Maurice posted on LinkedIn recently about one of the FeatureUsage Registry key subkeys; specifically, the AppSwitched subkey. Being somewhat, maybe even only slightly aware of the Windows Registry, I read the post with casual, even mild interest.
Someone posted recently that cybersecurity runs on caffeine and sarcasm…I’ve got my cup of coffee right in front of me, and I’ve placed the sarcasm in front of us all. 😉
The RegRipper featureusage plugin was originally written in 2019, and includes a reference to a Crowdstrike blog post written in 2020, authored by Jai Minton (who is now with Huntress). The figure to the right was captured from the blog post, and provides a succinct description of how the AppSwitched key is populated. Specifically, Jai stated, “This key provides the number of times an application switched focus (was left-clicked on the taskbar).” This helps us understand a bit more about process execution, as for the application to exist on the taskbar and to have it’s focus switched, that application has to have been executed.
After finding and reading the blog post, I wrote a brief blog post here on this blog that ment
[…]
Content was cut in order to protect the source.Please visit the source for the rest of the article.
Read the original article: