Background activity moderator (BAM)
The Background Activity Moderator (BAM) key seems to have been introduced in Windows 10 after version 1709.
The BAM keys can be found in the following Registry paths:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\
Within the UserSettings key, there is a key for each user SID containing a value for each tracked executable.
Example Entry
Registry Key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\S-1-5-21-321011808-3761883066-353627080-1000
Value Name:
\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Value Data:
00000000 15 3e ae 36 57 de d4 01 00 00 00 00 00 00 00 00 |.>®6WÞÔ.........|
00000010 00 00 00 00 02 00 00 00 |........|
Value Data Format
| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 8 | Execution time Contains a FILETIME |
|
| 8 | 8 | Unknown (empty values) | |
| 16 | 4 | Flag indicating whether the entry is a "Windows app" | |
| 20 | 4 | 0x02, 0x00, 0x00, 0x00 | Unknown (always 2) |