The Key to Switching Apps
Why It Matters
AppSwitched provides a reliable indicator of user‑initiated application activity, enabling investigators to reconstruct behavior even when standard execution logs are absent, thereby enhancing forensic accuracy.
Key Takeaways
- •AppSwitched counts taskbar clicks, not Alt‑Tab switches for users.
- •Values are DWORD counters without timestamps or MRU ordering.
- •Only the subkey’s last write time provides temporal context.
- •Helps attribute interactive application use to specific user accounts.
- •Useful forensic artifact when traditional execution logs are missing.
Summary
The video examines the Windows registry key AppSwitched, located under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage. This key resides in each user’s NTUSER.DAT hive and records how often a user left‑clicks an application’s taskbar icon to bring it to the foreground.
AppSwitched stores a simple DWORD counter for each executable, incrementing only on taskbar clicks—not on Alt‑Tab switches. The key lacks timestamps or a most‑recent‑used list; the only temporal clue is the subkey’s last‑write timestamp, which indicates the latest possible activity.
The presenter demonstrates the behavior with Notepad: the counter rises from 81 to 82 after a left‑click, while Alt‑Tab actions leave it unchanged. He also notes related keys such as AppBadgeUpdated and AppLaunch, though the focus remains on AppSwitched’s unique insight into deliberate user interaction.
For digital forensics, AppSwitched fills gaps when conventional execution artifacts are missing or have been cleared. It ties interactive usage to a specific user account, aiding timeline reconstruction and strengthening evidence of purposeful activity.
Comments
Want to join the conversation?
Loading comments...