The Mystery of the HeapLeakDetection Registry Key | RAT In Mi Kitchen
I was working on a case the other day, when I first came across a rather interesting registry key, HKLM\Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications. It caught my eye, because it has sub-keys for (what appears to be) applications executed on the system. This is what it looks like on my own system:
It has quite a few sub-keys, and each one has a LastDetectionTime QWORD value, containing what appears to be a Windows FILETIME timestamp:
http://harelsegev.github.io/posts/the-mystery-of-the-heapleakdetection-registry-key/
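An added example, not part of the original post or the linked article: Python that turns the `LastDetectionTime` values under this key into a timeline sorted oldest first. It assumes, as the post suspects, that the QWORD is a Windows FILETIME (100-nanosecond ticks since 1601-01-01 UTC); the function names and sample entries are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

KEY_PATH = r"Software\Microsoft\RADAR\HeapLeakDetection\DiagnosedApplications"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: (sub-key name, LastDetectionTime); not from a real system.
SAMPLE = [
    ("newer.exe", 132539328000000000),                     # int, as winreg returns it
    ("older.exe", struct.pack("<Q", 116444736000000000)),  # raw bytes, as in an offline hive
    ("unset.exe", 0),
]

def filetime_to_utc(value):
    """Decode a QWORD given as an int or as 8 little-endian bytes; None if unusable."""
    if isinstance(value, (bytes, bytearray)):
        if len(value) != 8:
            raise ValueError("a QWORD is exactly 8 bytes")
        (value,) = struct.unpack("<Q", value)
    if value == 0:
        return None  # zero means no timestamp was recorded
    try:
        return FILETIME_EPOCH + timedelta(microseconds=value // 10)
    except OverflowError:
        return None  # value lies beyond the range datetime can represent

def build_timeline(entries):
    """Return [(utc_datetime, sub_key_name), ...] sorted oldest first."""
    rows = ((filetime_to_utc(v), name) for name, v in entries)
    return sorted((ts, name) for ts, name in rows if ts is not None)

def read_live_entries():
    """Yield (sub-key name, LastDetectionTime) from a live Windows host."""
    import winreg  # Windows-only module, imported here so the rest runs anywhere
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY_PATH) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                try:
                    yield name, winreg.QueryValueEx(sub, "LastDetectionTime")[0]
                except FileNotFoundError:
                    continue  # sub-key without the value

if __name__ == "__main__":
    for ts, name in build_timeline(SAMPLE):
        print(ts.isoformat(), name)
```

On a Windows host, `build_timeline(read_live_entries())` produces the same output from the live registry.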