| Plugin | Hive | What it gives you |
|---|---|---|
| amcache | AmCache | Executed programs |
| appcompatcache | SYSTEM | ShimCache execution evidence |
| shimcache | SYSTEM | File execution traces |
| bam | SYSTEM | Background Activity Monitor execution |
| userassist | NTUSER.DAT | GUI-launched programs |
| muicache | NTUSER.DAT / USRCLASS | Executed EXEs |
| recentapps | NTUSER.DAT | Recent app launches |
| featureusage | NTUSER.DAT | App usage counters |
| syscache | SysCache.hve | Execution evidence |
| prefetch | SYSTEM | Prefetch config only (not PF contents) |
| comdlg32 | NTUSER.DAT | Open/save dialog files |
| recentdocs | NTUSER.DAT | Opened documents |
| jumplistdata | NTUSER.DAT | Jump list references |
| mmc | NTUSER.DAT | Opened MMC files |
| runmru | NTUSER.DAT | Run dialog commands |
BLUE TEAM / DFI / ARTEFACT / WINDOWS / REGISTRY / RegRipper