Tracing Registry Keys

Tracing registry keys can be used to indicate that a program has initiated a network connection leveraging the Windows Remote Access Server (RAS) through the rasapi32.dll and rasman.dll libraries.

Analysis Value

  • Evidence of Execution

  • First Executed

  • Evidence of Network Activity

Operating System Availability

  Major Version    Support    Major Version    Support
  Windows 11       ✅         Server 2019      ✅
  Windows 10       ✅         Server 2016      ✅
  Windows 8        ✅         Server 2012      ✅
  Windows 7        ✅         Server 2008      ✅
  Windows Vista    ❓         Server 2003      ❓
  Windows XP       ❌

Artifact Location(s)

  • File: %SystemRoot%\System32\Config\SOFTWARE

  • Key: SOFTWARE\Microsoft\Tracing

Artifact Parsers

  • RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the SOFTWARE\Microsoft\Tracing key, there may be multiple subkeys with the following name formats of interest:

  • {EXECUTABLE_FILENAME}_RASMANCS

  • {EXECUTABLE_FILENAME}_RASAPI32

The executable filename appears without its .exe extension.

The Last Write Timestamp of the registry key provides the first time an executable has loaded rasapi32.dll and rasman.dll in order to establish a remote network connection, typically to download a file.
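As an added example (not code from the original page), a small Python helper that groups Tracing subkeys by executable name and reports the earlier of the two key timestamps as the candidate first use of the RAS libraries; the live-registry reader assumes the standard-library winreg module on Windows, and the sample subkeys are constructed.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable

RAS_SUFFIXES = ("_RASMANCS", "_RASAPI32")  # written when rasman.dll / rasapi32.dll load
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME (100ns ticks since 1601) from winreg.QueryInfoKey to UTC."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def summarise_tracing_keys(subkeys: Iterable[tuple[str, datetime]]) -> dict[str, dict]:
    """Group (subkey name, last write time) pairs by executable name.

    Only *_RASMANCS / *_RASAPI32 subkeys are kept. The known suffix is stripped
    (rather than splitting on '_') so underscores inside the executable name
    survive; the earlier of the two timestamps is the candidate first use of RAS.
    """
    records: dict[str, dict] = {}
    for name, last_write in subkeys:
        upper = name.upper()  # registry key names are case-insensitive
        for suffix in RAS_SUFFIXES:
            if upper.endswith(suffix):
                rec = records.setdefault(name[: -len(suffix)], {"subkeys": {}, "first_seen": None})
                rec["subkeys"][suffix[1:]] = last_write
                if rec["first_seen"] is None or last_write < rec["first_seen"]:
                    rec["first_seen"] = last_write
                break
    return records

def read_live_tracing_keys() -> list[tuple[str, datetime]]:
    """Enumerate the live key on Windows (assumes the stdlib winreg module)."""
    import winreg  # Windows-only; imported lazily so the parser runs elsewhere
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Tracing") as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            sub = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, sub) as sk:
                out.append((sub, filetime_to_datetime(winreg.QueryInfoKey(sk)[2])))
    return out

# Constructed sample (not real hive data); the second program has an underscore in its name.
SAMPLE = [
    ("installer_RASAPI32", datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)),
    ("installer_RASMANCS", datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)),
    ("update_helper_rasapi32", datetime(2024, 3, 2, 8, 30, tzinfo=timezone.utc)),
    ("update_helper_RASMANCS", datetime(2024, 3, 2, 8, 31, tzinfo=timezone.utc)),
    ("RASMANCS", datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)),  # no executable prefix, ignored
]
```

On a live system, `summarise_tracing_keys(read_live_tracing_keys())` produces the same per-executable records from the real key; for an offline SOFTWARE hive, feed it subkey names and timestamps from your hive parser of choice.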
