CLR Logs

Overview

  • Evidence: CLR
  • Description: Collect CLR Log
  • Category: Other Evidence
  • Platform: Windows
  • Short Name: clr
  • Is Parsed: No - Raw log files and directories are collected
  • Sent to Investigation Hub: Yes
  • Collect File(s): No

Background

The .NET Common Language Runtime (CLR) generates diagnostic logs, crash dumps, and error reports for .NET applications. These logs are stored in user-specific directories and contain information about .NET application crashes, exceptions, and runtime errors.

CLR logs can provide evidence of .NET application failures, crashes, and error conditions that may be relevant to incident investigation or malware analysis.

Data Collected

Field        Description                  Example
Name         Artifact name                CLR Log
Type         Folder                       Folder
SourcePath   Original folder path         C:\Users\user\AppData\Local\Microsoft\CLRv4.0
Path         Relative path in evidence    Other/CLRv4.0

Collection Method

The collector gathers CLR log directories from the following location:

  • Users\*\AppData\Local\Microsoft\CLR*

All directories matching the CLR* pattern are collected recursively.
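As an added illustration (not the collector's own code), the Python below applies the same glob to a drive root, copies each matching folder to Other/<folder name> as in the Data Collected table, and records a SHA-256 per copied file so the evidence can be verified later. The drive root, the evidence root and the constructed sample profile used by demo() are assumptions.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Glob from the page's Collection Method, relative to the system drive root.
CLR_GLOB = "Users/*/AppData/Local/Microsoft/CLR*"
EVIDENCE_CATEGORY = "Other"  # evidence-tree prefix from the Path column

def sha256_file(path: Path) -> str:
    """Chunked hash so large crash dumps need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def collect_clr_logs(drive_root, evidence_root):
    """Copy every CLR* profile directory to evidence_root/Other/<name> and
    return one record per directory with a per-file SHA-256 manifest."""
    drive_root, evidence_root = Path(drive_root), Path(evidence_root)
    records = []
    for src_dir in sorted(drive_root.glob(CLR_GLOB)):
        if not src_dir.is_dir():
            continue  # the artifact is a folder; ignore a stray matching file
        rel = Path(EVIDENCE_CATEGORY) / src_dir.name  # e.g. Other/CLRv4.0
        dst_dir = evidence_root / rel
        if dst_dir.exists():  # same folder name from a second profile
            raise FileExistsError(f"would merge {src_dir} into {dst_dir}")
        # symlinks=True copies links as links instead of following them.
        shutil.copytree(src_dir, dst_dir, symlinks=True)
        files = {p.relative_to(dst_dir).as_posix(): sha256_file(p)
                 for p in sorted(dst_dir.rglob("*")) if p.is_file()}
        records.append({"Name": "CLR Log", "Type": "Folder",
                        "SourcePath": str(src_dir), "Path": rel.as_posix(),
                        "Files": files})
    return records

def demo():
    """Constructed sample profile (not real data): one CLRv4.0 usage log
    plus an unrelated folder that the pattern must skip."""
    root = Path(tempfile.mkdtemp())
    local = root / "drive" / "Users" / "user" / "AppData" / "Local" / "Microsoft"
    (local / "CLRv4.0" / "UsageLogs").mkdir(parents=True)
    (local / "CLRv4.0" / "UsageLogs" / "app.exe.log").write_bytes(b"hello")
    (local / "Edge").mkdir()
    (local / "Edge" / "other.log").write_bytes(b"not CLR")
    return collect_clr_logs(root / "drive", root / "evidence")
```

On a live system the call would be collect_clr_logs("C:/", <evidence root>); the manifest lets a reviewer confirm the copied logs are unchanged.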

Usage

CLR logs can reveal .NET application errors and crashes that may indicate malware behavior or application exploitation. Investigators use this data to analyze .NET application failures, detect malicious .NET assemblies, investigate application crashes, and identify .NET-based malware activity.

Known Limitations

  • Only present if .NET applications have run

  • May not exist on systems without .NET applications

  • Logs may be periodically cleaned

  • Requires .NET knowledge to interpret

Notes

CLR logs can contain stack traces and assembly information that may reveal malicious .NET code or exploitation attempts.
