Tracing Registry Keys

Tracing registry keys can be used to indicate that a program has initiated a network connection leveraging the Windows Remote Access Server (RAS) through the rasapi32.dll and rasman.dll libraries.

Analysis Value

pageEvidence of ExecutionpageFirst ExecutedpageEvidence of Network Activity

Operating System Availability

Major VersionSupportMajor VersionSupport

Windows 11

Server 2019

Windows 10

Server 2016

Windows 8

Server 2012

Windows 7

Server 2008

Windows Vista

Server 2003

Windows XP

Artifact Location(s)

  • File: %SystemRoot%\System32\Config\SOFTWARE

  • Key: SOFTWARE\Microsoft\Tracing

Artifact Parsers

  • RegistryExplorer (Eric Zimmerman)

Artifact Interpretation

Within the SOFTWARE\Microsoft\Tracing key, there may be multiple subkeys with the following name formats of interest:



These filenames will not include the executable extension .exe.

The Last Write Timestamp of the registry key provides the first time an executable has loaded rasapi32.dll and rasman.dll in order to establish a remote network connection, typically to download a file.

Subsequent activity of this nature will not update the Last Write Timestamp of the registry key.

Last updated