AboutDFIR.com – The Definitive Compendium Project

New Windows 11 Pro (22H2) Evidence of Execution Artifact!

By: Andrew Rathbun and Lucas Gonzalez

Background

In the last week of December 2022, a member of the #computer-forensics channel on the Digital Forensics Discord Server asked whether anyone recognized a Windows 11 folder path of interest, linked here. The location in question is C:\Windows\appcompat\pca. This may look like a familiar folder path, as the Amcache resides in C:\Windows\appcompat\Programs\Amcache.hve.

What is PCA?

PCA stands for Program Compatibility Assistant, which has been around since at least Windows 8, as seen here. However, the artifacts covered in this blog post haven’t always existed. PCA has a Windows service named pcasvc, which one can query using sc query pcasvc. As long as this service is running, the artifacts covered in this blog post will populate.

For example, running sc query pcasvc provides the following output:

SERVICE_NAME: pcasvc
TYPE : 30 WIN32
STATE : 4 RUNNING
(STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
WIN32_EXIT_CODE : 0 (0x0)
SERVICE_EXIT_CODE : 0 (0x0)
CHECKPOINT : 0x0
WAIT_HINT : 0x0

When did this artifact show up?

Utilizing the VanillaWindowsReference GitHub repository, we can see when this specific folder path appears in various Windows builds. If we look at the CSV for Windows 11 21H2 (November 2022 build), we don’t see evidence of this path. However, if we look at the CSV for Windows 11 22H2 (November 2022 build), we can see evidence of this path. This path appears as new as of the 22H2 version of Windows 11 Pro.

Location

Within the C:\Windows\appcompat\pca folder, there appear to be 3 .txt files.

C:\Windows\appcompat\pca\PcaAppLaunchDic.txt

C:\Windows\appcompat\pca\PcaGeneralDb0.txt

C:\Windows\appcompat\pca\PcaGeneralDb1.txt

Sample Artifacts

The DFIRArtifactMuseum contains a sample of the above .txt files located within C:\Windows\appcompat\pca. The sample artifacts can be found here.

Deep Dive

A research VM was created with Windows 11 Pro (22H2 – 22621.963) installed to generate artifacts for this blog post.

PcaAppLaunchDic.txt

PcaAppLaunchDic.txt contains pipe-delimited pairs of a file path and a timestamp, where the timestamp is the last time the given application was executed. For instance, a sample entry in this file looks like this:

C:\Program Files\Everything\Everything.exe|2022-12-28 16:06:24.212

Additionally, here’s a screenshot of the raw contents of PcaAppLaunchDic.txt:

Below is an example of PcaAppLaunchDic.txt being updated in real time upon execution of Everything.exe:

PcaGeneralDb0.txt

PcaGeneralDb0.txt provides the following information saved in a pipe-delimited format:

  • Runtime
  • Run status
  • Executable path
  • Description of the file
  • Software vendor
  • File version
  • Unknown Value (later determined to be ProgramId – thank you Costas!)
  • Exitcode value

Below is a sample entry from this file:

2022-05-12 21:32:42.556|2|%USERPROFILE%\appdata\local\githubdesktop\app-2.9.9\resources\app\git\cmd\git.exe|git|the git development community|2.32.0.windows.2|0006ea6a66e62a303f7b974dc4952647a80300000904|Abnormal process exit with code 0x80

Additionally, here’s a screenshot of the raw contents of PcaGeneralDb0.txt:

Regarding the Unknown Value, we’ve confirmed that it’s not a hash value, as seen below:

However, more research will need to be done to further understand what appears to be a unique value.

UPDATE: thank you to Costas K for sharing the following information regarding this Unknown Value:

TL;DR, the Unknown Value appears to be the ProgramId as recorded in the Amcache! 
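To make the two formats described above concrete, here is an added example parser for PcaAppLaunchDic.txt and PcaGeneralDb0.txt/PcaGeneralDb1.txt (this is not the PCAParser script referenced later in the post, and the field names are taken from the list above, with the seventh PcaGeneralDb0 field named program_id per the update). The sample content is constructed from the two entries quoted in the post.

```python
# Added example parser for the PCA text files described above; it is not the
# post's PCAParser script. Field names follow the post's list, with the seventh
# PcaGeneralDb0 field named program_id per the update in the post.
import re
from datetime import datetime
from typing import Dict, List

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"  # e.g. 2022-12-28 16:06:24.212
EXIT_RE = re.compile(r"0x([0-9A-Fa-f]+)")  # hex code inside the exit-text field
DB_FIELDS = ("runtime", "run_status", "path", "description", "vendor",
             "version", "program_id", "exit_text")

def _lines(text: str) -> List[str]:
    """Non-empty, whitespace-stripped lines (handles CRLF and a trailing newline)."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def parse_app_launch_dic(text: str) -> List[Dict]:
    """PcaAppLaunchDic.txt: one 'path|timestamp' pair per line."""
    out = []
    for line in _lines(text):
        path, ts = line.rsplit("|", 1)  # split on the last '|' only
        out.append({"path": path, "last_run": datetime.strptime(ts, TS_FMT)})
    return out

def parse_general_db(text: str) -> List[Dict]:
    """PcaGeneralDb0.txt / PcaGeneralDb1.txt: eight pipe-delimited fields."""
    out = []
    for line in _lines(text):
        f = line.split("|", 7)  # free-text exit message is the final field
        if len(f) != len(DB_FIELDS):
            raise ValueError(f"unexpected field count: {line!r}")
        rec = dict(zip(DB_FIELDS, f))
        rec["runtime"] = datetime.strptime(rec["runtime"], TS_FMT)
        rec["run_status"] = int(rec["run_status"])
        m = EXIT_RE.search(rec["exit_text"])  # e.g. "... exit with code 0x80"
        rec["exit_code"] = int(m.group(1), 16) if m else None
        out.append(rec)
    return out

# Constructed sample content; the two entries are the ones quoted in the post.
SAMPLE_DIC = "C:\\Program Files\\Everything\\Everything.exe|2022-12-28 16:06:24.212\n"
SAMPLE_DB0 = ("2022-05-12 21:32:42.556|2|%USERPROFILE%\\appdata\\local\\githubdesktop"
              "\\app-2.9.9\\resources\\app\\git\\cmd\\git.exe|git|the git development "
              "community|2.32.0.windows.2|0006ea6a66e62a303f7b974dc4952647a80300000904|"
              "Abnormal process exit with code 0x80\n")

if __name__ == "__main__":
    for rec in parse_app_launch_dic(SAMPLE_DIC) + parse_general_db(SAMPLE_DB0):
        print(rec)
```

The timestamps are parsed as naive datetimes because the post does not state their time zone; treat that as an open question when building a timeline.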

PcaGeneralDb1.txt

In the VM used for data generation for this blog post, a clean install of Windows 11 Pro did not populate PcaGeneralDb1.txt. However, on my personal computer, this file was populated but nowhere near as much as PcaGeneralDb0.txt.

Compare the file sizes of PcaGeneralDb0.txt and PcaGeneralDb1.txt.

Additionally, here’s a screenshot of the raw contents of PcaGeneralDb1.txt from my personal computer:

KAPE Target

A KAPE Target exists here. However, these paths may be moved if later research determines a more appropriate location (e.g., bundled in with the Amcache Target).

Tools to Parse

I wrote a PowerShell 5 script called PCAParser, which can be found here. Additionally, Costas K wrote a tool and did more research that can be found here.

Key Takeaways

PcaAppLaunchDic.txt appears to provide another reliable source of evidence of execution, similar to Prefetch, Amcache, etc, whereas more research needs to be conducted on the potential forensic value of PcaGeneralDb0.txt and PcaGeneralDb1.txt.

Future Research

We did some brief research using ProcMon and tested the execution of Everything.exe, but noticed that PcaAppLaunchDic.txt appears to be queried even when the topmost window changes, similar to some of the artifacts tracked in EventTranscript.db. This should be looked into further. To assist with those efforts, I’m providing a GIF of my research process using ProcMon as well as CSV output from that same session. Here is a GIF (which I couldn’t embed correctly in WordPress) illustrating this process. Lastly, here is the ProcMon output from the GIF above: ProcMonAppCompatPCA.

The Amcache should be cross-referenced to see if there’s any overlap in these .txt files, which could demonstrate a stronger link to the Amcache than what is presently understood. 

Conclusion

This artifact appears to be one of the first new artifacts found in Windows 11 since it was released in 2021. More research will need to be conducted to determine if there’s more value beyond a reliable last execution timestamp for a given application. Additionally, more research will need to be conducted on what types of applications are logged in these locations, i.e., GUI vs. CLI applications. More to come, and stay tuned!

Special Thanks

A special thank you to my co-author Lucas Gonzalez for discovering this artifact and bringing it up to the community in the Digital Forensics Discord Server, which ultimately sparked the idea for this blog post! Also, thank you to Costas K for helping with this article and to Phill Moore for providing similarly helpful feedback!
