Tracing Registry Keys
Tracing registry keys can be used to indicate that a program has initiated a network connection leveraging the Windows Remote Access Server (RAS) through the rasapi32.dll and rasman.dll libraries.
Analysis Value
Evidence of Execution, First Executed, Evidence of Network Activity
Operating System Availability
Major Version | Support | Major Version | Support
---|---|---|---
Windows 11 | ✅ | Server 2019 | ✅
Windows 10 | ✅ | Server 2016 | ✅
Windows 8 | ✅ | Server 2012 | ✅
Windows 7 | ✅ | Server 2008 | ✅
Windows Vista | ❓ | Server 2003 | ❓
Windows XP | ❌ | |
Artifact Location(s)
File:
%SystemRoot%\System32\Config\SOFTWARE
Key:
SOFTWARE\Microsoft\Tracing
Artifact Parsers
RegistryExplorer (Eric Zimmerman)
Artifact Interpretation
Within the SOFTWARE\Microsoft\Tracing key, there may be multiple subkeys with the following name formats of interest:
{EXECUTABLE_FILENAME}_RASMANCS
{EXECUTABLE_FILENAME}_RASAPI32
These filenames will not include the executable extension .exe.
The Last Write Timestamp of the registry key provides the first time an executable loaded rasapi32.dll and rasman.dll in order to establish a remote network connection, typically to download a file.
Subsequent activity of this nature will not update the Last Write Timestamp of the registry key, so the timestamp is evidence of first execution of that behaviour, not of the most recent occurrence.
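The following script is an added example for working with this artifact; it is not part of the original page or of RegistryExplorer. It turns a list of Tracing subkey names and their Last Write FILETIME values into a per-executable record of which RAS library (rasapi32.dll or rasman.dll) was observed and the earliest of the two timestamps, which is the "first RAS load" the text describes. The subkey names and timestamps in SAMPLE_ENTRIES are constructed, not recovered from a real system; the collect_live_tracing() function reads the live key through the standard-library winreg module and therefore only works on Windows.

```python
"""Parse SOFTWARE\\Microsoft\\Tracing subkeys into first-RAS-load evidence.

Added example, not code from the original page. Subkeys named
{EXECUTABLE}_RASAPI32 or {EXECUTABLE}_RASMANCS are grouped per executable
and the key's Last Write time is converted from FILETIME to a UTC datetime.
"""
import re
from datetime import datetime, timedelta, timezone

# 100ns ticks between the FILETIME epoch (1601-01-01) and the Unix epoch (1970-01-01).
EPOCH_DELTA_TICKS = 116444736000000000

# Only these two suffixes are RAS evidence; the Tracing key holds other subkeys too.
TRACING_NAME_RE = re.compile(r"^(?P<exe>.+)_(?P<lib>RASMANCS|RASAPI32)$", re.IGNORECASE)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a 64-bit FILETIME (100ns ticks since 1601-01-01 UTC) to a UTC datetime."""
    unix_ticks = filetime - EPOCH_DELTA_TICKS
    # Integer division drops sub-microsecond precision, which datetime cannot hold anyway.
    return datetime(1970, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=unix_ticks // 10)


def parse_tracing_subkeys(entries):
    """Group (subkey_name, last_write_filetime) pairs by executable.

    Returns {exe_name_lowercase: {"RASAPI32": datetime|None,
                                  "RASMANCS": datetime|None,
                                  "first_ras_load": datetime}}.
    The executable name has no .exe extension, exactly as it appears in the key name.
    """
    results = {}
    for name, filetime in entries:
        match = TRACING_NAME_RE.match(name)
        if not match:
            continue  # unrelated Tracing subkey (other components log here as well)
        exe = match.group("exe").lower()
        lib = match.group("lib").upper()
        record = results.setdefault(exe, {"RASAPI32": None, "RASMANCS": None})
        record[lib] = filetime_to_datetime(filetime)
    for record in results.values():
        seen = [t for t in (record["RASAPI32"], record["RASMANCS"]) if t is not None]
        # Earliest Last Write across the two keys is the first time RAS was used by this binary.
        record["first_ras_load"] = min(seen)
    return results


def report(results):
    """Render the parsed records as timeline lines, oldest first."""
    lines = []
    for exe, rec in sorted(results.items(), key=lambda kv: kv[1]["first_ras_load"]):
        libs = ", ".join(lib for lib in ("RASAPI32", "RASMANCS") if rec[lib] is not None)
        lines.append(f"{rec['first_ras_load'].isoformat()}  {exe}.exe  ({libs})")
    return lines


def collect_live_tracing():
    """Enumerate the live HKLM\\SOFTWARE\\Microsoft\\Tracing key (Windows only)."""
    import winreg  # standard library, but only present on Windows
    entries = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SOFTWARE\Microsoft\Tracing") as key:
        subkey_count, _, _ = winreg.QueryInfoKey(key)
        for index in range(subkey_count):
            name = winreg.EnumKey(key, index)
            with winreg.OpenKey(key, name) as subkey:
                _, _, last_write = winreg.QueryInfoKey(subkey)  # FILETIME as an int
                entries.append((name, last_write))
    return entries


# Constructed sample data (hypothetical names and times, not from a real hive).
SAMPLE_ENTRIES = [
    ("updater_RASAPI32", 133500000000000000),
    ("updater_RASMANCS", 133500000010000000),  # one second after the RASAPI32 key
    ("svchost_RASMANCS", 132000000000000000),
    ("Microsoft", 133600000000000000),         # unrelated subkey, ignored
]

if __name__ == "__main__":
    for line in report(parse_tracing_subkeys(SAMPLE_ENTRIES)):
        print(line)
```

For an offline SOFTWARE hive, feed parse_tracing_subkeys() with the subkey names and Last Write times exported from RegistryExplorer or any hive parser instead of collect_live_tracing(); the grouping and timestamp logic is the same either way.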