HeapLeakDetection, specifically the registry key at HKLM\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications, is a powerful forensic artifact for investigating suspicious executables. This key tracks programs that Windows RADAR (Runtime Application Self-healing and Detection At Runtime) flags for memory leak detection.
- Registry location: HKLM\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications
- Contains a subkey for each detected executable
- Records a LastDetectionTime value for each detection event
- Continuously monitors system-wide memory behavior
According to research by Harel Segev, RADAR monitors processes based on several factors:
- Commits at least 5% of total physical memory (CommitThreshold)
- Checks processes at regular intervals (TimerInterval)
- Maintains a detection history to prevent duplicate entries
This repository includes a C++ program that demonstrates how to trigger Windows RADAR HeapLeakDetection:
- Controlled memory allocation in configurable chunks
- Real-time allocation monitoring
- Optimized for RADAR detection
- Continuous execution until detection
To reproduce a detection:
- Clone this repository
- Build using the provided build script or Visual Studio
- Run as administrator
- Monitor the registry for the detection entry
As highlighted by security researchers, this artifact provides:
- An alternative evidence source when traditional artifacts are missing
- Temporal correlation for suspicious executables
- Behavioral insights into application memory patterns
- Resilience against common anti-forensic techniques
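For the analysis side of this artifact, here is an added example (not part of this repository's C++ program) that parses a `.reg` export of the DiagnosedApplications key and lists each executable with its last detection time, newest first. It assumes LastDetectionTime is stored as a REG_QWORD holding a Windows FILETIME, which this README does not state; the export text and the executable names in it are constructed for the example.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample of a .reg export of the DiagnosedApplications key.
# Not a real system capture; executable names and timestamps are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\notepad.exe]
"LastDetectionTime"=hex(b):00,00,c3,fd,73,1d,d9,01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications\sample_tool.exe]
"LastDetectionTime"=hex(b):00,c0,2c,28,3d,1e,d9,01
"""

# Subkeys directly under this path are the executables RADAR diagnosed.
KEY_PREFIX = "\\RADAR\\HeapLeakDetection\\DiagnosedApplications\\"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC) to a UTC datetime.
    Assumption: LastDetectionTime uses this encoding."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_diagnosed_applications(reg_text: str) -> list:
    """Return (executable, last_detection_utc) pairs, newest detection first."""
    # .reg exports wrap long hex(b) values with a trailing backslash; rejoin them.
    reg_text = re.sub(r"\\\r?\n\s*", "", reg_text)
    results = []
    current_exe = None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            path = line[1:-1]
            idx = path.find(KEY_PREFIX)
            current_exe = path[idx + len(KEY_PREFIX):] if idx != -1 else None
            continue
        m = re.match(r'"LastDetectionTime"=hex\(b\):([0-9a-fA-F,]+)$', line)
        if m and current_exe:
            raw = bytes(int(b, 16) for b in m.group(1).split(","))
            (ft,) = struct.unpack("<Q", raw)  # REG_QWORD is little-endian
            results.append((current_exe, filetime_to_datetime(ft)))
    results.sort(key=lambda r: r[1], reverse=True)
    return results


if __name__ == "__main__":
    for exe, ts in parse_diagnosed_applications(SAMPLE_REG):
        print(f"{ts.isoformat()}  {exe}")
```

Export the live key with `reg export "HKLM\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications" radar.reg` and feed the file's contents to `parse_diagnosed_applications` to build a timeline of diagnosed executables for correlation with other artifacts.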
Contributions are welcome! Please feel free to submit pull requests or open issues for improvements.