AppPaths
Overview
Evidence: AppPaths
Description: Enumerate AppPaths
Category: System
Platform: windows
Short Name: apppaths
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The App Paths registry key allows applications to register custom search paths so they can be launched by name without specifying the full path. When a user types just the executable name (e.g., "chrome"), Windows searches the App Paths registry to find the full path.
Malware can abuse this mechanism to hijack application launches or establish persistence by registering malicious executables under legitimate application names.
Data Collected
This collector gathers structured data about App Paths registry entries. Each record contains the fields listed below.
AppPaths Data
Field             Description                          Example
KeyName           Application executable name          chrome.exe
KeyDefaultValue   Default value (full path to exe)     C:\Program Files\Google\Chrome\Application\chrome.exe
Path              Additional search path               C:\Program Files\Google\Chrome\Application
Username          User account (empty for HKLM)        user or empty
KeyPath           Registry key path                    SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
LastWriteTime     Registry key last write time         2023-10-15T14:30:00
RegPath           Path to registry hive                Registry/SOFTWARE or Registry/ntuser.dat
Collection Method
This collector searches both machine and user registry locations:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*
For each application, it reads:
Default value (full executable path)
Path value (additional search path)
Registry key last write time
Forensic Value
App Paths entries reveal which applications are installed and can expose persistence mechanisms. Investigators use this data to identify registered applications, detect application hijacking, track custom executable paths, verify that registered paths point to the expected application locations, and detect malware masquerading as legitimate applications.
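The following script is an added example for the Collection Method and Forensic Value sections above; it is not the product's own collector code. It walks the same two registry locations on a live Windows host (the collector itself parses offline SOFTWARE and ntuser.dat hives), reads the default value, the Path value and the key's last write time, and then applies a few triage heuristics (target missing, target in a user-writable directory, unsigned target, key name not matching the target file name). Those heuristics are hypothetical review rules assumed for the example, not rules the page prescribes; the function names are likewise invented here.

```powershell
# Added example, not the collector's own code. Assumes Windows PowerShell 5.1+
# on a live host with advapi32.dll available. The flags produced by
# Test-AppPathsEntry are hypothetical triage heuristics for manual review.

# The registry provider does not expose a key's last write time, so call
# RegQueryInfoKey directly. Every optional out-parameter is passed NULL.
$RegInfo = Add-Type -Namespace 'AppPathsAudit' -Name 'Native' -PassThru -MemberDefinition @'
[DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
public static extern int RegQueryInfoKey(
    Microsoft.Win32.SafeHandles.SafeRegistryHandle hKey,
    IntPtr lpClass, IntPtr lpcbClass, IntPtr lpReserved,
    IntPtr lpcSubKeys, IntPtr lpcbMaxSubKeyLen, IntPtr lpcbMaxClassLen,
    IntPtr lpcValues, IntPtr lpcbMaxValueNameLen, IntPtr lpcbMaxValueLen,
    IntPtr lpcbSecurityDescriptor, out long lpftLastWriteTime);
'@

function Get-KeyLastWriteTime([Microsoft.Win32.RegistryKey]$Key) {
    $ft = 0L
    $z = [IntPtr]::Zero
    $rc = $RegInfo::RegQueryInfoKey($Key.Handle, $z, $z, $z, $z, $z, $z, $z, $z, $z, $z, [ref]$ft)
    if ($rc -ne 0) { return $null }
    [DateTime]::FromFileTimeUtc($ft)
}

function Get-AppPathsEntries {
    $sub = 'SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths'
    # HKLM first (Username empty, as in the collector's output), then every
    # loaded user hive under HKEY_USERS so other logged-on users are covered too.
    $roots = @([pscustomobject]@{ Root = 'Registry::HKEY_LOCAL_MACHINE'; Username = '' })
    $sidKeys = Get-ChildItem 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notmatch '_Classes$' }
    foreach ($sidKey in $sidKeys) {
        try {
            $name = ([System.Security.Principal.SecurityIdentifier]$sidKey.PSChildName).Translate(
                        [System.Security.Principal.NTAccount]).Value
        } catch { $name = $sidKey.PSChildName }   # unresolvable SID: keep the raw SID
        $roots += [pscustomobject]@{ Root = "Registry::HKEY_USERS\$($sidKey.PSChildName)"; Username = $name }
    }
    foreach ($root in $roots) {
        $base = "$($root.Root)\$sub"
        if (-not (Test-Path -LiteralPath $base)) { continue }
        foreach ($key in Get-ChildItem -LiteralPath $base) {
            [pscustomobject]@{
                KeyName         = $key.PSChildName          # e.g. chrome.exe
                KeyDefaultValue = $key.GetValue('')         # full path to the executable
                Path            = $key.GetValue('Path')     # additional search path
                Username        = $root.Username
                KeyPath         = "$sub\$($key.PSChildName)"
                LastWriteTime   = Get-KeyLastWriteTime $key
            }
        }
    }
}

function Test-AppPathsEntry {
    param([Parameter(Mandatory, ValueFromPipeline)] $Entry)
    process {
        $flags = New-Object System.Collections.Generic.List[string]
        $target = [string]$Entry.KeyDefaultValue
        if ([string]::IsNullOrWhiteSpace($target)) {
            $flags.Add('empty default value')
        } else {
            $exe = [Environment]::ExpandEnvironmentVariables($target).Trim('"')
            if (-not (Test-Path -LiteralPath $exe -PathType Leaf)) {
                $flags.Add('target missing on disk')
            } else {
                # Heuristic: registered applications normally live under Program Files
                # or Windows and carry a valid Authenticode signature.
                if ($exe -imatch '\\(AppData|Temp|Users\\Public|ProgramData)\\') {
                    $flags.Add('target in user-writable location')
                }
                $sig = Get-AuthenticodeSignature -LiteralPath $exe
                if ($sig.Status -ne 'Valid') { $flags.Add("signature $($sig.Status)") }
            }
            # Heuristic: a key named after one program but pointing at another
            # file is the masquerading pattern described on the page.
            $keyBase = [IO.Path]::GetFileNameWithoutExtension($Entry.KeyName)
            if ($keyBase -ine [IO.Path]::GetFileNameWithoutExtension($exe)) {
                $flags.Add('key name differs from target file name')
            }
        }
        $Entry | Add-Member -NotePropertyName Flags -NotePropertyValue ($flags -join '; ') -PassThru
    }
}

# Usage: collect every entry, then show only the ones that raised a flag.
$entries = Get-AppPathsEntries | Test-AppPathsEntry
$entries | Where-Object Flags |
    Format-Table KeyName, Username, KeyDefaultValue, LastWriteTime, Flags -AutoSize
```

Entries flagged by this script are leads for review, not verdicts: some legitimate installers register unsigned helpers or targets under ProgramData, so pair each flag with the key's LastWriteTime and the parsed hive data from the collector before drawing conclusions.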