# Tracing Registry Keys Tracing registry keys can be used to indicate that a program has initiated a network connection leveraging the Windows Remote Access Server (RAS) through the `rasapi32.dll` and `rasman.dll` libraries. ## Analysis Value {% content-ref url="/pages/vnDLfD9RBoVh5UOGGhiw" %} [Evidence of Execution](/windows-forensics/artifacts-by-activity/execution/evidence-of-execution.md) {% endcontent-ref %} {% content-ref url="/pages/NwFJ38aWYFJ7FKQuKQMQ" %} [First Executed](/windows-forensics/artifacts-by-activity/execution/first-executed.md) {% endcontent-ref %} {% content-ref url="/pages/vyOW1UW4D6MtZx1ltSwW" %} [Evidence of Network Activity](/windows-forensics/artifacts-by-activity/network-activity/evidence-of-network-activity.md) {% endcontent-ref %} ## Operating System Availability | Major Version | Support | Major Version | Support | | ------------- | ------- | ------------- | ------- | | Windows 11 | ✅ | Server 2019 | ✅ | | Windows 10 | ✅ | Server 2016 | ✅ | | Windows 8 | ✅ | Server 2012 | ✅ | | Windows 7 | ✅ | Server 2008 | ✅ | | Windows Vista | ❓ | Server 2003 | ❓ | | Windows XP | ❌ | | | ## Artifact Location(s) {% tabs %} {% tab title="🔌 Offline System" %} * File: `%SystemRoot%\System32\Config\SOFTWARE` * Key: `SOFTWARE\Microsoft\Tracing` {% endtab %} {% tab title="🔋 Live System" %} * `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing` {% endtab %} {% endtabs %} ## Artifact Parsers * RegistryExplorer (Eric Zimmerman) ## Artifact Interpretation Within the `SOFTWARE\Microsoft\Tracing` key, there may be multiple subkeys with the following name formats of interest: * `{EXECUTABLE_FILENAME}_RASMANCS` * `{EXECUTABLE_FILENAME}_RASAPI32` These filenames will not include the executable extension `.exe`. The Last Write Timestamp of the registry key provides the first time an executable has loaded `rasapi32.dll` and `rasman.dll` in order to establish a remote network connection, typically to download a file. {% hint style="warning" %} Subsequent activity of this nature will not update the Last Write Timestamp of the registry key. {% endhint %} --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://psmths.gitbook.io/windows-forensics/artifacts-by-type/registry-artifacts/tracing-keys.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.