Windows Locations that should be wiped regularly

DataMine
by DataMine · 7 posts
13 years ago in Trackers
Posted 13 years ago · Author
The following is a list of locations in the Windows operating system that contain data that could be datamined. This data could be used to identify you, track your web browsing habits or as evidence against you in a court of law.

If you're a h4c|<7r, someone who shares a computer or simply someone who likes to keep their computer activity as secret as you can (Like Me) then these are all the places THAT I KNOW OF that should be wiped/cleaned regularly. This is just my personal list, you may not agree with all the locations on here.

Please inform me if you know of any that aren't on this list.

NOTE: Replace %User% with your username.
NOTE: Some locations require hidden and/or system files to be shown.
NOTE: Not all of these locations will exist on your machine. Some are Operating System/Program specific.

WINDOWS Directories:
Code
C:\Users\%User%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\
C:\Users\%User%\AppData\Local\Temp
C:\Users\%User%\Local Settings\Application Data
C:\Windows\Downloaded Installations
C:\Windows\Downloaded Program Files
C:\Windows\Minidump
C:\Windows\Offline Web Pages
C:\ProgramData\TEMP
C:\Users\%User%\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content
C:\Users\%User%\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData
C:\Users\%User%\AppData\Roaming\Microsoft\Windows\IETldCache
C:\Users\%User%\AppData\Roaming\Microsoft\Windows\IETldCache\Low
C:\Users\%User%\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\%User%\AppData\Roaming\Microsoft\Windows\PrivacIE
C:\Users\%User%\AppData\Roaming\Microsoft\Windows\PrivacIE\Low
C:\Users\%User%\AppData\Roaming\Microsoft\Windows\Recent
C:\Users\%User%\AppData\Roaming\Microsoft\Windows\Cookies
C:\Users\%User%\AppData\Roaming\Microsoft\Windows\Cookies\Low
C:\Users\%User%\AppData\Roaming\Microsoft\Installer
C:\Windows\System32\winevt\Logs


Program Directories (I'm only listing common programs here for obvious reasons):
Code
C:\Users\%User%\AppData\Roaming\Macromedia\Flash Player\#SharedObjects
C:\Users\%User%\AppData\Roaming\Macromedia\Flash Player\#Security\FlashPlayerTrust
C:\Users\%User%\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer
C:\Users\%User%\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
C:\Users\%User%\AppData\Local\Mozilla\Firefox\Profiles\%randomtext%.default\Cache
C:\Users\%User%\AppData\Local\Mozilla\Firefox\Profiles\%randomtext%.default\OfflineCache
C:\Users\%User%\AppData\LocalLow\Google\GoogleEarth\unified_cache_leveldb_leveldb2.0
C:\Users\%User%\AppData\LocalLow\Google\GoogleEarth\webdata
C:\Users\%User%\Local Settings\Application Data\uTorrent
C:\Users\%User%\AppData\Local\Google\Chrome\User Data\Default\Cache
C:\Users\%User%\AppData\Local\Google\Chrome\User Data\Default\Local Storage
C:\Users\%User%\AppData\Local\Google\Chrome\User Data\Default\Media Cache
C:\Users\%User%\VirtualBox VMs\%VB Name%\Logs
C:\Users\%User%\.VirtualBox
C:\Users\%User%\AppData\Roaming\vlc
C:\Users\%User%\AppData\Roaming\TeamViewer


Registry:
Code
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Tracing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_USERS\S-1-5-21-2332283452-147776971-1831614771-1001\Software
HKEY_USERS\S-1-5-21-3408048165-1105630455-3366598313-1000\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
HKEY_USERS\S-1-5-21-1758859007-1566879960-3248784662-1001\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

Description: Stores a list of programs that have a file association (IE: Open with..)
Location: HKEY_CLASSES_ROOT\Applications\

Description: Items recently run from the "Run" bar
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
Why you care: Useful to know what the person is running using the Windows Run bar, but in Vista and Windows 7 lots of folks use "Search programs and files" text box, which does not show up in this registry key.

Description: ComDlg32 recently opened/saved files
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU
Why you care: This key has sub keys by file extension that can let you know what people have been opening/saving to when the common file save/open dialog comes up. Values are in HEX, but readable if you open them in ASCII view.

Description: ComDlg32 recently opened/saved folders
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRULegacy
Why you care: Much like the entry above, but the last folders. Values are in HEX, but readable if you open them in ASCII view.

Description: Recent Docs
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
Why you care: It can be quite useful to know what files have been opened recently.

Description: EXE to main window title cache
Location: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Location: HKEY_USERS\S-1-5-21-2332283452-147776971-1831614771-1001_Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\MUICache
Why you care: Once again, it's useful to know what folks are running on a system.

Description: User Assist
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Why you care: This key is supposed to contain information about programs and shortcuts accessed by the Windows GUI, including execution count and the date of last execution, but the way it's stored is less than obvious.

Description: Last logged on user
Location: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Why you care: Lets you know who logged in last, and may also give you a user name to attack if you're a pen-tester.

Description: Last key edited by RegEdit
Location: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
Why you care: Can be useful to know if the user was tweaking the registry for some purpose.

Description: List of Installed USB devices, both connected and unconnected
Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USB
Why you care: It can be useful to know what USB devices have been connected to a box, and even the vendor and serial number of the device in some cases.

Description: Internet Explorer Forms AutoComplete
Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage1
Why you care: This registry key stores autocomplete information for IE, but in an obfuscated form.

Description: Internet Explorer Password AutoComplete
Location: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
Why you care: This registry key stores autocomplete password information for IE, but in an obfuscated form.

Description: Virtual Clone Drive Recently Mounted Files List.
Location: HKEY_USERS\S-1-5-21-3408048165-1105630455-3366598313-1000\Software\Elaborate Bytes\VirtualCloneDrive\LRU

Description: Stores recently used files with WinRar
Location: HKEY_CURRENT_USER\Software\WinRAR\ArcHistory
Location: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ArcName
Location: HKEY_CURRENT_USER\Software\WinRAR\DialogEditHistory\ExtrPath
Location: HKEY_CURRENT_USER\Software\WinRAR\General

Description: Stores the recently accessed repository urls
Location: HKEY_CURRENT_USER\Software\TortoiseSVN\History

Description: Displays files opened in Illustrator
Location: HKEY_USERS\S-1-5-21-1160337894-4029435180-3047771225-1001\Software\Adobe\MediaBrowser\MRU\illustrator\FileList

Description: Displays files opened in Photoshop
Location: HKEY_USERS\S-1-5-21-1160337894-4029435180-3047771225-1001\Software\Adobe\MediaBrowser\MRU\Photoshop\FileList

Description: Stores the last recorded file
Location: HKEY_USERS\S-1-5-21-1160337894-4029435180-3047771225-1001\Software\BANDISOFT\BANDICAM\OPTION
Key: sLatestRecordingFile
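
The UserAssist entry in the post above says the storage format is "less than obvious". As an added example (not part of the original post), this Python sketch decodes one entry the way a forensic examiner would, assuming the commonly documented format: ROT13-encoded value names and the 72-byte value data layout of Windows 7 and later. The sample name and data are constructed, not taken from a real machine.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample: ROT13 of C:\Tools\example.exe, run 7 times,
# focused 3 times for 45 s, last run 2012-01-01 00:00:00 UTC.
SAMPLE_NAME = r"P:\Gbbyf\rknzcyr.rkr"
SAMPLE_DATA = struct.pack("<IIII44xQ4x", 0, 7, 3, 45000, 129698496000000000)


def decode_userassist_name(value_name: str) -> str:
    """Value names are ROT13; digits and punctuation pass through unchanged."""
    return codecs.decode(value_name, "rot_13")


def parse_userassist_data(data: bytes) -> dict:
    """Parse the 72-byte value data (assumed Windows 7+ layout)."""
    if len(data) != 72:
        raise ValueError(f"expected 72 bytes, got {len(data)}")
    # Offsets 4, 8, 12: run count, focus count, focus time in ms.
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    # Offset 60: last execution time as a 64-bit FILETIME.
    (filetime,) = struct.unpack_from("<Q", data, 60)
    last_run = None
    if filetime:  # zero means the entry was never executed
        last_run = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_ms": focus_ms,
        "last_run": last_run,
    }


def decode_entry(value_name: str, data: bytes) -> dict:
    """Combine the decoded name with the parsed counters."""
    entry = parse_userassist_data(data)
    entry["program"] = decode_userassist_name(value_name)
    return entry


if __name__ == "__main__":
    print(decode_entry(SAMPLE_NAME, SAMPLE_DATA))
```
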
Posted 13 years ago · Author
4D0e5a8d5Lo4c8k5Inc2 wrote:
Very helpful DM but you also forgot


Registry Errors



Feel free to list some locations and/or more info..
Posted 13 years ago
Sure when I get the time I'll write up something :3 and give you it <3 I mean credit is yours :3 I don't like taking stuff from people o.o I just like to help out :3
Posted 12 years ago · Author
4D0e5a8d5Lo4c8k5Inc2 wrote:
Sure when I get the time I'll write up something :3 and give you it <3 I mean credit is yours :3 I don't like taking stuff from people o.o I just like to help out :3


I welcome more content to my threads as long as it is accurate.
Posted 11 years ago
I'll start to wipe normally, idk about scripting or what programs to use for scripting :S
Posted 11 years ago · Author
Added more Windows Directories, Program Directories and Registry Locations to the original post.
