`cit.cit`¶

$ target-query <path/to/target> -f cit.cit

Details¶
Module	`dissect.target.plugins.os.windows.regf.cit.CITPlugin`
Output	`records`

Module documentation

Plugin that parses CIT data from the registry.

References:

https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/

Function documentation

Return CIT data from the registry for executed executable information.

CIT data is stored at HKLMSoftwareMicrosoftWindows NTCurrentVersionAppCompatFlagsCITSystem. It’s supposedly application usage data that has yet-to-be flushed to the amcache.

Some of its values are still unknown. Generally only available before Windows 10.

cit.cit¶

`cit.cit`¶