
PowerToys for Windows DFIR and Malware Analysis

  • malwr4n6
  • Mar 29
  • 3 min read

Updated: Mar 30




Background:


Although I do not work with Windows nowadays, I had been exploring the new features of Windows 11 earlier, and PowerToys caught my attention. I found it very useful because it provides features that are missing from Windows 11 and for which I previously had to download third-party tools, such as image resizing and Peek. Several of these PowerToys utilities are also useful for Windows DFIR and malware analysis.



Windows PowerToys:


Microsoft PowerToys is a set of utilities for power users to tune and streamline their Windows experience for greater productivity.


  • Purpose: Designed for productivity and customization on Windows, not specifically for forensic or incident response tasks.

  • Capabilities: Tools like PowerRename, Text Extractor, and File Explorer Add-ons can be creatively repurposed for organizing files, extracting text, or previewing evidence, but they lack specialized forensic features.

  • Ease of Use: User-friendly and lightweight, making them accessible for general tasks but not tailored for in-depth forensic investigations.


Fig 1. PowerToys UI

Prerequisites for PowerToys:


  • Operating System: Windows 10 (version 2004, build 19041, or newer) and Windows 11


  • System Architecture: x64 or ARM64 processors are supported



How to install PowerToys?


There are 3 ways to install PowerToys:


  1. From GitHub

  2. From Microsoft Store

  3. via Winget CLI


Refer to this article: here
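The winget route is the one that scripts well on an analysis box. The following is an added PowerShell example, not from the original post or the PowerToys project: it installs PowerToys with winget and then confirms that the installed binary carries a valid Microsoft Authenticode signature before you trust it on an evidence-handling machine. The two install locations are assumptions for the default per-machine and per-user installers.

```powershell
# Added example: install PowerToys via winget and verify the installed binary's
# Authenticode signature. Install paths below are assumptions for the default
# per-machine and per-user installers; adjust if you used a custom location.
winget install --id Microsoft.PowerToys --exact --source winget --scope machine
if ($LASTEXITCODE -ne 0) {
    # winget also returns non-zero when the package is already current, so warn rather than abort
    Write-Warning "winget exited with code $LASTEXITCODE (already installed, or install failed)"
}

$candidates = @(
    (Join-Path $env:ProgramFiles 'PowerToys\PowerToys.exe'),   # assumed per-machine path
    (Join-Path $env:LOCALAPPDATA 'PowerToys\PowerToys.exe')    # assumed per-user path
)
$exe = $candidates | Where-Object { Test-Path $_ } | Select-Object -First 1
if (-not $exe) { throw 'PowerToys.exe not found in the expected locations' }

$sig = Get-AuthenticodeSignature -FilePath $exe
# Refuse to run an unsigned, tampered or unexpectedly signed binary on an analysis host.
if ($sig.Status -ne 'Valid' -or $sig.SignerCertificate.Subject -notmatch 'Microsoft Corporation') {
    throw "unexpected signature on ${exe}: status=$($sig.Status) signer=$($sig.SignerCertificate.Subject)"
}
"$exe is signed by $($sig.SignerCertificate.Subject)"
"product version: $((Get-Item $exe).VersionInfo.ProductVersion)"
```

The signature check is the part worth keeping: a GitHub release or Store package is fine, but whatever path the binary took onto the machine, `Get-AuthenticodeSignature` tells you whether what is on disk is still what Microsoft signed.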


Which PowerToys can be used for Windows DFIR & Malware Analysis?


  1. Peek

A system-wide utility for Windows to preview file content without the need to open multiple applications or interrupt your workflow. It offers a seamless and quick file preview experience for various file types, including images, Office documents, web pages, Markdown files, text files, and developer files.


Fig 2. Peek UI

Peek Pros:


  • Inspired by the macOS Quick Look feature (select a file, press Space, and a preview appears)

  • Lets you peek into files without opening them!

    • Very useful during investigations, so that you don't accidentally double-click a suspicious or malicious file :)

    • Caveat: a preview still hands the file to a parser (an image decoder, an HTML renderer for web pages and Markdown, a document renderer), so it lowers the risk of an accidental double-click but does not make the file inert. Preview evidence inside an isolated analysis VM, as with any other handling of a suspicious sample.


      Fig 3. Peek Preview of a txt file

  • Shortcut to invoke Peek can be customized

    • By default it is Ctrl + Space


Peek Cons:


  • None observed



  2. Registry Preview

PowerToys Registry Preview simplifies the process of visualizing and editing Windows Registry files (.reg exports). It shows the file's text beside a key tree built from its contents, and it can also write the contents of the file into the live Windows Registry. Note that it opens .reg text files, not binary hive files such as NTUSER.DAT or SYSTEM; hives collected from another machine need a dedicated hive parser.

Fig 4. Registry Preview UI

Fig 5. Reviewing Windows Registry using Registry Preview

Registry Preview Pros:


  • A clearer UI for reviewing exported .reg files than the default Registry Editor, with the file text and the resulting key tree side by side

  • Opens the file without touching the live registry; nothing is written unless you explicitly choose to write the file to the registry, so you don't make unintended changes.

    • When the .reg file is evidence collected from another host, never write it into your own registry: that would merge attacker-controlled entries (persistence keys, for example) into your analysis machine.

  • Can also be used as an editor for .reg files



Registry Preview Cons:


  • Lacks the navigation available in Registry Editor (such as an address bar or jumping to a key by path)

    • You can only browse the key tree built from the opened file

  • Refuses .reg files larger than 10 MB, so a full-hive export (for example all of HKLM\SYSTEM) will not open; export only the subkeys you need instead

Fig 6. Registry Preview Error
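To stay under the 10 MB limit, export the specific keys you need from the live system instead of a whole hive, and check the size before opening the result in Registry Preview. This is an added PowerShell example, not part of the original post or the PowerToys project; the key list (common autostart locations) and the output directory are assumptions for illustration.

```powershell
# Added example: export targeted registry keys to .reg files sized for Registry Preview.
# The key list and output directory are assumptions; adjust them for your case.
$outDir = Join-Path $env:USERPROFILE 'Desktop\reg-exports'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$keys = @(
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM\SYSTEM\CurrentControlSet\Services'      # large; may exceed the limit on a busy host
)

$limitMB = 10   # Registry Preview refuses files above this size (see Fig 6)

foreach ($key in $keys) {
    # Build a file name from the key path, e.g. HKLM_SOFTWARE_Microsoft_..._Run.reg
    $file = Join-Path $outDir (($key -replace '[\\:]', '_') + '.reg')

    # reg.exe writes a UTF-16LE .reg file that Registry Preview can open; /y overwrites silently
    & reg.exe export $key $file /y 2>&1 | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "export failed for $key (missing key or insufficient rights)"
        continue
    }

    $sizeMB = (Get-Item $file).Length / 1MB
    if ($sizeMB -gt $limitMB) {
        Write-Warning ('{0}: {1:N1} MB exceeds the {2} MB limit; export narrower subkeys' -f $file, $sizeMB, $limitMB)
    } else {
        Write-Output ('{0}: {1:N1} MB, OK for Registry Preview' -f $file, $sizeMB)
    }
}
```

Run it from an elevated prompt so the HKLM exports succeed. Keep the exported files as read-only evidence: review them in Registry Preview, but do not use its write-to-registry action on them.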


  3. File Locksmith


File Locksmith is a Windows shell extension for checking which files are in use and by which processes.


Fig 7. File Locksmith UI

Fig 8. Opening File Locksmith using Options

Fig 9. Output of File being used by a Process/Application

File Locksmith Pros:


  • Useful during malware analysis to see which process holds a handle to a file of interest (a dropped payload, a staging file, or your own tools and notes). Use its own "restart as administrator" option to also see handles held by elevated processes.


File Locksmith Cons:


  • Shows usage only for applications that keep the file open, such as Word, Notepad++ or VLC

    • If native applications like Notepad, File Explorer or Edge are used to open a file, it shows no result. This is consistent with how File Locksmith works: it lists open handles, so a program that reads the file and closes it immediately leaves nothing to report.

  • No continuous monitoring: the result is a snapshot of the handles open at the moment you ask

    • If a file is opened by one process and later by another, the list only reflects what held the file when you ran the query; to see the history you need Process Monitor or repeated polling
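The two limitations above (no native-app results, no history) both come from File Locksmith being a one-shot handle query. The following added PowerShell example, not part of PowerToys or the original post, polls Sysinternals handle64.exe (assumed to be on PATH and run from an elevated prompt so handles in other users' processes are visible) and records every process seen holding the watched file open over a time window. The sample output line in the comments is constructed from handle's documented output format.

```powershell
# Added example: poll handle64.exe to build a timeline of which processes hold a file open.
# Assumes Sysinternals handle64.exe is on PATH and the prompt is elevated.
function Watch-FileHandles {
    param(
        [Parameter(Mandatory)] [string] $Path,   # file to watch, e.g. C:\samples\dropped.dll (assumed path)
        [int] $Seconds    = 60,                  # how long to watch
        [int] $IntervalMs = 1000                 # poll interval
    )
    $seen = @{}
    $stop = (Get-Date).AddSeconds($Seconds)
    while ((Get-Date) -lt $stop) {
        # -nobanner/-accepteula keep the output to handle lines only; -u adds the owning
        # user; the final argument is a case-insensitive substring match on the object name.
        $lines = & handle64.exe -nobanner -accepteula -u $Path 2>$null
        foreach ($line in $lines) {
            # Constructed example of the line shape being parsed:
            # notepad++.exe   pid: 18244  DESKTOP\bob  type: File   388: C:\samples\dropped.dll
            # The user column is optional so the regex also works without -u.
            if ($line -match '^(?<proc>\S+)\s+pid:\s+(?<pid>\d+)\s+(?:(?<user>.+?)\s+)?type:\s+File\s+[0-9A-Fa-f]+:\s+(?<file>.+)$') {
                $key = '{0}|{1}' -f $Matches.pid, $Matches.file
                if (-not $seen.ContainsKey($key)) {
                    $seen[$key] = [pscustomobject]@{
                        FirstSeen = Get-Date
                        Process   = $Matches.proc
                        Pid       = [int]$Matches.pid
                        User      = $Matches.user
                        File      = $Matches.file
                    }
                    Write-Host ('{0:HH:mm:ss}  {1} (pid {2}, {3}) holds {4}' -f `
                        $seen[$key].FirstSeen, $Matches.proc, $Matches.pid, $Matches.user, $Matches.file)
                }
            }
        }
        Start-Sleep -Milliseconds $IntervalMs
    }
    # Return the records so they can go straight into the case notes
    $seen.Values
}

# Usage: watch a dropped file for two minutes while the sample runs, keep the result as CSV
Watch-FileHandles -Path 'C:\samples\dropped.dll' -Seconds 120 | Export-Csv .\handles.csv -NoTypeInformation
```

Polling narrows the gap but does not close it: a process that opens and closes the file between two polls is still missed, which is exactly the Notepad and Edge case above. For that, Process Monitor's file system events are the right tool; the loop here is for the cheap case of watching a handle appear while a sample runs.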




Conclusion:


PowerToys brings powerful and missing features to Windows. However, these are limited as of now and designed for different use cases. Since the project is open source, I am confident that in the future there will be many tools and utilities designed for DFIR and malware analysis use cases!


PowerToys Pros:


  • Custom utilities can be designed for different use cases

  • It is open source and free!


PowerToys Cons:


  • Lacks capabilities that are critical in DFIR, such as:

    • Memory Analysis

    • Disk Imaging

    • Network traffic analysis.


©2025 by malwr4n6.
