Edit current collections for amcache and usrclass

Question

Edit current collections for amcache and usrclass

JorahTheExplorer opened this issue 4 years ago · 3 comments

Hello, can we add the AMCache transaction logs to the windows.yaml file?

paths: ['%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG1']
paths: ['%%environ_systemroot%%\AppCompat\Programs\Amcache.hve.LOG2']

Also, current Usrclass.dat (and transaction logs) only collects the current user's usrclass and not the other user account's data. I'd propose a change to the path more in line with how NTuser.dat is collected, like the following:

- '%%users.userprofile%%\AppData\Local\Microsoft\Windows\UsrClass.dat'

Thank you for putting this together, it's extremely helpful

Answer 1 · 2020-07-20T04:36:28.000Z

Hello, can we add the AMCache transaction logs to the windows.yaml file?

Yes just propose changes in a PR.

Also, current Usrclass.dat (and transaction logs) only collects the current user's usrclass and not the other user account's data.

This is a limitation in your tool not in the definition.

Answer 2 · 2020-07-20T19:34:53.000Z

Thank you, I'll check my code.

Answer 3 · 2020-07-21T18:16:17.000Z

Thanks again!