BAM/DAM (Background/Desktop Activity Moderator)

Windows, Execution Evidence, Disk Image

Location

SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID> (Windows 10 1809 and later)
SYSTEM\CurrentControlSet\Services\bam\UserSettings\<SID> (Windows 10 1709 and 1803; the State subkey was added in 1809)
SYSTEM\CurrentControlSet\Services\dam\State\UserSettings\<SID> (DAM, same layout; typically empty on desktop hardware)

Description

Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) are Windows services whose registry keys record, per user SID, the executables that user has run. Each value under a SID subkey is named with the NT device path of the executable (for example \Device\HarddiskVolume3\Windows\System32\cmd.exe) and holds REG_BINARY data whose first 8 bytes are a little-endian 64-bit FILETIME giving the UTC time of the most recent execution. The SID subkey also holds Version and SequenceNumber values, which are bookkeeping and not executions.

Forensic Value

BAM/DAM provides user-attributable execution evidence with timestamps, filling a gap left by Prefetch (which does not record the executing user) and AmCache (whose timestamps reflect file creation or compilation rather than execution). Each entry links a specific executable path to the user SID that ran it and the UTC time of last execution. This is particularly valuable for identifying which user account was used to run attacker tools on shared systems. Two limits matter when building a timeline: only the most recent run of each path per SID is kept, so earlier runs of the same binary are overwritten, and paths are recorded as \Device\HarddiskVolumeN device paths that must be mapped to drive letters before they can be compared with other artifacts.
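Added example, not code from the original page: a parser for the value format described above, run over constructed sample data. It decodes the FILETIME in the first 8 bytes of each value, skips the Version and SequenceNumber bookkeeping values, maps device paths to drive letters through a caller-supplied volume map, and sorts the result newest first. The SIDs, paths, timestamps and the HarddiskVolume3 to C: mapping are all invented for the demonstration; on a real case the per-SID value dictionary would come from the SYSTEM hive and the volume mapping from the live host.

```python
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Bookkeeping values stored beside the executable-path values in each
# UserSettings\<SID> key; they must not be reported as executions.
NON_PATH_VALUES = {"Version", "SequenceNumber"}


def filetime_to_utc(raw: bytes) -> datetime:
    """Decode the first 8 bytes of a BAM/DAM value (little-endian FILETIME) to UTC."""
    if len(raw) < 8:
        raise ValueError("value data shorter than a FILETIME")
    (ticks,) = struct.unpack_from("<Q", raw, 0)
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def filetime_bytes(when: datetime, total_len: int = 24) -> bytes:
    """Build constructed sample value data: FILETIME in the first 8 bytes, zero
    padding after it. Real values carry 16 trailing bytes this example does not use."""
    ticks = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return struct.pack("<Q", ticks).ljust(total_len, b"\x00")


def normalize_device_path(device_path: str, volume_map: dict) -> str:
    """Rewrite \\Device\\HarddiskVolumeN\\... to a drive letter when the mapping is
    known; the trailing backslash check keeps Volume3 from matching Volume30.
    Unknown volumes are returned unchanged rather than guessed."""
    for device, letter in volume_map.items():
        if device_path.lower().startswith(device.lower() + "\\"):
            return letter + device_path[len(device):]
    return device_path


def parse_bam_user_settings(user_settings: dict, volume_map=None) -> list:
    """user_settings: {sid: {value_name: value_data_bytes}} as read from
    ...\\bam\\State\\UserSettings (1809+) or ...\\bam\\UserSettings (1709/1803).
    Returns one record per executable path, newest last execution first."""
    volume_map = volume_map or {}
    records = []
    for sid, values in user_settings.items():
        for name, data in values.items():
            if name in NON_PATH_VALUES:
                continue
            records.append({
                "sid": sid,
                "device_path": name,
                "path": normalize_device_path(name, volume_map),
                "last_execution_utc": filetime_to_utc(data),
            })
    records.sort(key=lambda r: r["last_execution_utc"], reverse=True)
    return records


# Constructed sample data (not from any real system): two SIDs, each with the
# bookkeeping values plus executable-path values.
T_ADMIN_PS = datetime(2023, 5, 1, 12, 0, 0, tzinfo=timezone.utc)
T_ADMIN_TOOL = datetime(2023, 5, 1, 12, 3, 27, tzinfo=timezone.utc)
T_USER_WORD = datetime(2023, 4, 30, 8, 15, 0, tzinfo=timezone.utc)

SAMPLE_USER_SETTINGS = {
    "S-1-5-21-1111111111-2222222222-3333333333-500": {
        "Version": struct.pack("<I", 1),
        "SequenceNumber": struct.pack("<I", 42),
        "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe":
            filetime_bytes(T_ADMIN_PS),
        "\\Device\\HarddiskVolume3\\Users\\Public\\tool.exe": filetime_bytes(T_ADMIN_TOOL),
    },
    "S-1-5-21-1111111111-2222222222-3333333333-1001": {
        "Version": struct.pack("<I", 1),
        "SequenceNumber": struct.pack("<I", 7),
        "\\Device\\HarddiskVolume3\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE":
            filetime_bytes(T_USER_WORD),
    },
}

# Constructed mapping; capture the real one from the live host (QueryDosDevice),
# since HarddiskVolumeN numbering is not reliably recoverable from an offline hive.
SAMPLE_VOLUME_MAP = {"\\Device\\HarddiskVolume3": "C:"}


def timeline(user_settings=SAMPLE_USER_SETTINGS, volume_map=SAMPLE_VOLUME_MAP) -> list:
    return parse_bam_user_settings(user_settings, volume_map)


if __name__ == "__main__":
    for r in timeline():
        print(r["last_execution_utc"].strftime("%Y-%m-%d %H:%M:%S UTC"), r["sid"], r["path"])
```

Feeding this the values exported by RECmd or Registry Explorer is a matter of building the same {sid: {name: bytes}} dictionary; the sort order makes the most recent execution per user the first thing an analyst sees, and leaving unmapped device paths untouched avoids silently assigning a binary to the wrong drive.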

Tools Required

  • KAPE
  • Registry Explorer (Eric Zimmerman)
  • RegRipper
  • RECmd (Eric Zimmerman)

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target RegistryHives

Run from an elevated prompt; the live SYSTEM hive is locked and the target copies it raw along with its transaction logs.

Registry Explorer

Open the SYSTEM hive in Registry Explorer (let it replay the .LOG1/.LOG2 transaction logs when prompted) and navigate to ControlSetNNN\Services\bam\State\UserSettings, or ControlSetNNN\Services\bam\UserSettings on 1709/1803. Use the control set named by Select\Current; offline hives have no CurrentControlSet link, so ControlSet001 is only a guess. Each SID subkey lists the executed paths, and the bundled BAM plugin decodes the FILETIME values.

RegRipper

rip.exe -r C:\output\SYSTEM -p bam

RECmd

RECmd.exe -f C:\output\SYSTEM --kn "ControlSet001\Services\bam\State\UserSettings" --csv C:\output --csvf BAM.csv

Collection Constraints

  • BAM requires Windows 10 1709 or later with the bam service present; the key moved from bam\UserSettings to bam\State\UserSettings in 1809, so check both locations. DAM is usually empty on desktop systems. Treat an empty key as inconclusive unless you have confirmed the build and that the service was running.
  • Only the most recent execution of each path per SID is retained; repeated runs of the same binary overwrite the earlier timestamp, so BAM cannot show execution frequency.
  • The live SYSTEM hive is locked; collect it with a raw-copy tool together with SYSTEM.LOG1 and SYSTEM.LOG2 so that unflushed transactions are replayed, and read the control set named in SYSTEM\Select\Current rather than assuming ControlSet001.
  • Paths are NT device paths (\Device\HarddiskVolumeN\...). Capture the drive-letter mapping from the live host where possible (for example via QueryDosDevice), because volume numbering is not reliably recoverable from an offline hive and can change when disks are added or removed.

MITRE ATT&CK Techniques

  • T1059 (Command and Scripting Interpreter)
  • T1204.002 (User Execution: Malicious File)