
# CapabilityAccessManager

The Windows 10 (version 1903 and above) operating system includes mechanisms to record the application use of sensitive resources such as the microphone, camera, and other application-specific settings. This feature is part of the privacy management system designed to give users control over which applications can access their device's hardware and information. For digital forensic analysts, this data provides insights into the applications that have accessed these resources, including the timestamps of access, thereby offering clues about application behavior and user interaction with their device.

The tracking of application access to resources like the microphone and camera is managed through the Capability Access Manager in the Windows Registry. This system keeps records of both packaged applications (Microsoft Store applications) and non-packaged applications (traditional desktop applications), together with their permissions to access specific system capabilities.

## Key Insights

* **Registry Locations**:
  * For all users: `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore`
  * For individual users: `HKU\<User_SID>\Software\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore`

In these locations, Windows keeps track of application permissions and access history, including the last time an application started and stopped using a resource (e.g., microphone, camera).

* **Data Stored**:
  * **LastUsedTimeStart**: The timestamp when an application last started using a specific resource.
  * **LastUsedTimeStop**: The timestamp when the application stopped using the resource.

This data is particularly useful for investigations as it provides concrete evidence of when specific capabilities were accessed, which can be correlated with other activities on the system to build a timeline or identify suspicious behavior.

* **The `NonPackaged` Key**:
  * This key within the `ConsentStore` registry path is crucial for identifying non-Microsoft (third-party) applications' access to system resources. It helps forensic analysts distinguish between applications installed from the Microsoft Store and those installed from other sources.

## Analyzing Application Use of Resources

To analyze the use of resources like the microphone and camera, a forensic analyst would navigate to the aforementioned registry paths using the Registry Editor or command-line tools. For a more comprehensive forensic analysis, specialized software that can interpret and present registry data in an easily understandable format is preferred.

**Example Command to Query Resource Use**:

```powershell
# /s recurses into the per-application subkeys, which is where the
# LastUsedTimeStart / LastUsedTimeStop values are stored
reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone /s
```

This command would list the permissions and last access times for applications that requested access to the microphone. Similar commands can be used for other resources by replacing `microphone` with the relevant resource name, such as `camera`.

* **Understanding the Outputs**:
  * **Application Identifiers**: Each entry will be associated with an application identifier, which can be used to track down the application in question.
  * **Timestamps**: The `LastUsedTimeStart` and `LastUsedTimeStop` provide a window of time during which the resource was accessed, aiding in timeline reconstruction.
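The following script is an added example, not part of the handbook, that ties the registry layout from the Key Insights section to the output of the `reg query` command above. It parses a constructed sample of recursive `reg query` output for the `microphone` capability, separates packaged entries from `NonPackaged` ones, and converts the `LastUsedTimeStart` / `LastUsedTimeStop` values into UTC datetimes. The sample application names and paths are constructed; the timestamp values are `REG_QWORD` Windows FILETIMEs (100 ns ticks since 1601-01-01 UTC), and under `NonPackaged` the subkey name is the executable path with backslashes replaced by `#`. Treating a `LastUsedTimeStop` of 0 as "no stop recorded" is an assumption made here.

```python
"""Parse recursive `reg query` output for a ConsentStore capability key and
build a per-application access timeline (added example, constructed data)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `reg query HKLM\...\ConsentStore\microphone /s` output:
# one packaged (Store) app and one NonPackaged desktop app. The hex values are
# REG_QWORD Windows FILETIMEs; 0x1da3c457689c000 is 2024-01-01T00:00:00Z.
SAMPLE_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone
    Value    REG_SZ    Allow

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\Contoso.VoiceNotes_abcdefghijklm
    LastUsedTimeStart    REG_QWORD    0x1da3c457689c000
    LastUsedTimeStop    REG_QWORD    0x1da3c457984b080

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged
    Value    REG_SZ    Allow

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\CapabilityAccessManager\ConsentStore\microphone\NonPackaged\C:#Program Files#ExampleVendor#meeting.exe
    LastUsedTimeStart    REG_QWORD    0x1da3c457984b080
    LastUsedTimeStop    REG_QWORD    0x0
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# reg query prints values as: <indent>Name<spaces>REG_TYPE<spaces>Data
VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


def filetime_to_utc(ticks):
    """Convert FILETIME ticks (100 ns since 1601-01-01) to an aware UTC datetime.
    A value of 0 is treated as 'not set' (assumption) and returns None."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_reg_query(text):
    """Return {key_path: {value_name: data}}; REG_QWORD data is decoded to int."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            keys[current] = {}
        elif current is not None:
            m = VALUE_RE.match(line)
            if m:
                name, reg_type, data = m.groups()
                keys[current][name] = int(data, 16) if reg_type == "REG_QWORD" else data
    return keys


def consent_timeline(text):
    """Build access records for every application subkey that carries timestamps."""
    records = []
    for path, values in parse_reg_query(text).items():
        if "LastUsedTimeStart" not in values:
            continue  # capability root and NonPackaged container hold only consent values
        parts = path.split("\\")
        packaged = "NonPackaged" not in parts
        app = parts[-1]
        if not packaged:
            app = app.replace("#", "\\")  # NonPackaged subkey name encodes the exe path
        start = filetime_to_utc(values["LastUsedTimeStart"])
        stop = filetime_to_utc(values.get("LastUsedTimeStop", 0))
        records.append({
            "capability": parts[parts.index("ConsentStore") + 1],
            "application": app,
            "packaged": packaged,
            "start_utc": start,
            "stop_utc": stop,
            "duration_s": (stop - start).total_seconds() if start and stop else None,
        })
    return sorted(records, key=lambda r: r["start_utc"])


if __name__ == "__main__":
    for rec in consent_timeline(SAMPLE_OUTPUT):
        kind = "packaged" if rec["packaged"] else "NonPackaged"
        print(f"{rec['capability']:<11} {kind:<12} {rec['start_utc']} -> "
              f"{rec['stop_utc'] or 'no stop recorded'}  {rec['application']}")
```

Pipe the real `reg query ... /s` output into `consent_timeline` in place of the constructed sample to get the same records from a live system or a mounted image; the resulting UTC start/stop pairs can then be merged with other timeline sources. A `NonPackaged` record with no stop time is worth a closer look, since it indicates the resource was in use when the hive was captured.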
