Tracking Microphone and Camera Usage in Windows (Program Execution: CapabilityAccessManager)


With more people working remotely than ever before, concerns about privacy and unauthorized access to microphones and webcams have grown. Windows now includes built-in tracking features that log when applications use these devices. This information is stored in the Windows Registry, making it a valuable forensic artifact for investigators.


Where Does Windows Store Microphone and Camera Usage Data?

Starting with Windows 10 (build 1903) and continuing in Windows 11, Microsoft introduced new Registry keys that log when applications access sensitive devices like microphones, webcams, and location services. These logs are stored in the following locations:


  • For system-wide settings:
    SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore

  • For user-specific settings:
    NTUSER\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore

Each of these Registry locations contains subkeys that track permissions and usage details for different system capabilities. The ones of most interest to forensic investigators are:


  • microphone → Logs apps that accessed the microphone

  • webcam → Tracks camera usage

  • location → Monitors GPS or location data


How Windows Tracks Application Activity

Each application that requests access to the microphone or camera gets logged under these Registry keys. Microsoft applications (like Teams or Skype) are stored in dedicated keys, while other applications are grouped under a NonPackaged key.


Each application entry contains:

  • Application Name and Path – The full path of the program that accessed the device

  • LastUsedTimeStart – The timestamp when the application started using the microphone or camera

  • LastUsedTimeStop – The timestamp when the application stopped using it


These timestamps are stored in Windows FILETIME format (a 64-bit timestamp). Investigators can convert these values into readable date and time formats to determine exactly when an app accessed the microphone or camera—and for how long.
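
The conversion described above, as an added example (not code from the original post): a Python parser for a `reg export` text dump of the ConsentStore keys that decodes the FILETIME values to UTC and computes the session length. The sample export is constructed, and two details are assumptions not stated on the page: NonPackaged subkey names hold the executable path with `#` in place of `\`, and a `LastUsedTimeStop` of zero means no stop time was recorded.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in `reg export` text form; paths and values are made up.
SAMPLE_REG = r"""
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\webcam\NonPackaged\C:#Program Files#Zoom#bin#Zoom.exe]
"LastUsedTimeStart"=hex(b):00,d0,2e,3d,34,67,db,01
"LastUsedTimeStop"=hex(b):00,1e,82,86,3a,67,db,01
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Users#Public#rec.exe]
"LastUsedTimeStart"=hex(b):00,1e,82,86,3a,67,db,01
"LastUsedTimeStop"=hex(b):00,00,00,00,00,00,00,00
"""

KEY_RE = re.compile(r"^\[.*\\ConsentStore\\([^\\\]]+)\\(?:NonPackaged\\)?([^\\\]]+)\]$")
VAL_RE = re.compile(r'^"(LastUsedTime(?:Start|Stop))"=hex\(b\):([0-9a-f,]+)$')
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ticks):
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def parse_consent_store(reg_text):
    """Return one record per application key that carries usage timestamps."""
    records, current = [], None
    for line in map(str.strip, reg_text.splitlines()):
        if line.startswith("["):
            key = KEY_RE.match(line)
            # Assumption: NonPackaged subkey names store the path with '#' for '\'.
            current = {"capability": key[1], "app": key[2].replace("#", "\\")} if key else None
            records.append(current)
            continue
        val = VAL_RE.match(line)
        if val and current is not None:
            # A REG_QWORD is exported as eight little-endian bytes.
            raw = bytes(int(b, 16) for b in val[2].split(","))
            current[val[1]] = int.from_bytes(raw, "little")
    out = []
    for r in records:
        if not r or "LastUsedTimeStart" not in r:
            continue  # unrelated key, or no usage timestamps under it
        stop = r.get("LastUsedTimeStop", 0)
        r["start"] = filetime_to_utc(r["LastUsedTimeStart"])
        # Assumption: a zero stop value means no stop was recorded (still in use).
        r["stop"] = filetime_to_utc(stop) if stop else None
        r["duration"] = r["stop"] - r["start"] if stop else None
        out.append(r)
    return out

if __name__ == "__main__":
    for r in parse_consent_store(SAMPLE_REG):
        print(r["capability"], r["app"], r["start"], r["duration"] or "no stop recorded")
```
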


Why This Data Matters in Forensic Investigations

This Registry data provides concrete evidence of microphone and camera activity, which can be useful in several scenarios:


1. Detecting Unauthorized Access

If a user suspects their microphone or webcam was activated without their knowledge, forensic analysts can check these keys to see if any suspicious applications accessed them.

2. Identifying Malware or Spyware

Not all applications that use the microphone or camera are legitimate. Malicious software that secretly records conversations or captures video might appear in these logs. If an unknown program shows up in the NonPackaged section or is running from an unusual location, it could be malware.

3. Investigating Insider Threats

In corporate investigations, these logs can help determine if an employee used unauthorized software for video conferencing or recorded private meetings.

4. Digital Evidence in Criminal Cases

If an attacker used a victim’s device to make calls, record video, or capture audio, these Registry logs could serve as key evidence, showing when and for how long the device was accessed.



Let’s go through a real-world example. A few days ago, I was giving an interview on my personal laptop, and I wanted to check if these details were logged in the Registry (using Zoom and the webcam). As mentioned earlier, I examined the Registry to see if any records were generated.

Refer to the screenshot below—you can see that the activity was indeed logged. Pay special attention to the timestamp, which is recorded in UTC format.

Additionally, if you look closely at the above screenshot, the logs also captured how long the session lasted, providing a detailed record of the event.


Final Thoughts: A Valuable Source of Digital Evidence

The CapabilityAccessManager Registry keys provide an excellent resource for tracking microphone and camera usage. Whether you’re investigating a privacy concern, looking for signs of malware, or gathering digital evidence in a forensic case, these logs offer valuable insights.


However, it’s crucial to cross-check this data with other forensic artifacts—such as event logs, system logs, and application history—to build a complete picture of user activity.

--------------------------------------------Dean-----------------------------------------

