I was roaming around some Win10 images and noticed I had the RecentApps registry key to go through. I don’t see it that often and thought I should go and take a look at when Microsoft added it, and took it away.
Thankfully, past me had the smarts to create a bunch of Windows 10 VMs! Where did I find the ISOs, you ask? I can’t remember. Microsoft hosted them somewhere for a bit, maybe they still do?
Anyways, here’s a table that I put together of Win10 systems that have the RecentApps key available in a base install. I haven’t tested what happens when you run updates, but I do know that it was not in my 1709 install, but I’ve seen it populated on at least one system when 1709 was active. Maybe it was updating the key if it existed?
| Version | RecentApps? | File GUID Timestamp |
|---|---|---|
| 1507 | No | – |
| 1511 | No | – |
| 1607 | Yes | Set to 0 |
| 1703 | Yes | Yes |
| 1709 | No/Unconfirmed* | Unconfirmed |
| 1803 | No | – |

*I’m putting a star next to 1709 because others have seen RecentApps on this version, so maybe it’s a configuration setting? From Vico’s talk, I’m reading that 1709 was either the last version to have it, or the first version to not have it. On my Windows SIFT Workstation, which was updated from 1709 to 1903 on 27 August 2019, I can see items accessed right until the update. So my working theory is that 1709 would populate the key if it existed, but that hasn’t been tested.
At the very least, we no longer have the key. And we should only really see it for sure in 1607 and 1703, and maybe 1709.
I also don’t really know why Microsoft had it in there to begin with, and if Microsoft previously had use for the data, they probably still do but have moved it into a different location. My guess is they’ve moved it here, but that’s research for another day.