Tracing Registry Keys

Tracing registry keys can be used to indicate that a program has initiated a network connection leveraging the Windows Remote Access Server (RAS) through the rasapi32.dll and rasman.dll libraries.

Analysis Value

pageEvidence of Execution pageFirst Executed pageEvidence of Network Activity

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	✅
Windows 10	✅	Server 2016	✅
Windows 8	✅	Server 2012	✅
Windows 7	✅	Server 2008	✅
Windows Vista	❓	Server 2003	❓
Windows XP	❌

Major Version

Support

Major Version

Support

Windows 11

✅

Server 2019

✅

Windows 10

✅

Server 2016

✅

Windows 8

✅

Server 2012

✅

Windows 7

✅

Server 2008

✅

Windows Vista

❓

Server 2003

❓

Windows XP

❌

Artifact Location(s)

File: %SystemRoot%\System32\Config\SOFTWARE
Key: SOFTWARE\Microsoft\Tracing

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing

Artifact Parsers

RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the SOFTWARE\Microsoft\Tracing key, there may be multiple subkeys with the following name formats of interest:

{EXECUTABLE_FILENAME}_RASMANCS
{EXECUTABLE_FILENAME}_RASAPI32

These filenames will not include the executable extension .exe.

The Last Write Timestamp of the registry key provides the first time an executable has loaded rasapi32.dll and rasman.dll in order to establish a remote network connection, typically to download a file.

Subsequent activity of this nature will not update the Last Write Timestamp of the registry key.

Last updated 6 months ago