BAM / DAM — Background Activity Moderator

The Background Activity Moderator is one of the quietest execution artifacts in Windows forensics — a handful of registry values that record the last execution time of every program launched by each user. When Prefetch is disabled, Shimcache is ambiguous, and Amcache has been tampered with, BAM frequently provides the only surviving proof that a specific executable ran under a specific user account.

What Is BAM/DAM?

The Background Activity Moderator (BAM) and Desktop Activity Moderator (DAM) are Windows services introduced in Windows 10 version 1709 (Fall Creators Update, October 2017). BAM tracks execution of background applications, while DAM monitors desktop (foreground) applications. Both services write binary timestamp values to the SYSTEM registry hive under their respective service keys, recording the last execution time of each executable path for each user SID on the system.

Microsoft designed BAM/DAM as part of the Modern Standby power management framework. The operating system uses these timestamps to determine which applications have recently executed and whether they should be allowed to continue running during low-power states. From a forensic perspective, the side effect is invaluable: Windows silently records a per-user, per-executable timestamp every time a program runs — and it does so in the SYSTEM hive, which is typically collected as part of standard forensic triage.

Each registry value under the BAM/DAM key represents one executable. The value name is the full NT device path of the executable (e.g., \Device\HarddiskVolume3\Users\jdoe\Desktop\mimikatz.exe), and the value data is a binary blob containing a Windows FILETIME timestamp representing the last time that executable was run by the user identified in the parent key’s SID.

Location & Format

Registry Paths

Value Format

Each value under a user’s SID key follows this structure:

NT Device Path Resolution

BAM records paths using NT device notation rather than drive letters. The mapping between NT device paths and logical drives is stored in the SYSTEM\MountedDevices registry key. Common mappings include:

# Common NT device path to drive letter mappings
\Device\HarddiskVolume1  =  C:\   (System Reserved / EFI)
\Device\HarddiskVolume2  =  C:\   (OS partition, single-partition systems)
\Device\HarddiskVolume3  =  C:\   (OS partition, multi-partition systems)
\Device\HarddiskVolume4  =  D:\   (Data or secondary partition)

# Example BAM entry decoded:
\Device\HarddiskVolume3\Users\jdoe\AppData\Local\Temp\nc.exe
  =  C:\Users\jdoe\AppData\Local\Temp\nc.exe

What It Reveals

BAM/DAM answers a targeted set of forensic questions with high confidence:

• Did a specific executable run? — If a BAM entry exists for the path, the binary executed. BAM does not record file existence, only execution.
• When was the last execution? — The FILETIME timestamp records the most recent execution time with 100-nanosecond precision.
• Which user account ran it? — Each BAM entry is stored under a specific user SID, providing direct user attribution.
• What was the full path of the executable? — The NT device path reveals whether the tool was in System32, %TEMP%, a USB drive, or a user’s Desktop.
• Did a tool run from a non-standard location? — cmd.exe running from \Device\HarddiskVolume3\Users\jdoe\Desktop\cmd.exe (a copied binary) versus \Device\HarddiskVolume3\Windows\System32\cmd.exe is immediately visible.
• Did execution occur from a removable device? — Paths beginning with \Device\HarddiskVolume5 or similar high-numbered volumes often indicate USB drives, providing evidence of portable tool execution.

Forensic Use Cases

1. Lateral Movement Tool Detection

An attacker moves laterally using PsExec, dropping PSEXESVC.exe on a target host. BAM on the target records \Device\HarddiskVolume3\Windows\PSEXESVC.exe under the compromised service account SID. Even if the attacker deletes PSEXESVC.exe after use, the BAM entry persists until the next reboot — and if the SYSTEM hive is collected before reboot, the execution is proven.

2. Credential Dumping Attribution

An administrator account runs mimikatz.exe from a USB drive. BAM records \Device\HarddiskVolume5\tools\mimikatz.exe under the administrator’s SID. The NT device path proves the tool was on a removable volume (Volume5), not the system drive. Combined with USB device connection artifacts from SYSTEM\Enum\USBSTOR, the investigator can identify the specific USB device used.

3. Insider Threat — Unauthorized Tool Execution

Corporate policy prohibits the use of cloud sync clients. An employee downloads and runs rclone.exe from %APPDATA%. BAM records the execution with the employee’s SID. Even though the employee later deletes the binary, the BAM entry proves execution occurred, and the FILETIME timestamp pins it to a specific date and time.

4. Ransomware Execution Timeline

During a ransomware investigation, BAM entries on the patient-zero host show the ransomware payload executed from \Device\HarddiskVolume3\ProgramData\svchost32.exe at 02:47:23 UTC. This timestamp, combined with the user SID, identifies which compromised account was used to trigger the encryption. Earlier BAM entries for reconnaissance tools (net.exe, nltest.exe, AdFind.exe) provide the pre-encryption activity timeline.

