AppPaths

Overview

Evidence: AppPaths
Description: Enumerate AppPaths
Category: System
Platform: windows
Short Name: apppaths
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The App Paths registry key allows applications to register custom search paths so they can be launched by name without specifying the full path. When a user types just the executable name (e.g., “chrome”), Windows searches the App Paths registry to find the full path.

Malware can abuse this mechanism to hijack application launches or establish persistence by registering malicious executables under legitimate application names.

Data Collected

This collector gathers structured data about apppaths.

AppPaths Data

Field	Description	Example
`KeyName`	Application executable name	chrome.exe
`KeyDefaultValue`	Default value (full path to exe)	C:\Program Files\Google\Chrome\Application\chrome.exe
`Path`	Additional search path	C:\Program Files\Google\Chrome\Application
`Username`	User account (empty for HKLM)	user or empty
`KeyPath`	Registry key path	SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\chrome.exe
`LastWriteTime`	Registry key last write time	2023-10-15T14:30:00
`RegPath`	Path to registry hive	Registry/SOFTWARE or Registry/ntuser.dat

Collection Method

This collector searches both machine and user registry locations:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*
HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\*

For each application, it reads:

Default value (full executable path)
Path value (additional search path)
Registry key last write time

Forensic Value

App Paths can reveal application installations and detect persistence mechanisms. Investigators use this data to identify registered applications, detect application hijacking, track custom executable paths, identify persistence mechanisms, verify application locations, and detect malware masquerading as legitimate applications.