AppSwitched provides a reliable indicator of user‑initiated application activity, enabling investigators to reconstruct behavior even when standard execution logs are absent, thereby enhancing forensic accuracy.
The video examines the Windows registry key AppSwitched, located under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage. This key resides in each user’s NTUSER.DAT hive and records how often a user left‑clicks an application’s taskbar icon to bring it to the foreground.
AppSwitched stores a single DWORD counter per executable, which increments only when the user left‑clicks the application's taskbar icon, not on Alt‑Tab switches. The key holds no per‑application timestamps and no most‑recently‑used ordering; the only temporal clue is the AppSwitched subkey's own last‑write timestamp, which marks the most recent update to any counter in the key and therefore only bounds the latest activity.
The presenter demonstrates the behavior with Notepad: the counter rises from 81 to 82 after a left‑click, while Alt‑Tab actions leave it unchanged. He also notes related keys such as AppBadgeUpdated and AppLaunch, though the focus remains on AppSwitched’s unique insight into deliberate user interaction.
For digital forensics, AppSwitched fills gaps when conventional execution artifacts are missing or have been cleared. It ties interactive usage to a specific user account, aiding timeline reconstruction and strengthening evidence of purposeful activity.
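As an added example (not code from the video or its presenter), the following Python script shows how a triage tool would work with the artifact described above: read the AppSwitched values and the key's last‑write time from the live registry with the standard `winreg` module, convert the FILETIME returned by `QueryInfoKey` to a UTC datetime, and diff two snapshots to see which taskbar icons were clicked in between, mirroring the Notepad 81 → 82 demonstration. The sample snapshots are constructed; the value names (a full executable path and a packaged‑app identifier) are placeholders and not taken from any real system.

```python
"""Triage helpers for HKCU\\...\\Explorer\\FeatureUsage\\AppSwitched.

Added example: reads the per-application click counters, decodes the key's
last-write time, and diffs two snapshots to show which counters increased.
"""
from datetime import datetime, timedelta, timezone

APPSWITCHED_PATH = (
    r"Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched"
)

# Windows FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a FILETIME integer (100 ns ticks since 1601) to a UTC datetime."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def read_live_appswitched():
    """Read the current user's AppSwitched counters from the live registry.

    Windows only: returns (counters, last_write) where counters maps the
    value name (executable path or packaged-app ID) to its DWORD click count,
    and last_write is the key's last-write time as a UTC datetime.
    """
    import winreg  # available only on Windows

    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, APPSWITCHED_PATH) as key:
        _num_subkeys, num_values, last_write_ft = winreg.QueryInfoKey(key)
        counters = {}
        for index in range(num_values):
            name, data, value_type = winreg.EnumValue(key, index)
            if value_type == winreg.REG_DWORD:
                counters[name] = data
        return counters, filetime_to_datetime(last_write_ft)


def diff_counters(before: dict, after: dict) -> dict:
    """Return {app: (old, new)} for every counter that rose between snapshots.

    A rise means the user left-clicked that taskbar icon; Alt-Tab switches do
    not modify these values, so the diff isolates deliberate taskbar use.
    """
    changes = {}
    for app, new_count in after.items():
        old_count = before.get(app, 0)
        if new_count > old_count:
            changes[app] = (old_count, new_count)
    return changes


def rank_counters(counters: dict, top: int = 5) -> list:
    """Most-clicked applications first, ties broken by name, for a quick view."""
    return sorted(counters.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


# Constructed sample snapshots modelled on the Notepad demonstration in the text.
# Value names are placeholders: a desktop executable path and a packaged-app ID.
SNAPSHOT_BEFORE = {
    r"C:\Windows\System32\notepad.exe": 81,
    r"C:\Windows\explorer.exe": 140,
    "ExampleVendor.ExampleApp_placeholder!App": 12,
}
SNAPSHOT_AFTER = dict(SNAPSHOT_BEFORE, **{r"C:\Windows\System32\notepad.exe": 82})

# Constructed FILETIME equal to 1970-01-01T00:00:00Z, used to exercise the converter.
SAMPLE_LAST_WRITE_FT = 116444736000000000


if __name__ == "__main__":
    # Offline walk-through on the constructed data.
    print("Key last-write (sample):", filetime_to_datetime(SAMPLE_LAST_WRITE_FT))
    for app, (old, new) in diff_counters(SNAPSHOT_BEFORE, SNAPSHOT_AFTER).items():
        print(f"taskbar click detected: {app}: {old} -> {new}")
    for app, count in rank_counters(SNAPSHOT_AFTER):
        print(f"{count:6d}  {app}")
    # On a Windows host, uncomment to read the live key for the current user:
    # live_counters, live_last_write = read_live_appswitched()
```

Because the key carries only one last‑write time for all counters, the diff approach is what turns AppSwitched into per‑application evidence: compare a baseline snapshot (or an earlier hive backup) against the current key, and every counter that rose identifies an application the user deliberately brought to the foreground in that interval.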