BAM and DAM in Windows Forensics: Tracking Executed Applications

  • Feb 25
  • 3 min read

Windows keeps track of many user activities, and one of the lesser-known but valuable forensic artifacts is the Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM). These registry keys store evidence of executed programs, making them useful for tracking user activity, malware execution, and forensic investigations.


-----------------------------------------------------------------------------------------------------------


What Are BAM and DAM?

🔹 Background Activity Moderator (BAM)

  • First introduced in Windows 10 (build 1709) and still present in Windows 11.

  • Stores the full path of an executable and the last execution timestamp.

  • Designed to regulate background activity to improve battery life and system efficiency.

  • Entries expire after seven days if the program is inactive.


🔹 Desktop Activity Moderator (DAM)

  • Functions similarly to BAM but focuses on desktop applications.

  • Primarily found on devices using Modern Standby, a power management feature that limits desktop app activity when the screen is off.

  • Less commonly found on desktop PCs but can still appear on some systems.


Key Point: Both BAM and DAM store execution timestamps, but they are not permanent records; entries are removed after seven days of inactivity, or on the next reboot if the executable has been deleted.

-----------------------------------------------------------------------------------------------------------


Where Are BAM and DAM Stored in the Registry?

BAM and DAM data is recorded per user profile, meaning each user has their own set of logs.


SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

SYSTEM\CurrentControlSet\Services\dam\UserSettings\{SID}

Each user’s data is stored under their Security Identifier (SID), so you must identify the correct SID before extracting execution records.

-----------------------------------------------------------------------------------------------------------


What Data Do BAM and DAM Store?

Each BAM/DAM entry contains:

  • Full Path of Executable – The exact location of the program that was run.

  • Last Execution Timestamp – A 64-bit Windows FILETIME value (100-nanosecond intervals since 1 January 1601, UTC), showing when the program was last executed.

  • User-Specific Data – Entries are tied to individual users, identified by their SID.

-----------------------------------------------------------------------------------------------------------

Why Is BAM/DAM Important in Digital Forensics?

1. Even if a user deletes an application, BAM may still contain a record of its execution for up to seven days.

2. If malware ran on a system, BAM/DAM could provide evidence of when and where it was executed. However, malware running from USB drives or network shares will not appear in BAM.

3. Analysts can determine which programs a user interacted with, when they were used, and whether any unauthorized applications were executed.

4. BAM timestamps can vary by several minutes from the actual launch time, so it’s best to cross-reference BAM data with:
  • Prefetch files 

  • UserAssist registry

  • ShimCache & AmCache artifacts

-----------------------------------------------------------------------------------------------------------


Limitations of BAM and DAM

⚠️ Entries Are Not Permanent – BAM records are deleted after seven days of inactivity.

⚠️ No Records for Network/USB Executions – Programs executed from removable drives or network shares are not logged in BAM.

⚠️ Timestamps May Be Slightly Off – Execution times in BAM may differ by a few minutes from actual program launch times.


Because of these limitations, BAM/DAM should be used alongside other forensic artifacts for a complete investigation.

-----------------------------------------------------------------------------------------------------------

Final Thoughts: A Simple Yet Powerful Execution Artifact

The BAM and DAM registry keys provide a quick way to track recently executed applications on a Windows system. While entries only last for seven days, they can still offer crucial insights into user activity, malware infections, and forensic investigations.


🚀 Key Takeaway: If you’re investigating recent application execution on Windows (especially within the last seven days), BAM/DAM should be one of your go-to forensic artifacts! 🔍

-----------------------------------------------------------------------------------------------------------

Dean
