UsrClass.dat stores more history than you think

This is a quick post about two new plugins I wrote for RegRipper that will pull the following artifacts from a Windows 10 UsrClass.dat hive:

• Microsoft Edge web history (plugin msedge_win10.pl)
• Microsoft Photos recent file history (plugin photos_win10.pl)

The plugins will parse the following keys:

Microsoft Edge

• Local Settings \ Software \ Microsoft \ Windows \ CurrentVersion \ AppContainer \ Storage \ microsoft.microsoftedge_8wekyb3d8bbwe \ MicrosoftEdge \ TypedURLs
• Local Settings \ Software \ Microsoft \ Windows \ CurrentVersion \ AppContainer \ Storage \ microsoft.microsoftedge_8wekyb3d8bbwe \ MicrosoftEdge \ TypedURLsTime
• Local Settings \ Software \ Microsoft \ Windows \ CurrentVersion \ AppContainer \ Storage \ microsoft.microsoftedge_8wekyb3d8bbwe \ MicrosoftEdge \ TypedURLsVisitCount

Microsoft Photos

• Local Settings \ Software \ Microsoft \ Windows \ CurrentVersion \ AppModel \ SystemAppData \ Microsoft.Windows.Photos_8wekyb3d8bbwe

Here are some output examples:

msedge_win10 v.20180610
(USRCLASS.DAT) Get values from the user's Microsoft Edge Windows App key

|-- \Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe
|----- \MicrosoftEdge\TypedURLs
|----- \MicrosoftEdge\TypedURLsTime
|----- \MicrosoftEdge\TypedURLsVisitCount

url1 (TypedURLs)           -> https://www.google.it/
url1 (TypedURLsTime)       -> Tue Jan  2 17:19:53 2018 (UTC)
url1 (TypedURLsVisitCount) -> 4

photos_win10 v.20180610
(USRCLASS.DAT) Get values from the user's Microsoft Photos Windows App key

Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Photos_8wekyb3d8bbwe\Schemas
  PackageFullName => Microsoft.Windows.Photos_2017.37071.16410.0_x64__8wekyb3d8bbwe

Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Photos_8wekyb3d8bbwe\PersistedStorageItemTable\ManagedByApp

 {2091DC0D-FB11-4834-8ECB-E9F628131FA8}
   KeyLastWrite   : Sat Jun  9 14:50:21 2018 (UTC)
   LastUpdatedTime: Sat Jun  9 14:06:02 2018 (UTC)
   Metadata       : StartFileC:\Users\username\Desktop\3rd.jpg

## Microsoft Photos (Windows App): Recent Files ## (Tab-separated values)

StartFileC:\Users\username\Desktop\3rd.jpg       KeyLastWrite: Sat Jun  9 14:50:21 2018 (UTC)

The tests were done with registry hives exported from computers running Windows 10 version 1511 and 1709.

The scripts are available for download here on my GitHub page.

Let me know if you find any other interesting app storing history activity within this registry hive. There's more than just shellbags inside UsrClass.dat!

References

• Microsoft Edge Browser Evidence: DFSP # 060 – Browsing on the Edge
• Windows 8: Tracking Opened Photos
• RegRipper plugin photos.pl by Harlan Carvey for Win8 Photos app