📄️ Amcache
Windows execution tracker
📄️ BITS
The Background Intelligent Transer Service (BITS)
📄️ Chocolatey
Chocolatey packages
📄️ Connections
Windows network connections
📄️ Extensible Storage Engine
Extensible Storage Engine (ESE) database
📄️ Event Logs
Primary source of logs on Windows
📄️ Files
Windows file metadata
📄️ Jumplists
Tracks files opened by applications in Windows Taskbar
📄️ Logons
Windows Logon events
📄️ MFT
Windows Master File Table
📄️ Most Recently Used
Most Recently Used entries
📄️ Outlook
Windows Email Client
📄️ Portable Executable
The native executable format for Windows
📄️ PowerShell History
PowerShell history entries
📄️ Prefetch
Tracks execution of files on workstations
📄️ Processes
Windows process metadata
📄️ Raw Files
Windows NTFS file metadata
📄️ RecycleBin
Windows files in the RecycleBin
📄️ Registry
Primary source of Windows configuration settings
📄️ Search
The Windows Search database
📄️ Service Installs
Windows Service Install events
📄️ Services
Services installed on Windows
📄️ Shellbags
List of directories accessed by Windows Explorer
📄️ ShellItems
Windows ShellItems
📄️ Shimcache
Tracks execution* of applications
📄️ ShimDB
Contains shims used by applications
📄️ Shortcuts
Metadata about recently opened files
📄️ SRUM
System Resource Utilization Monitor (SRUM) tracks application usage
📄️ SystemInfo
Windows system information
📄️ Scheduled Tasks
Scheduled Tasks setup on Windows
📄️ User Access Log
Windows User Access Log
📄️ Updates
Windows Update History
📄️ USBs
Connected USB devices
📄️ UserAssist
Tracks applications executed in Windows Explorer
📄️ Users
Users in the SAM Registry file
📄️ UsnJrnl
Tracks file changes
📄️ WMI
The Windows Management Instrumentation (WMI) Repository
📄️ WordWheel
Windows Explorer Search terms