Background Activity Montitor
The Background Activity Monitor and Desktop Activity Monitor registry artifacts provide evidence of execution on an endpoint. It is only available in Windows 10 and Windows 11.
Analysis Value
Security IdentifierLast ExecutedExecution AccountEvidence of ExecutionFile PathOperating System Availability
Windows 11
β
Server 2019
β
Windows 10
β οΈ
Server 2016
β
Windows 8
β
Server 2012
β
Windows 7
β
Server 2008
β
Windows Vista
β
Server 2003
β
Windows XP
β
Background Activity Montitor is only available for Windows 10 systems with update 1709 (Redstone 3) and later.
Artifact Location(s)
Newer Windows 10 Systems
File:
%SystemRoot%\System32\config\SYSTEMBAM:
SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\state\UserSettings\{USER_SID}DAM:
SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\state\UserSettings\{USER_SID}
Older Windows 10 Systems
File:
%SystemRoot%\System32\config\SYSTEMBAM:
SYSTEM\{CURRENT_CONTROL_SET}\Services\bam\UserSettings\{USER_SID}DAM:
SYSTEM\{CURRENT_CONTROL_SET}\Services\dam\UserSettings\{USER_SID}
Newer Windows 10 Systems
BAM:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\state\UserSettings\{USER_SID}DAM:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\state\UserSettings\{USER_SID}
Older Windows 10 Systems
BAM:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{USER_SID}DAM:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dam\UserSettings\{USER_SID}
Artifact Parsers
RegistryExplorer (Eric Zimmerman)
Artifact Interpretation
The Execution Time as seen in RegistryExplorer represents the most recent time of execution for the binary in UTC. The Program field represents the full path the the binary.
In the event that you are parsing or interpreting this artifact manually, the following CyberChef recipe can be used to convert Windows FILETIME timestamps to a date and time:
[
{ "op": "From Hex",
"args": ["Auto"] },
{ "op": "To Hex",
"args": ["None", 0] },
{ "op": "Windows Filetime to UNIX Timestamp",
"args": ["Milliseconds (ms)", "Hex (little endian)"] },
{ "op": "From UNIX Timestamp",
"args": ["Milliseconds (ms)"] }
]Console applications that are launched through a command line interface will not have BAM/DAM entries.
Analysis Tips
Suspicious Execution Locations
Search for BAM entries for executables that reside in suspicious locations, such as:
User
DownloadsdirectoriesOther user profile directories such as
DesktoporDocumentsC:\TempC:\PerfLogs
Example: Execution Timestamp
Path:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\bam\State\UserSettings\S-1-5-21-3471133136-2963561160-3931775028-1001Key:
\Device\HarddiskVolume4\Program Files\PuTTY\putty.exeType:
REG_BINARYValue:
60-9F-62-A8-FB-6C-D9-01-00-00-00-00-00-00-00-00-00-00-00-00-02-00-00-00
The 64-Bit FILETIME timestamp 60-9F-62-A8-FB-6C-D9-01 resolves to Wed 12 April 2023 05:00:10 UTC, which is the last known execution of the binary putty.exe.
This example was produced on Windows 10, Version 10.0.19044 Build 19044
Last updated