID}` * DAM: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\state\UserSettings\{USER_SID}` Older Windows 10 Systems * BAM: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{USER_SID}` * DAM: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\UserSettings\{USER_SID}` {% endtab %} {% endtabs %} {% hint style="info" %} For more information on determining the correct `CurrentControlSet`, visit [Select Registry Key](/windows-forensics/artifacts-by-type/registry-artifacts/select.md) {% endhint %} ## Artifact Parsers * RegistryExplorer (Eric Zimmerman) ## Artifact Interpretation The `Execution Time` as seen in RegistryExplorer represents the most recent time of execution for the binary in UTC. The `Program` field represents the full path the the binary. {% hint style="info" %} Based on testing, this execution time is written upon process creation, and again on termination. {% endhint %} In the event that you are parsing or interpreting this artifact manually, the following CyberChef recipe can be used to convert Windows FILETIME timestamps to a date and time: ``` [ { "op": "From Hex", "args": ["Auto"] }, { "op": "To Hex", "args": ["None", 0] }, { "op": "Windows Filetime to UNIX Timestamp", "args": ["Milliseconds (ms)", "Hex (little endian)"] }, { "op": "From UNIX Timestamp", "args": ["Milliseconds (ms)"] } ] ``` {% hint style="warning" %} Console applications that are launched through a command line interface will not have BAM/DAM entries. {% endhint %} ## Analysis Tips {% hint style="success" %} #### Suspicious Execution Locations Search for BAM entries for executables that reside in suspicious locations, such as: * User `Downloads` directories * Other user profile directories such as `Desktop` or `Documents` * `C:\Temp` * `C:\PerfLogs` {% endhint %} ## Example: Execution Timestamp * Path: `HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-3471133136-2963561160-3931775028-1001` * Key: `\Device\HarddiskVolume4\Program Files\PuTTY\putty.exe` * Type: `REG_BINARY` * Value: `60-9F-62-A8-FB-6C-D9-01-00-00-00-00-00-00-00-00-00-00-00-00-02-00-00-00` The 64-Bit FILETIME timestamp `60-9F-62-A8-FB-6C-D9-01` resolves to `Wed 12 April 2023 05:00:10 UTC`, which is the last known execution of the binary `putty.exe`. This example was produced on Windows 10, Version 10.0.19044 Build 19044 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/bam-dam.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.