Hello Reader,
This week an anonymous submitter has won the day, and a 4TB External Hard Drive. It’s important to keep track of what changes, especially when it comes to OSes that we may not be dealing with daily yet. This week’s answer does a good job of showing some of what’s changed, but there is more that you should be aware of. Your greatest challenge in dealing with Windows 8 is just getting all your regular tools to run! With all this said, here is this week’s winning answer!

The Challenge:
1. Explain the artifacts for execution you can find on Windows XP and Windows 8
2. For those artifacts that are in the same location for both, explain what differences exist

The Winning Answer:

Program Execution: following are some of the well-known artifacts one may find on Windows XP/7/8 systems along with relevant distinctions across the Windows versions:

Application Compatibility Cache: used to determine issues relating to application compatibility with executables; can be used to track executables by file name, size, last modified time and last update time (only in WinXP)
WinXP –> SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
Win7/8 –> SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache

Jump Lists: unique to versions of Windows 7 and greater, allows users to quickly access frequent/recent selections; can determine first/last time of execution of an application
Win7/8 –> C:\Users\%user%\AppData\Roaming\Microsoft\Windows\Recent\AutomaticDestinations

Prefetch: Used by Microsoft Windows for preloading code pages of often-used applications; can be used to tell if an application had been executed on a system (uses a calculated hash for the directory from where the application was run); may not necessarily be enabled on all systems as there are discrepancies across Windows versions.
WinXP/Vista/7/8 –> C:\Windows\Prefetch

Last Visited MRU: Logs specific executable called by an application for opening files documented in the OpenSaveMRU key; also tracks directory location for the last file accessed by an application.
WinXP –> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU
Win7/8 –> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU

RunMRU Start (Run): logs usage of Start -> Run sequence for loading executables
WinXP/7/8 –> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU

UserAssist: Tracks GUI-based applications that are launched from the user’s desktop in the launcher on Windows systems
WinXP/7/8 –> NTUSER.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Where GUID can be one of the following:
XP –> 75048700 (Active Desktop)
Win7/8
        –> CEBFF5CD (.EXE file execution)
        –> F4E57C4B (Shortcut file execution)
        –> 6D809377 (ProgramFilesX64)
        –> 7C5A40EF (ProgramFilesX86)
        –> 1AC14E77 (System)
        –> D65231B0 (SystemX86)
        –> B4BFCC3A (Desktop)
        –> FDD39AD0 (Documents)
        –> 374DE290 (Downloads)
        –> 0762D272 (User Profiles)

In addition, one can review Windows Event logs for service related information.
Services Events: log of services that were started/stopped; can also identify services that start on boot (ultimately determine file/executable associated with service); requires reviewing event logs; following are relevant event IDs:
7034 –> service crashed unexpectedly
7035 –> Service sent a Start/Stop command
7036 –> Service started/stopped
7040 –> Start type changed
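
As an added example that is not part of the winning answer: Python code that triages the four service event IDs listed above over exported System log records, grouping them per service and flagging services that crashed or had their start type changed. The sample records, their one-line layout and the English message wording are constructed assumptions.

```python
import re
from collections import defaultdict

# Event IDs and meanings as listed in the answer above.
SCM_EVENTS = {
    7034: "crashed unexpectedly",
    7035: "start/stop control sent",
    7036: "started/stopped",
    7040: "start type changed",
}

# Constructed sample records (timestamp, event ID, message); the message
# wording is assumed to follow the English Service Control Manager text.
SAMPLE_LOG = """\
2013-05-01T09:58:12 7035 The Updater Helper service was successfully sent a start control.
2013-05-01T09:58:13 7036 The Updater Helper service entered the running state.
2013-05-01T10:02:40 7034 The Updater Helper service terminated unexpectedly. It has done this 1 time(s).
2013-05-01T10:03:05 7040 The start type of the Updater Helper service was changed from demand start to auto start.
2013-05-01T10:04:00 6005 The Event log service was started.
2013-05-01T10:05:31 7036 The Print Spooler service entered the stopped state.
"""

LINE_RE = re.compile(r"^(\S+) (\d+) (.*)$")
# Service name sits between "The [start type of the] " and " service".
NAME_RE = re.compile(r"^The (?:start type of the )?(.+?) service\b")

def service_timeline(log_text):
    """Group service events by service name, ignoring other event IDs."""
    timeline = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group(2)) not in SCM_EVENTS:
            continue
        name = NAME_RE.match(m.group(3))
        if name:
            timeline[name.group(1)].append((m.group(1), int(m.group(2))))
    return dict(timeline)

def services_to_review(timeline):
    """Services that crashed (7034) or had their start type changed (7040)."""
    return sorted(name for name, events in timeline.items()
                  if any(eid in (7034, 7040) for _, eid in events))

if __name__ == "__main__":
    tl = service_timeline(SAMPLE_LOG)
    for name in services_to_review(tl):
        print(name, [(ts, SCM_EVENTS[eid]) for ts, eid in tl[name]])
```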