This guide continues our ongoing series exploring Windows digital artefacts and their practical value during an investigation. Here, we turn our attention to the specific set of files located under the root path %ProgramData% (commonly C:\ProgramData\) and its subfolders. Unlike standard user profile folders, this directory typically houses system-wide data, shared application configurations, and background service caches that apply to the system as a whole. For investigators, this path offers a system-level perspective. Analyzing it can uncover historical activity, revealing events from background file transfers and software installations to Wi-Fi connections and security tool detections.

Technical Notes

Several of the databases in this directory are held open by system services. Forensically sound acquisition typically requires collecting them from a disk image or using a shadow copy (VSS) mechanism. In this article, %ProgramData% and C:\ProgramData\ will be used interchangeably; when analyzing a live system, we recommend initially deriving the physical path of the ProgramData folder by resolving the corresponding environment variable. Both methods are supported in Elcomsoft Quick Triage.

BITS Queue Manager Database (QMGR)

Background Intelligent Transfer Service (BITS) is a service used by legitimate components to asynchronously transfer large files with minimal user disruption. BITS maintains its job, file, and state data in a local queue manager database located under C:\ProgramData\Microsoft\Network\Downloader\.

On Windows 10 and later, the queue is typically stored as an ESE database (for example, qmgr.db) with accompanying log files; older systems commonly used qmgr0.dat / qmgr1.dat.

From an investigative perspective, this database holds high forensic value because it preserves a system-managed record of transfer intent and metadata. Parsing or carving this database can reveal:

• Source URLs and destination paths.
• Job names, descriptions, and user SIDs associated with the jobs.
• The presence of suspicious notification commands that execute upon job completion.
• Deleted jobs recovered from slack space or transaction logs.

Cross-correlation: To establish a verifiable timeline and confirm if a transfer actually occurred, correlate the QMGR data with the Microsoft-Windows-Bits-Client/Operational event log (Background Intelligent Transfer Service – Win32 apps | Microsoft Learn).

Windows Search Database

Windows Search Indexer accelerates local searches by maintaining an on-disk index of selected content sources, saved by default under C:\ProgramData\Microsoft\Search\Data\Applications\Windows\. Forensically, this index acts as a secondary catalogue of what the system considered searchable. It provides investigators with indexed file metadata, limited file contents, and traces of user activity or URLs.

Cross-correlation: Because “indexed” does not guarantee “executed,” cross-correlate this database with file-system timeline artefacts, application logs, or endpoint telemetry to defensibly confirm a file’s presence, access, and timing.

Windows Error Reporting (WER) Store

Windows Error Reporting gathers information about hardware and software faults, storing pending and archived reports on disk under C:\ProgramData\Microsoft\Windows\WER\.

While primarily about crashes, WER yields strong execution-adjacent signals. A report directory containing an AppCrash_* pattern and a Report.wer file is strong evidence that a given executable ran and faulted on the system. It typically includes timestamps, executable identifiers, and contextual strings about the failing module.

Cross-correlation: To establish causality, correlate WER artefacts with Application event log entries (such as “Application Error”) and any logs specific to the crashing process.

Microsoft Defender Artefacts

The following artefacts are produced by Microsoft Defender. Analyzing these files reveals threat detection history.

Microsoft Defender Antivirus Detection History

When Defender’s real-time protection detects and blocks or remediates threats, it creates DetectionHistory records under C:\ProgramData\Microsoft\Windows Defender\Scans\History\Service\DetectionHistory\.

These files offer host-native security telemetry. They contain data about detections, including the threat name, malicious file location, detection timestamp, cryptographic hashes, and (depending on the detection) initiating or associated process information.

Cross-correlation: Validate these findings by correlating them with the Microsoft-Windows-Windows Defender/Operational event log, which provides canonical event IDs for malware detection and configuration changes.

Microsoft Defender Antivirus Quarantine

Defender stores encrypted quarantine metadata and quarantined file contents under C:\ProgramData\Microsoft\Windows Defender\Quarantine\.

Quarantine contents typically preserve the quarantined payload alongside structured metadata, stored in Defender’s encrypted quarantine container format. This can allow for file recovery and deeper analysis even if the primary event logs have been cleared, though availability may depend on retention and cleanup policies.

Cross-correlation: Cross-correlate quarantine data with DetectionHistory to understand the user-facing narrative, and with Defender Operational event logs to confirm timing and remediation steps.

Microsoft Defender Support Logs

Defender generates plaintext troubleshooting logs (MPLog-*.log) and support archives under C:\ProgramData\Microsoft\Windows Defender\Support\.

These logs can carry surprisingly rich historical evidence of process execution, detected threats, scan results, and file existence. They commonly use UTC timestamps and can help identify process execution and file access during an incident.

Cross-correlation: Correlate MPLog observations with Defender Operational events and with DetectionHistory or quarantine evidence.

Wi-Fi Profile XMLs

Windows stores Wi-Fi profiles as XML files under C:\ProgramData\Microsoft\Wlansvc\Profiles\Interfaces\{GUID}\.

These XMLs provide a reliable inventory of Wi-Fi networks configured on the device, frequently revealing SSIDs, authentication types, and encryption parameters. This is useful for supporting hypotheses about physical movement or corporate network access.

Cross-correlation: To determine when connections actually occurred, cross-correlate these profiles with Wi-Fi session evidence in the WLAN-AutoConfig event logs.

