F049 · MEDIUM · Inconclusive · validator: passed
Setup completion script execution artifact (Persistence / Execution via Boot Scripts)
C:\Windows\Setup\Scripts\SetupComplete.cmd
Analyst narrative
AppCompatCache record of C:\Windows\Setup\Scripts\SetupComplete.cmd marked Executed=Yes. Setup completion scripts execute with SYSTEM privileges during Windows setup and can persist across reboots. Candidate cand-0103. Fact_ids: appcompatcache_execution_fact-0000206, appcompatcache_execution_fact-0000453.
Claims asserted
path | C:\Windows\Setup\Scripts\SetupComplete.cmd | run_appcompatcacheparser
Proof chain · 2 facts
Every confirmed claim links by foreign key to the typed fact that validated it, and to the forensic tool that produced that fact. This is one finding_trace() query.
Fact 1 · appcompatcache execution fact
Fact key: appcompatcache:sysvol/windows/setup/scripts/setupcomplete.cmd
Produced by: run_appcompatcacheparser
Raw tool output · 4b4434c0d8c7be26a8e469b47ab96f4e35c7f515
{"ControlSet": "1", "CacheEntryPosition": "206", "Path": "SYSVOL\\Windows\\Setup\\Scripts\\SetupComplete.cmd", "LastModifiedTimeUTC": "2018-03-14 20:48:41", "Executed": "No", "Duplicate": "False", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}

Fact 2 · appcompatcache execution fact
Fact key: appcompatcache:sysvol/windows/setup/scripts/setupcomplete.cmd
Produced by: run_appcompatcacheparser
Raw tool output · cadee56bfe347fc7b9fa44fc7b5acfa1c797b5e3
{"ControlSet": "2", "CacheEntryPosition": "206", "Path": "SYSVOL\\Windows\\Setup\\Scripts\\SetupComplete.cmd", "LastModifiedTimeUTC": "2018-03-14 20:48:41", "Executed": "No", "Duplicate": "True", "SourceFile": "/tmp/sift-onboard-mnt/rd01-case/Windows/System32/config/SYSTEM"}

Source tools
run_appcompatcacheparser