GUY NGONGANG on DIGITAL FORENSICS

TRACING REGISTRY KEYS

Microsoft uses Tracing keys to trace issues and monitor applications and their execution. The key lives in the SOFTWARE hive (on disk at C:\Windows\system32\Config\SOFTWARE) under Microsoft\Tracing. The key as seen in the registry is shown below.

In the case of the application svchost.exe, I will focus on the RASAPI32 and RASMANCS registry keys, located at:

SOFTWARE: Microsoft\Tracing\svchost_RASAPI32

SOFTWARE: Microsoft\Tracing\svchost_RASMANCS

RASAPI32 corresponds to rasapi32.dll and RASMANCS corresponds to rasmans.dll. These DLLs belong to the Remote Access Service, and their presence under Tracing indicates that the application was making network communications.

The RASAPI32 and RASMANCS registry keys both contain the same set of values, shown below.

Contents of RASAPI32 and RASMANCS keys

FileDirectory is the path where the trace logs are written when tracing is enabled.

EnableFileTracing and EnableConsoleTracing are both set to "0", meaning no trace logs were created for svchost.exe.
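The following PowerShell script is an added example, not code from the original post. It enumerates every subkey under Microsoft\Tracing, splits the subkey name into process and component (svchost_RASAPI32 becomes svchost / RASAPI32), maps the two RAS components discussed above to their DLLs, and reports the EnableFileTracing, EnableConsoleTracing and FileDirectory values so an analyst can see at a glance which processes touched the Remote Access APIs and whether a trace log should exist on disk. It runs against the live hive by default; for an offline SOFTWARE hive copied from evidence, load it first with `reg load HKLM\OfflineSW <path to SOFTWARE>` and pass `-TracingRoot 'HKLM:\OfflineSW\Microsoft\Tracing'` (that mount name and the `.LOG` file naming are assumptions for this example, as is the expansion of %windir% using the analysis machine's own environment).

```powershell
# Added example (not from the original post): report on HKLM\SOFTWARE\Microsoft\Tracing subkeys.
# Assumes a live system, or an offline SOFTWARE hive loaded with e.g.
#   reg load HKLM\OfflineSW C:\evidence\SOFTWARE     (mount name is an assumption)
# in which case pass -TracingRoot 'HKLM:\OfflineSW\Microsoft\Tracing'.
param(
    [string]$TracingRoot = 'HKLM:\SOFTWARE\Microsoft\Tracing'
)

# Component -> DLL mapping from the post; any other component is reported with no DLL.
$RasComponents = @{
    'RASAPI32' = 'rasapi32.dll'
    'RASMANCS' = 'rasmans.dll'
}

function Get-TracingKeyReport {
    param([string]$Root)

    Get-ChildItem -Path $Root -ErrorAction Stop | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $name  = $_.PSChildName

        # Subkey names look like <process>_<component>, e.g. svchost_RASAPI32
        $process, $component = $name -split '_', 2
        $dll = if ($component -and $RasComponents.ContainsKey($component)) { $RasComponents[$component] } else { $null }

        # FileDirectory is REG_EXPAND_SZ (typically %windir%\tracing); expand it so the analyst
        # knows where to look. On an offline hive this uses the analysis box's %windir% (assumption).
        $expanded = if ($props.FileDirectory) { [Environment]::ExpandEnvironmentVariables($props.FileDirectory) } else { $null }

        [pscustomobject]@{
            Key                  = $name
            Process              = $process
            Component            = $component
            RelatedDll           = $dll
            EnableFileTracing    = [int]$props.EnableFileTracing     # missing value reads as 0
            EnableConsoleTracing = [int]$props.EnableConsoleTracing
            FileDirectory        = $props.FileDirectory
            ExpandedDirectory    = $expanded
        }
    }
}

$report = Get-TracingKeyReport -Root $TracingRoot

# 1. Processes with RAS-related tracing keys: evidence the process used Remote Access APIs
$report | Where-Object { $_.RelatedDll } |
    Sort-Object Process, Component |
    Format-Table Process, Component, RelatedDll, EnableFileTracing, EnableConsoleTracing -AutoSize

# 2. Keys where file tracing is on: a trace log may exist in FileDirectory.
#    Assumed naming: <keyname>.LOG inside that directory.
$report | Where-Object { $_.EnableFileTracing -eq 1 } | ForEach-Object {
    $logPath = Join-Path $_.ExpandedDirectory ("{0}.LOG" -f $_.Key)
    "[{0}] file tracing enabled; expected log {1} (exists: {2})" -f $_.Key, $logPath, (Test-Path $logPath)
}
```

Run it as an administrator so the hive (or loaded offline hive) is readable. Section 1 is the artifact the post is after: a process name paired with RASAPI32 or RASMANCS shows that process initialised the Remote Access components, regardless of whether tracing was ever switched on. Section 2 only lists keys whose EnableFileTracing is 1; in the svchost.exe case above both flags are 0, so it prints nothing and no trace log is expected.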

Happy Hunting.