Wireless Network Report HTML

Generated manually via the command line netsh wlan show wlanreport, this HTML report summarizes Wi-Fi events for the past three days and is typically saved at C:\ProgramData\Microsoft\Windows\WlanReport\wlan-report-latest.html.

When present, it offers a human-readable timeline of connection sessions, disconnect reasons, and related adapter context. Analyze the wireless network report – Microsoft Support

Cross-correlation: Treat the report as a convenient aggregation and corroborate specific connect or disconnect timestamps with the underlying system logs it summarizes.

Local Group Policy cache (History)

To manage the removal of policies that no longer apply, Windows maintains a per-machine local Group Policy cache under C:\ProgramData\Microsoft\Group Policy\History.

This cache can help demonstrate that specific preference-based actions (like creating or deleting configuration objects) were applied to the endpoint, which is useful when domain-side evidence is missing.

Cross-correlation: Correlate this cache with Group Policy operational logs and Registry or application-state evidence to support conclusions about the lasting effects of the preference items.

StateRepository-Machine.srd

Located under C:\ProgramData\Microsoft\Windows\AppRepository\, this database records the state of installed modern applications.

This artefact supports software inventory tasks, revealing what Store or UWP packages were present. It logs apps currently installed, apps installed but never launched, and preinstalled apps.

Cross-correlation: To confirm exactly when an app was installed and who installed it, cross-correlate with Registry mappings of user IDs and relevant deployment event logs.

All-Users Start Menu Programs and Startup Folder

Windows maintains common Start Menu and Startup paths under C:\ProgramData\Microsoft\Windows\Start Menu\Programs and  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup correspondingly.

The Startup folder is a frequent persistence location, executing its contents at user logon. Note that this is only one of many autorun and persistence surfaces; interpret findings as part of a broader autoruns review. Analyzing the LNK (shortcut) files found here allows investigators to:

• Detect malware persistence.
• Recover historical information, even for deleted targets or network shares.
• Use internal LNK timestamps and volume info to tie execution to specific devices.

Cross-correlation: Supplement shortcut analysis by correlating with Registry-based autoruns and file creation or auditing event logs.

OpenSSH Server Configuration

When enabled, the OpenSSH Server reads its configuration from C:\ProgramData\ssh\sshd_config.

The presence of this configuration file indicates OpenSSH Server may be installed and/or configured on the host, which can be relevant to remote-access and lateral-movement investigations. Confirm operational status by checking the sshd service state (installed/start type/running) and related configuration. The file reveals authentication settings and allowed users.

Cross-correlation: Correlate with service installation state, firewall rules, and authentication logs to build a complete access narrative.

Noisy and Low-Signal Artefacts

We filtered out certain C:\ProgramData artefacts from our primary analysis because they tend to be high-churn, diagnostic in nature, or too ambiguous without substantial auxiliary context. These are primarily relevant for general troubleshooting rather than reconstructing adversary or user behavior.

Update Session Orchestrator ETL Logs

Found under C:\ProgramData\USOShared\Logs\, these event trace logs are produced for Windows update orchestration diagnostics. They are too voluminous for targeted triage and mostly contain routine OS update activity.

DeviceMetadataCache

Located at C:\ProgramData\Microsoft\Windows\DeviceMetadataCache\, this directory caches OS device metadata packages. It is a benign maintenance cache with low forensic relevance.

Delivery Optimization Caches

These files assist with update distribution. They represent routine, noisy background updates and are weakly attributable to specific user actions.

Microsoft Defender Platform/Engine Folders

Found under C:\ProgramData\Microsoft\Windows Defender\Platform\, these directories contain frequent signature and engine updates. They are too volatile and weakly tied to discrete actions compared to other primary Defender artefacts.

Third-Party Application Data

While extensive third-party data exists in C:\ProgramData\, these artefacts are product-specific and not reliably generalizable across standard Windows systems, making them exceptionally noisy without knowing the exact software inventory.

Conclusion

As explored in this guide, the C:\ProgramData directory contains high-signal artefacts that provide a crucial, system-level perspective during an investigation. From uncovering background transfer intent and host-native security telemetry to reconstructing connection timelines, this path offers a reliable inventory of what happened on a specific endpoint.

However, even the best forensic tools won’t make investigative decisions for you. Parsers can organize data, but interpreting intent, building a clean timeline, and supporting attribution still takes an investigator applying informed judgment. To streamline collection and save time for analysis, consider using Elcomsoft Quick Triage to collect relevant artefacts from live systems, disk images, or mounted volumes.

We are grateful to the members of the forensic community whose research continues to drive the industry forward:

1. Windows Search database (artifacts.help)
2. Attacker Use Background Intelligent Transfer Service (BITS) (Google Cloud Blog)
3. Windows Error Reporting – Win32 apps (Microsoft Learn)
4. Uncovering Windows Defender Real-time Protection History with DHParser (SANS Alumni Blog)
5. Microsoft Defender Antivirus event IDs and error codes (Microsoft Learn)
6. Reverse, Reveal, Recover: Windows Defender Quarantine Forensics (NCC Group)
7. How to Use MPLogs for Forensic Investigations (CrowdStrike)
8. Analyze the wireless network report (Microsoft Support)
9. “All Installed Apps” Artifact – Windows 10 Forensics, (Boncaldo’s Forensics Blog)
10. Boot or Logon Autostart Execution: Registry Run Keys (MITRE ATT&CK)
11. The Missing LNK – Correlating User Search LNK files (Google Cloud Blog)