NirSoft releases PC forensics tool ExecutedProgramsList
Utilities developer NirSoft has announced the release of ExecutedProgramsList, a portable PC forensics tool which lists programs and batch files previously launched on a PC.
For every program, ExecutedProgramsList displays the .exe file name, product name, version, description, and -- sometimes -- when it was last executed.
ExecutedProgramsList is more reliable than some similar tools as it assembles its data from multiple sources, including the Windows Prefetch folder and four Registry keys (…\Shell\MuiCache, …\ShellNoRoam\MUICache, …\AppCompatFlags\Compatibility Assistant\Persisted, …\AppCompatFlags\Compatibility Assistant\Store).
All this analysis can take a while, and the program appeared to hang when we first ran it, displaying "Not responding" in the title bar as we clicked the window.
We decided to wait, and a few seconds later the full report appeared. The program had found an impressive 1,050 executables. Clicking the "Last Executed" column header sorted them into execution order (where the dates and times were available), and as ever with NirSoft tools, the results can be saved as a text report for more detailed analysis later.
ExecutedProgramsList won’t catch everything launched on a PC, and if a system has been thoroughly cleaned that it may not list much at all. The program’s use of multiple data sources does make it more effective than some of the competition, though, and overall it’s a quick and easy way to explore how a PC is being used.