Environment Variables

Evidence: Environment Variables
Description: Enumerate Environment Variables
Category: System
Platform: windows
Short Name: envvars
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Environment variables influence process behavior and can be abused for persistence or evasion. This data is essential for auditing process-scoped and registry-scoped variables.

This collector gathers structured data about environment variables.

This collector queries the current process environment and reads system and user environment values from the registry across registry views and user SIDs.

This evidence is crucial for forensic investigations to detect suspicious variables, altered paths, and injected configuration.
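
A rough equivalent of the collection described above, as an added PowerShell example; it is not the collector's own code. The helper name `Get-RegistryEnvVars`, the output property names, and the choice of the `Session Manager\Environment` and per-SID `Environment` keys are assumptions about which registry locations are meant.

```powershell
# Added example (not the collector's code). Property names are assumptions.
function Get-RegistryEnvVars {
    param(
        [Microsoft.Win32.RegistryHive]$Hive,
        [string]$SubKey,
        [string]$Scope
    )
    $views = @([Microsoft.Win32.RegistryView]::Registry64,
               [Microsoft.Win32.RegistryView]::Registry32)
    foreach ($view in $views) {
        $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($Hive, $view)
        try {
            $key = $base.OpenSubKey($SubKey)      # read-only open
            if ($null -eq $key) { continue }      # user has no Environment key
            foreach ($name in $key.GetValueNames()) {
                [pscustomobject]@{
                    Source = 'Registry'; Scope = $Scope; View = $view; Name = $name
                    Kind   = $key.GetValueKind($name)
                    # Keep REG_EXPAND_SZ data unexpanded so %VAR% references stay visible
                    Value  = $key.GetValue($name, $null,
                        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                }
            }
            $key.Dispose()
        } finally { $base.Dispose() }
    }
}

$results = @()

# 1. Environment block of the current process
$results += [Environment]::GetEnvironmentVariables().GetEnumerator() | ForEach-Object {
    [pscustomobject]@{ Source = 'Process'; Scope = "PID $PID"; View = $null
                       Name = $_.Key; Kind = $null; Value = $_.Value }
}

# 2. Machine-wide variables
$results += Get-RegistryEnvVars -Hive LocalMachine -Scope 'System' `
    -SubKey 'SYSTEM\CurrentControlSet\Control\Session Manager\Environment'

# 3. Per-user variables for every SID whose hive is loaded under HKEY_USERS
$hku = [Microsoft.Win32.RegistryKey]::OpenBaseKey(
    [Microsoft.Win32.RegistryHive]::Users, [Microsoft.Win32.RegistryView]::Default)
foreach ($sid in $hku.GetSubKeyNames() | Where-Object { $_ -notlike '*_Classes' }) {
    $results += Get-RegistryEnvVars -Hive Users -SubKey "$sid\Environment" -Scope $sid
}
$hku.Dispose()

$results | Sort-Object Scope, Name
```

Only users whose hives are currently loaded appear under `HKEY_USERS`, so this sketch does not see variables of logged-off accounts. Comparing the `Process` rows against the `Registry` rows shows which values were set only for the running process rather than persisted.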