AppPaths

Overview

Evidence: AppPaths
Description: Enumerate AppPaths
Category: System
Platform: windows
Short Name: apppaths
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The App Paths registry key allows applications to register custom search paths so they can be launched by name without specifying the full path. When a user types just the executable name (e.g., "chrome"), Windows searches the App Paths registry to find the full path.

Malware can abuse this mechanism to hijack application launches or establish persistence by registering malicious executables under legitimate application names.

Data Collected

This collector gathers structured data about App Paths registry entries.

AppPaths Data

Field           | Description                     | Example
KeyName         | Application executable name     | chrome.exe
KeyDefaultValue | Default value (full path to exe)| C:\Program Files\Google\Chrome\Application\chrome.exe
Path            | Additional search path          | C:\Program Files\Google\Chrome\Application
Username        | User account (empty for HKLM)   | user or empty
KeyPath         | Registry key path               | SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
LastWriteTime   | Registry key last write time    | 2023-10-15T14:30:00
RegPath         | Path to registry hive           | Registry/SOFTWARE or Registry/ntuser.dat

Collection Method

This collector searches both machine and user registry locations:

  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*

  • HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*

For each application, it reads:

  • Default value (full executable path)

  • Path value (additional search path)

  • Registry key last write time
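The same enumeration done by hand, as an added example that is not the collector's own code: it walks the HKLM and HKCU App Paths keys, emits the fields listed above, and flags entries whose default value does not resolve to an existing file or points outside the usual install directories. The last write time comes from advapi32 RegQueryInfoKey, since Get-ItemProperty does not expose it; the "expected location" prefixes are an assumption for triage, not a rule from the page.

```powershell
# Added example (not the collector's own code). Requires Windows PowerShell 5.1 or later.
$sig = @'
[DllImport("advapi32.dll")]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey, IntPtr lpClass, IntPtr lpcbClass,
    IntPtr lpReserved, IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@
$RegApi = Add-Type -MemberDefinition $sig -Name RegApi -Namespace Win32 -PassThru

function Get-RegKeyLastWriteTime([Microsoft.Win32.RegistryKey]$Key) {
    # The key's last write time is only reachable through RegQueryInfoKey; all optional out-params are NULL.
    $z = [IntPtr]::Zero; $ft = 0L
    if ($RegApi::RegQueryInfoKey($Key.Handle, $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft) -eq 0) {
        [DateTime]::FromFileTimeUtc($ft)
    }
}

$subkeyPath = 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
$hives = @{ 'HKLM' = [Microsoft.Win32.Registry]::LocalMachine; 'HKCU' = [Microsoft.Win32.Registry]::CurrentUser }
# Assumed "normal" install roots used only to flag unusual locations for review
$expected = @("$env:ProgramFiles\", "${env:ProgramFiles(x86)}\", "$env:SystemRoot\")
$noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

foreach ($hive in $hives.Keys) {
    $root = $hives[$hive].OpenSubKey($subkeyPath)
    if (-not $root) { continue }
    foreach ($name in $root.GetSubKeyNames()) {
        $k = $root.OpenSubKey($name)
        # Keep the stored (unexpanded) value for the record, expand it only for the file checks
        $default = [string]$k.GetValue('', $null, $noExpand)
        $exe = [Environment]::ExpandEnvironmentVariables($default).Trim('"')
        $flags = @()
        if ($exe -and -not (Test-Path -LiteralPath $exe -PathType Leaf)) { $flags += 'target missing' }
        if ($exe -and -not ($expected | Where-Object { $exe.StartsWith($_, 'OrdinalIgnoreCase') })) { $flags += 'unusual location' }
        if ($hive -eq 'HKCU') { $flags += 'per-user entry' }
        $user = if ($hive -eq 'HKCU') { $env:USERNAME } else { '' }
        [pscustomobject]@{
            KeyName = $name; KeyDefaultValue = $default; Path = [string]$k.GetValue('Path', $null, $noExpand)
            Username = $user; KeyPath = "$subkeyPath\$name"; LastWriteTime = Get-RegKeyLastWriteTime $k
            Flags = $flags -join '; '
        }
    }
}
```

Pipe the output to Format-Table or Export-Csv; rows whose Flags column is non-empty are the ones to compare against the known software inventory, and a recent LastWriteTime on a long-installed application name deserves a closer look.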

Forensic Value

App Paths can reveal application installations and detect persistence mechanisms. Investigators use this data to identify registered applications, detect application hijacking, track custom executable paths, identify persistence mechanisms, verify application locations, and detect malware masquerading as legitimate applications.