Analyzing program execution
This article is intended to give a high-level overview of analyzing program execution on various operating systems. A typical operating system has both direct and indirect program execution indicators.
- direct indicators; these are artifacts of subsystems involved in "executing" a program on the operating system, e.g. a Prefetch file.
- indirect indicators; these are artifacts that the program itself left behind while running, e.g. an MRU Registry key.
This article focuses on the direct program execution indicators.
Linux
Mac OS X
Windows
- Program crashes
  - Windows Error Reporting (WER)
  - Minidumps
- Services and drivers
- UserAssist Registry key
- Windows Application Compatibility
  - RecentFileCache.bcf
  - Amcache.hve
  - AppCompatCache Registry key
- Windows Memory Analysis
  - Hibernation file
  - Page file
- Windows Event Log
- Windows PC Accelerators
  - Prefetch
  - ReadyBoot
  - ReadyBoost
  - ReadyDrive
  - SuperFetch
- Run/RunOnce Registry keys (and equivalents)
- Windows Task Scheduler
  - Job files
  - TaskCache Registry key
  - XML task/job files (C:\Windows\System32\Tasks, C:\Windows\SysWOW64\Tasks)
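The Prefetch file named above as the canonical direct indicator carries the fields an examiner wants first: executable name, prefetch hash, run count and last run time(s). The parser below is an added example, not part of this wiki page; it reads those header fields for SCCA format versions 17, 23, 26 and 30 at the offsets of the publicly documented uncompressed layout, and builds a constructed version 26 header so it runs offline.

```python
"""Extract the direct-execution fields from a Windows Prefetch (.pf) file header."""
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# (last-run-time offset, number of time slots, run-count offset) per SCCA version.
_LAYOUT = {17: (120, 1, 144), 23: (128, 1, 152), 26: (128, 8, 208), 30: (128, 8, 208)}

def _filetime(value: int) -> Optional[datetime]:
    """Convert a FILETIME (100 ns ticks since 1601-01-01) to UTC; 0 marks an unused slot."""
    if value == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=value // 10)

def parse_prefetch(data: bytes) -> dict:
    """Return executable name, hash, run count and last-run times from raw .pf bytes."""
    if data[:3] == b"MAM":
        # Windows 10 and later store .pf files Xpress-Huffman compressed (MAM header).
        raise ValueError("compressed (MAM) prefetch file: decompress it first")
    version, signature, _unknown, _size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA" or version not in _LAYOUT:
        raise ValueError(f"not a supported SCCA prefetch file (version={version})")
    time_off, time_count, count_off = _LAYOUT[version]
    if len(data) < count_off + 4:
        raise ValueError("truncated prefetch header")
    name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]   # 60-byte UTF-16 name
    pf_hash = struct.unpack_from("<I", data, 76)[0]               # hash seen in the filename
    times = struct.unpack_from(f"<{time_count}Q", data, time_off)
    run_count = struct.unpack_from("<I", data, count_off)[0]
    return {
        "version": version,
        "executable": name,
        "hash": f"{pf_hash:08X}",
        "run_count": run_count,
        "last_runs": [t for t in (_filetime(v) for v in times) if t is not None],
    }

def make_sample_prefetch() -> bytes:
    """Constructed (synthetic) version-26 header; values are made up for the demo."""
    buf = bytearray(0x100)
    struct.pack_into("<I4sII", buf, 0, 26, b"SCCA", 0x11, len(buf))
    enc = "CALC.EXE".encode("utf-16-le")
    buf[16:16 + len(enc)] = enc
    struct.pack_into("<I", buf, 76, 0x0FE8F3B1)
    ft = 131_000_000_000_000_000            # FILETIME for 2016-02-15 08:53:20 UTC
    struct.pack_into("<8Q", buf, 128, ft, ft - 864_000_000_000, 0, 0, 0, 0, 0, 0)
    struct.pack_into("<I", buf, 208, 42)    # run count
    return bytes(buf)
```

Versions 26 and 30 keep up to eight last-run timestamps, so a single file can show several recent executions, not just the latest.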
Other
Note that third-party tooling such as anti-virus products or Host-based Intrusion Detection Systems (HIDS) can also be used to track program executions; what is recorded varies per product.
External Links
Windows
- HowTo: Determine Program Execution, by Harlan Carvey, July 06, 2013
- It Is All About Program Execution, by Corey Harrell, January 14, 2014