AppPaths

Overview

Evidence: AppPaths
Description: Enumerate AppPaths
Category: Registry
Platform: Windows
Short Name: apppaths
Is Parsed: Yes - Registry data parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The App Paths registry key allows applications to register custom search paths so they can be launched by name without specifying the full path. When a user types just the executable name (e.g., "chrome"), Windows searches the App Paths registry to find the full path.

Malware can abuse this mechanism to hijack application launches or establish persistence by registering malicious executables under legitimate application names.

Data Collected

Field            Description                          Example
KeyName          Application executable name          chrome.exe
KeyDefaultValue  Default value (full path to exe)     C:\Program Files\Google\Chrome\Application\chrome.exe
Path             Additional search path               C:\Program Files\Google\Chrome\Application
Username         User account (empty for HKLM)        user or empty
KeyPath          Registry key path                    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
LastWriteTime    Registry key last write time         2023-10-15T14:30:00
RegPath          Path to registry hive                Registry/SOFTWARE or Registry/ntuser.dat

Collection Method

This collector searches both machine and user registry locations:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*

For each application, it reads:

  • Default value (full executable path)

  • Path value (additional search path)

  • Registry key last write time
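The enumeration described above, written out as an added Python example (not the collector's own code): it walks the App Paths subkey in HKLM and the current user's HKCU, reads the default value, the Path value and the key's last write time, and emits one record per application using the field names from the table. The FILETIME conversion is what turns the raw last-write tick count into the ISO timestamp shown in the LastWriteTime column. Assumptions: a live Windows host (the winreg module is Windows-only, so it is imported inside the collecting function), the current user's HKCU only, and "HKLM"/"HKCU" as the RegPath label in place of the hive file names the collector reports.

```python
import os
from datetime import datetime, timedelta

# Subkey enumerated under both HKLM and HKCU (same path as the KeyPath field above).
APP_PATHS_SUBKEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths"


def filetime_to_iso(filetime):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC), which is what
    winreg.QueryInfoKey reports as a key's last write time, to ISO-8601 seconds."""
    return (datetime(1601, 1, 1) + timedelta(microseconds=filetime // 10)).isoformat(timespec="seconds")


def collect_app_paths():
    """Enumerate App Paths in HKLM and the current user's HKCU and return one dict
    per subkey using the collector's field names. Windows only: winreg is imported
    here so the pure helper above still loads on other platforms."""
    import winreg

    def read_value(key, name):
        # Missing values are common (many keys have no "Path"); report them as empty.
        try:
            value, _ = winreg.QueryValueEx(key, name)
        except OSError:
            return ""
        return os.path.expandvars(value) if isinstance(value, str) else str(value)

    # Assumption: a live collection labels hives "HKLM"/"HKCU" rather than by hive file.
    hives = [
        ("HKLM", winreg.HKEY_LOCAL_MACHINE, ""),
        ("HKCU", winreg.HKEY_CURRENT_USER, os.environ.get("USERNAME", "")),
    ]
    records = []
    for label, hive, username in hives:
        try:
            root = winreg.OpenKey(hive, APP_PATHS_SUBKEY)
        except OSError:
            continue  # this hive has no App Paths key at all
        with root:
            subkey_count = winreg.QueryInfoKey(root)[0]
            for index in range(subkey_count):
                key_name = winreg.EnumKey(root, index)
                with winreg.OpenKey(root, key_name) as key:
                    records.append({
                        "KeyName": key_name,
                        "KeyDefaultValue": read_value(key, ""),   # (Default) = full exe path
                        "Path": read_value(key, "Path"),          # additional search path
                        "Username": username,
                        "KeyPath": APP_PATHS_SUBKEY + "\\" + key_name,
                        "LastWriteTime": filetime_to_iso(winreg.QueryInfoKey(key)[2]),
                        "RegPath": label,
                    })
    return records


if __name__ == "__main__":
    for record in collect_app_paths():
        print(record["RegPath"], record["KeyName"], "->",
              record["KeyDefaultValue"], record["LastWriteTime"])
```

Two caveats when running this live rather than against a collected image: a 32-bit interpreter on 64-bit Windows is redirected to the WOW6432Node view of HKLM\SOFTWARE, and HKCU covers only the logged-on user, so other users' ntuser.dat hives must be parsed separately, as the Known Limitations section notes.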

Usage

App Paths can reveal application installations and persistence mechanisms. Investigators use this data to identify registered applications, track custom executable paths, verify application locations, detect application hijacking and persistence, and detect malware masquerading as legitimate applications.

Known Limitations

  • Only includes applications that register themselves

  • Many portable applications don't use App Paths

  • Can be manipulated by malware

  • Per-user entries require analyzing all user hives

Notes

Malware may register itself in App Paths to enable execution without full paths or to hijack legitimate application names. Compare App Paths entries with installed applications and file system evidence.
