reg-bam-entries

Retrieves BAM (Background Activity Moderator) entries, which record the last execution time of programs, from a SYSTEM registry hive file. BAM is a service introduced in Windows 10 version 1709 that tracks the execution history of background programs.

Command properties

Item                   Description
Command type           Driver query
Required permission    None
License usage          Licensed command
Parallel execution     Not supported
Distributed execution  Not supported

Syntax

reg-bam-entries [zippath=STR] [zipcharset=STR] PATH

Options

zippath=STR
Path to the ZIP file containing the registry hive file. When specified, reads the file matching PATH from inside the ZIP archive.
zipcharset=STR
Encoding for ZIP entry names (default: utf-8)

Target

PATH
SYSTEM registry hive file path. You can use a wildcard (*) to specify multiple files.

Output fields

Field           Type       Description
_file           string     Original file name
sid             string     SID of the user who executed the program
file_name       string     Executed program file name
file_path       string     Full path of the executed program
last_execution  timestamp  Last program execution time

Error codes

Parse errors

N/A

Runtime errors

N/A

Description

The reg-bam-entries command parses BAM entries from the ControlSet001\Services\bam\UserSettings key in the Windows SYSTEM registry hive file. BAM is a service in Windows 10 that manages background activity and records the last execution time of programs run by each user.

In forensic analysis, the SYSTEM hive file is typically located at C:\Windows\System32\config\SYSTEM.

Examples

  1. Retrieving BAM entries from a SYSTEM hive file

    reg-bam-entries /opt/logpresso/evidence/SYSTEM
    

    Retrieves all BAM entries from the specified SYSTEM hive file.

  2. Retrieving BAM entries from a SYSTEM hive inside a ZIP archive

    reg-bam-entries zippath=/opt/logpresso/evidence/registry.zip SYSTEM
    

    Retrieves BAM entries from the SYSTEM hive file inside a ZIP archive.

  3. Filtering execution history for a specific user from BAM entries

    reg-bam-entries /opt/logpresso/evidence/SYSTEM
    | search sid == "S-1-5-21-*"
    | sort -last_execution
    

    Retrieves BAM entries, keeps only those whose sid matches the pattern S-1-5-21-*, and sorts the execution history by last_execution in descending order (most recent first).
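The following is an added illustration, not part of the reg-bam-entries documentation or Logpresso's own code, of what the command does with the ControlSet001\Services\bam\UserSettings key (Description section) and what the SID filter and sort in example 3 produce. It assumes the key has already been read into a dictionary of {sid: {value name: value data}}; the SIDs, paths and timestamps below are constructed sample data.

```python
import struct
from datetime import datetime, timezone, timedelta
from fnmatch import fnmatch

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_iso(raw: bytes) -> str:
    """Decode an 8-byte little-endian FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO 8601."""
    ticks, = struct.unpack("<Q", raw[:8])
    return (FILETIME_EPOCH + timedelta(microseconds=ticks // 10)).isoformat()

def parse_bam_entries(user_settings, filename="SYSTEM"):
    """Turn {sid: {value_name: value_data}} read from bam\\UserSettings into rows with
    the same fields the command emits. Program entries are named by their path; the
    bookkeeping values "Version" and "SequenceNumber" have no leading backslash and are skipped."""
    rows = []
    for sid, values in user_settings.items():
        for name, data in values.items():
            if not name.startswith("\\") or len(data) < 8:
                continue
            rows.append({
                "_file": filename,
                "sid": sid,
                "file_name": name.rsplit("\\", 1)[-1],
                "file_path": name,
                "last_execution": filetime_to_iso(data),  # ISO strings sort chronologically
            })
    return rows

def newest_first_for_sid(rows, sid_pattern):
    """Equivalent of example 3: search sid == "S-1-5-21-*" | sort -last_execution."""
    matched = [r for r in rows if fnmatch(r["sid"], sid_pattern)]
    return sorted(matched, key=lambda r: r["last_execution"], reverse=True)

def _ft(ticks):
    # Constructed value data: the FILETIME occupies the first 8 bytes of a 24-byte value.
    return struct.pack("<Q", ticks) + bytes(16)

SAMPLE_USER_SETTINGS = {  # constructed sample, not from a real hive
    "S-1-5-21-1000-2000-3000-1001": {
        "Version": b"\x01\x00\x00\x00",
        "SequenceNumber": b"\x05\x00\x00\x00",
        "\\Device\\HarddiskVolume2\\Windows\\System32\\cmd.exe": _ft(133497936000000000),         # 2024-01-15 12:00:00 UTC
        "\\Device\\HarddiskVolume2\\Users\\alice\\Downloads\\setup.exe": _ft(133496946000000000),  # 2024-01-14 08:30:00 UTC
    },
    "S-1-5-18": {
        "\\Device\\HarddiskVolume2\\Windows\\System32\\svchost.exe": _ft(133496946000000000),
    },
}

if __name__ == "__main__":
    for row in newest_first_for_sid(parse_bam_entries(SAMPLE_USER_SETTINGS), "S-1-5-21-*"):
        print(row["last_execution"], row["sid"], row["file_path"])
```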