TaskBar FeatureUsage: Tracking executed Applications
- Feb 25

Windows keeps detailed records of user interactions with the taskbar and GUI applications, but one of the most overlooked forensic artifacts is the FeatureUsage registry key. Introduced in Windows 10 (build 1903), this key tracks which applications were launched, how often they were used, and even how users interacted with the taskbar.
------------------------------------------------------------------------------------------------------------
What Is FeatureUsage?
FeatureUsage tracks taskbar-related user interactions, providing insight into application usage patterns, pinned shortcuts, notifications, and taskbar clicks.
Unlike some artifacts that get erased when a program is uninstalled, FeatureUsage data persists even after an application is removed. This makes it an excellent tool for investigating deleted applications like privacy cleaners, VPN clients, or unauthorized chat software.
What FeatureUsage Can Reveal:
✅ How often an application was launched (even if it was later uninstalled).
✅ Which applications were focused (active window) the most.
✅ How often the user interacted with the taskbar.
✅ Which notifications were most frequently displayed.
✅ How often the user right-clicked an application to access Jump Lists.
------------------------------------------------------------------------------------------------------------
Where Is FeatureUsage Stored in the Registry?
The FeatureUsage key is located in:
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage
Since this key is tied to individual user profiles, it exists within each user's NTUSER.DAT file.

-----------------------------------------------------------------------------------------------------------
Key Subkeys in FeatureUsage
The most valuable subkeys in FeatureUsage for forensic analysis are:
1️⃣ AppLaunch (Pinned App Execution Tracking)
Tracks applications pinned to the taskbar and how often they were launched via the pinned shortcut.
Even if an application is unpinned, the execution count remains.
Stores full file paths, making it useful for identifying programs installed in unusual locations (e.g., malware hiding in unexpected directories).

💡 Why This Matters:
If an application was pinned, it indicates the user was familiar with it and used it regularly.
Execution counts help determine the most-used applications.
Deleted applications may still have execution records in this key.
2️⃣ AppSwitched (Active Window Tracking)
Logs how often an application was brought into focus (i.e., when it became the active window).
Unlike AppLaunch, it tracks all applications, not just pinned ones.

💡 Why This Matters:
Shows which applications had the most user interaction.
Can reveal if suspicious applications (like hacking tools or keyloggers) were frequently used.
Useful for disproving claims of "I never used that program!" in investigations.
3️⃣ AppBadgeUpdated (Notification Tracking)
Tracks how many notifications were displayed for a given application.
Similar to mobile app notifications, some Windows applications display badges on taskbar icons.

💡 Why This Matters:
Helps reconstruct user engagement with an app—even if the app itself was never actively opened.
Can reveal how active a user was on specific apps like chat clients, social media, or VPNs.
4️⃣ ShowJumpView (Jump List Tracking)
Tracks how often a user right-clicked an application on the taskbar to access its Jump List.
Jump Lists provide quick access to recently used files or functions.

💡 Why This Matters:
If a user frequently accessed Jump Lists, it suggests deep interaction with an application.
Can show which files or features were used most often in certain programs.
-----------------------------------------------------------------------------------------------------------
Why FeatureUsage Is a Game-Changer for Digital Forensics
🚀 1. Tracks Application Usage Even After Uninstallation
Unlike Prefetch and AmCache, which may lose records when an app is removed, FeatureUsage keeps execution counts even after an app is uninstalled.
🚀 2. Provides Deep Insights Into User Activity
Tracks not just application execution, but also taskbar clicks, notifications, and search activity.
Reveals which applications users interacted with most.
🚀 3. Can Reveal Malicious or Suspicious Behavior
If an attacker used RDP to access a machine, FeatureUsage may show their interactions.
Can uncover frequent use of privacy tools, VPNs, or hacking software that a suspect claims they never used.
🚀 4. Complements Other Execution Artifacts
Works alongside Prefetch, UserAssist, BAM/DAM, and AmCache to build a timeline of user behavior.
Provides additional execution evidence for applications not fully tracked by other artifacts.
-----------------------------------------------------------------------------------------------------------
Best Practices for Investigating FeatureUsage Data
🔍 1. Cross-Reference Execution Artifacts
Compare AppSwitched data with UserAssist & Prefetch to confirm when applications were used.
Check the TrayButtonClicked subkey to see if a user searched for suspicious files.
🔍 2. Look for Deleted or Uninstalled Applications
If AppLaunch shows execution counts for a missing application, it was likely used before being uninstalled.
🔍 3. Prioritize High-Focus Applications
Sort AppSwitched data to see which applications had the most active user interaction.
🔍 4. Identify Anomalous Taskbar Interactions
If a user rarely opens Jump Lists, but a VPN shortcut has 50+ right-clicks, it suggests frequent VPN use.
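The checks above, applied to exported data, as an added example that is not part of the original post: this Python parses a .reg text export of the FeatureUsage key and runs practices 2 to 4 over it. The sample export, the ExampleVPN and tool.exe paths, the function names and the present_paths file listing are all constructed for illustration.

```python
import re

# Constructed sample: text of a .reg export of FeatureUsage (illustrative, not case data).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppLaunch]
"C:\\Program Files\\ExampleVPN\\vpn.exe"=dword:00000007
"C:\\Windows\\explorer.exe"=dword:00000021
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\AppSwitched]
"C:\\Windows\\explorer.exe"=dword:0000012c
"C:\\Users\\alice\\AppData\\Local\\Temp\\tool.exe"=dword:00000040
"C:\\Program Files\\ExampleVPN\\vpn.exe"=dword:00000019
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\FeatureUsage\ShowJumpView]
"C:\\Program Files\\ExampleVPN\\vpn.exe"=dword:00000034
'''

KEY_RE = re.compile(r'^\[.*\\FeatureUsage\\([^\\\]]+)\]$')
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{8})$')

def parse_feature_usage(reg_text):
    """Return {subkey: {value_name: count}} for the subkeys under FeatureUsage."""
    usage, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        key = KEY_RE.match(line)
        if line.startswith('['):
            current = key.group(1) if key else None  # any other key resets the context
            continue
        val = VAL_RE.match(line)
        if val and current:
            name = re.sub(r'\\(.)', r'\1', val.group(1))  # undo .reg escaping of \ and "
            usage.setdefault(current, {})[name] = int(val.group(2), 16)
    return usage

def top_focus(usage, n=3):
    """Practice 3: AppSwitched entries sorted by focus count, highest first."""
    return sorted(usage.get('AppSwitched', {}).items(), key=lambda kv: -kv[1])[:n]

def missing_apps(usage, present_paths):
    """Practice 2: entries with counts whose file is absent from the image's file listing."""
    present = {p.lower() for p in present_paths}
    return {sub: {n: c for n, c in usage.get(sub, {}).items() if n.lower() not in present}
            for sub in ('AppLaunch', 'AppSwitched')}

def jump_list_outliers(usage, threshold=50):
    """Practice 4: ShowJumpView counts at or above the threshold (50, as in the text)."""
    return {n: c for n, c in usage.get('ShowJumpView', {}).items() if c >= threshold}
```

For a real export, read the file with encoding='utf-16' before passing its text to parse_feature_usage, since reg export writes UTF-16.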
-----------------------------------------------------------------------------------------------------------
Final Thoughts: A Must-Check Registry Key for Investigators
FeatureUsage is one of the most valuable yet underutilized forensic artifacts in modern Windows systems. It offers deep insights into user behavior, tracks application usage even after uninstallations, and reveals hidden taskbar interactions.
🔑 Key Takeaways:
✅ Check FeatureUsage for execution counts of deleted applications.
✅ Use AppSwitched to track the most-used active window applications.
✅ Combine FeatureUsage with Prefetch, BAM/DAM, and UserAssist for a full picture.
🚀 If you're analyzing user activity on a Windows system, don’t overlook FeatureUsage—it could be the missing piece of the puzzle! 🔍
----------------------------------------Dean-------------------------------------