Artifacts

Registry: App Paths

Posted by:

Author Name
Matt

Artifact Name
App Paths

Artifact/Program Version
Windows Specific

Description
An application that is installed for all users of the computer can be registered under the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths registry key. In Windows 7 and later, an application that is installed for only one user can be registered under the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths registry key.

The entries found under App Paths are used primarily for the following purposes:

  • To map an application’s executable file name to that file’s fully qualified path.
  • To append information to the PATH environment variable on a per-application, per-process basis.

If the name of a subkey of App Paths matches the file name, the Shell performs two actions:

  • The (Default) entry is used as the file’s fully-qualified path.
  • The Path entry for that subkey is appended to the PATH environment variable of that process. If this is not required, the Path value can be omitted.
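The lookup described above can be reproduced offline when examining an exported hive. The following is an added example, not code from the original page or from RegRipper: it parses text in `reg export` (.reg) format and, for a given executable name, reports the fully qualified path and the resulting PATH for each hive. The function names, the sample data and the assumptions that the export is already decoded to text and holds only REG_SZ values are this example's own.

```python
import re

# Key path below the hive, lower-cased; registry key names are case-insensitive.
APP_PATHS = r"software\microsoft\windows\currentversion\app paths" + "\\"

# Constructed sample in `reg export` (.reg) text format, not taken from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\example.exe]
@="C:\\Program Files\\Example\\example.exe"
"Path"="C:\\Program Files\\Example\\bin"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths\tool.exe]
@="C:\\Users\\sample\\AppData\\Local\\Tool\\tool.exe"
'''

VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]+)")="(?P<data>.*)"$')

def parse_app_paths(reg_text):
    """Return {(hive, subkey): {value_name: data}} for direct App Paths subkeys.
    Assumption: only REG_SZ string values are read; hex(...) data is skipped."""
    entries, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            subkey = rest[len(APP_PATHS):]
            is_entry = rest.lower().startswith(APP_PATHS) and subkey and "\\" not in subkey
            current = entries.setdefault((hive, subkey), {}) if is_entry else None
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:  # "@" is the (Default) value; undo .reg backslash escaping
                current[m["name"] or "(Default)"] = re.sub(r"\\(.)", r"\1", m["data"])
    return entries

def resolve(entries, exe_name, process_path):
    """For each hive with a subkey named exe_name, return
    (hive, fully qualified path, PATH after the Path value is appended)."""
    hits = []
    for (hive, subkey), values in sorted(entries.items()):
        if subkey.lower() != exe_name.lower() or "(Default)" not in values:
            continue
        extra = values.get("Path")  # optional, per the description above
        new_path = process_path + ";" + extra if extra else process_path
        hits.append((hive, values["(Default)"], new_path))
    return hits

if __name__ == "__main__":
    for hit in resolve(parse_app_paths(SAMPLE_REG), "EXAMPLE.EXE", r"C:\Windows\system32"):
        print(hit)
```

Results are returned per hive rather than merged, so an examiner can compare a per-user registration against the machine-wide one for the same executable name.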

Registry Keys
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\App Paths

Research Links
http://msdn.microsoft.com/en-us/library/ee872121(VS.85).aspx

Forensic Programs of Use
RegRipper