5. Validating Shimcache Entries

Shimcache records the presence of a suspicious executable but does not confirm execution (in Windows 10, Shimcache entries can be created by file copy operations). A corresponding BAM entry for the same path confirms actual execution, resolving the ambiguity. BAM serves as the execution confirmation that Shimcache lacks.

Volatility & Reboot Behavior

Acquisition Methods

Live System — Registry Export

:: Export the BAM key directly from a live system (1903+ path)
reg export "HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings" C:\Evidence\bam_export.reg

:: For pre-1903 systems, use the older path
reg export "HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings" C:\Evidence\bam_export.reg

:: Also export the DAM key
reg export "HKLM\SYSTEM\CurrentControlSet\Services\dam\State\UserSettings" C:\Evidence\dam_export.reg

Live System — SYSTEM Hive Copy

:: Save a copy of the SYSTEM hive (contains BAM/DAM data)
reg save HKLM\SYSTEM C:\Evidence\SYSTEM_hive

:: Using KAPE for automated collection
kape.exe --tsource C: --tdest C:\Evidence\KAPE_Output --target RegistryHives

:: Using Velociraptor
:: Artifact: Windows.Registry.BAM
:: Or: Windows.KapeFiles.Targets with target "RegistryHives"

Forensic Image — Direct Extraction

# Mount forensic image read-only
mount -o ro,noexec,nodev /dev/sdb1 /mnt/evidence

# Copy the SYSTEM hive
cp /mnt/evidence/Windows/System32/config/SYSTEM /analysis/registry/

# Also collect the SAM hive for SID-to-username resolution
cp /mnt/evidence/Windows/System32/config/SAM /analysis/registry/

Parsing Tools & Analysis

Parsing with RECmd

:: Parse BAM entries using RECmd with the BAM batch plugin
RECmd.exe -f C:\Evidence\SYSTEM_hive --bn BatchExamples\BAM.reb --csv C:\Analysis\BAM_Output

:: Output: CSV with columns:
::   LastWriteTimestamp, HivePath, Description, Category,
::   ValueName (exe path), ValueData (timestamp), Comment

Parsing with RegRipper

:: Run the bam plugin against the SYSTEM hive
rip.exe -r C:\Evidence\SYSTEM_hive -p bam

:: Sample output:
:: bam v.20200518
:: S-1-5-21-3456789012-1234567890-987654321-1001
::   \Device\HarddiskVolume3\Windows\System32\cmd.exe
::     2026-03-15 14:32:07 UTC
:: 
::   \Device\HarddiskVolume3\Users\jdoe\Desktop\mimikatz.exe
::     2026-03-15 14:28:51 UTC

Custom Python Parser

from Registry import Registry
import struct, datetime

reg = Registry.Registry('/analysis/registry/SYSTEM')

# Determine current ControlSet
select = reg.open('Select')
current = select.value('Current').value()
cs = f'ControlSet00{current}'

# Navigate to BAM State (1903+ path)
try:
    bam = reg.open(f'{cs}\\Services\\bam\\State\\UserSettings')
except:
    bam = reg.open(f'{cs}\\Services\\bam\\UserSettings')  # pre-1903

for sid_key in bam.subkeys():
    print(f'\n=== {sid_key.name()} ===')
    for val in sid_key.values():
        if val.name() == 'Version' or val.name() == 'SequenceNumber':
            continue
        ts_bytes = val.value()[:8]
        ts = struct.unpack('<Q', ts_bytes)[0]
        dt = datetime.datetime(1601,1,1) + datetime.timedelta(microseconds=ts//10)
        print(f'  {dt} UTC  {val.name()}')

Retention & Persistence

Anti-Forensics Resilience

BAM/DAM has a mixed anti-forensics profile. Its greatest vulnerability is its volatile nature on modern Windows builds.

MITRE ATT&CK Detection Mapping

BAM/DAM entries provide evidentiary support for detecting the following MITRE ATT&CK techniques:

Related Artifacts & Cross-References

Complementary Artifacts

References

1. Eric Zimmerman, “Registry Explorer / RECmd” — https://ericzimmerman.github.io/
2. Harlan Carvey, “RegRipper — BAM Plugin” — https://github.com/keydet89/RegRipper3.0
3. SANS Institute, “Windows Forensic Analysis Poster” — https://www.sans.org/posters/windows-forensic-analysis/
4. 13Cubed, “BAM — Background Activity Moderator” — https://www.13cubed.com
5. Andrew Rathbun, “BAM Internals and Forensic Analysis” — https://github.com/AndrewRathbun
6. ForensicArtifacts.com, “BAM Artifact Definition” — https://github.com/ForensicArtifacts/artifacts
7. Microsoft, “Modern Standby” — https://learn.microsoft.com