I’m sure you’ve already heard about some of the forensic-friendly features introduced in Windows 10. A good example is the Windows 10 Timeline. Recently I spotted another useful feature that can help forensic analysts and incident responders reconstruct user activity. It’s called FeatureUsage.

So what does it track, and where are the forensic artifacts located? It tracks events associated with the Task Bar, for example when a user runs an application pinned to it. FeatureUsage artifacts are stored in the user’s NTUSER.DAT registry hive under the following key:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage

You can find a few subkeys under this key:

Figure 1. FeatureUsage subkeys

Let’s look inside every subkey:

AppBadgeUpdated. This subkey keeps track of badge updates for applications on the Task Bar. For example, if you use Telegram and receive a new message, you see a red badge on the application’s icon showing the number of new messages. Here we can find the application’s path and the number of badge updates:

Figure 2. The number of Telegram badge updates

AppLaunch. This subkey logs launches of applications pinned to the Task Bar. Of course, not every user pins applications, but if he or she does, you’ll have a good amount of digital evidence:

Figure 3. Microsoft Edge launch count

AppSwitched. This subkey logs left clicks on Task Bar applications made when a user switches from one application to another. It is the most interesting subkey from a forensic perspective, as it may contain a large number of records and can serve as evidence of execution:

Figure 4. Evidence of Mimikatz execution

ShowJumpView. This subkey tracks right clicks on Task Bar applications. A user may do this, for example, to check or open recent files. This can be an additional artifact pointing to the most frequently used applications:

Figure 5. ShowJumpList data for Microsoft Word

TrayButtonClicked. This subkey tracks left clicks on the following Task Bar items: the Clock button, the Start button, the Notification Center button and the Search box. As in the previous examples, you can see the number of clicks on each item:

Figure 6. The number of clicks on Task Bar items
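As an added example (not code from the original post), the following PowerShell script dumps the counters from all five subkeys described above in one table, either from the live HKCU hive or from a copied NTUSER.DAT. The mount name HKU\FU_Evidence, the -HivePath parameter and the CSV file name are my own choices.

```powershell
<#
  Added example, not code from the original post: list every FeatureUsage
  counter from a user hive. By default it reads the live HKCU hive; with
  -HivePath it loads an offline NTUSER.DAT under HKU\FU_Evidence (an
  assumed, arbitrary mount name). Loading a hive needs an elevated session
  and writes to the file, so point -HivePath at a working copy only.
#>
param(
    [string]$HivePath   # optional: path to a copied NTUSER.DAT
)

$mountShort = 'HKU\FU_Evidence'          # form reg.exe expects
$mountLong  = 'HKEY_USERS\FU_Evidence'   # form the Registry provider expects
$subPath    = 'Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage'

if ($HivePath) {
    & reg.exe load $mountShort $HivePath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Could not load hive $HivePath" }
    $root = "Registry::$mountLong\$subPath"
} else {
    $root = "HKCU:\$subPath"
}

try {
    # Each subkey (AppBadgeUpdated, AppLaunch, AppSwitched, ShowJumpView,
    # TrayButtonClicked) holds one value per item: the value name is the
    # application path / identifier or Task Bar button, the data is the count.
    $rows = foreach ($sub in Get-ChildItem -Path $root) {
        foreach ($name in $sub.GetValueNames()) {
            [pscustomobject]@{
                Subkey = $sub.PSChildName
                Item   = $name
                Count  = $sub.GetValue($name)
            }
        }
    }
    $rows | Sort-Object Subkey, @{ Expression = 'Count'; Descending = $true } |
        Format-Table -AutoSize
    # CSV copy for the case notes or timeline tooling
    $rows | Export-Csv -Path .\FeatureUsage.csv -NoTypeInformation
}
finally {
    if ($HivePath) { & reg.exe unload $mountShort | Out-Null }
}
```

The AppSwitched rows with the highest counts are the ones worth correlating first with other evidence of execution, since a single record there already shows the application was running at some point.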

The Windows registry has always been a good source of digital evidence, and it’s always good to learn about another useful artifact it offers. There are many different sources of evidence of execution, but there are never enough, because you never know where you’ll find the key artifact in your next forensic examination or incident response engagement.

Group-IB Digital Forensics