EricZimmerman · AndrewRathbun · Jul 18, 2025 · Jul 18, 2025
diff --git a/BatchExamples/DFIRBatch.md b/BatchExamples/DFIRBatch.md
@@ -64,6 +64,7 @@ Example entry, please follow this format:
 | 2.13 | 2025-07-01 | Added User Account Control Artifacts |
 | 2.14 | 2025-07-05 | Added System Info, Processor Info, Recent File List and Registry Editor Usage Artifacts |
 | 2.15 | 2025-07-12 | Added Initial User.dat Windows Store UWP and WinSCP Windows Store Artifacts |
+| 2.16 | 2025-07-18 | Added More User.dat Windows Store UWP Artifacts - Network Share and WordPad |
 
 # Documentation
 

diff --git a/BatchExamples/DFIRBatch.reb b/BatchExamples/DFIRBatch.reb
@@ -1,9 +1,9 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
-Version: 2.15
+Version: 2.16
 Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8
 Keys:
 #
 # DFIRBatch README: https://github.com/EricZimmerman/RECmd/blob/master/BatchExamples/DFIRBatch.md
 #  => Add changelog in this readme after additions.
 #
@@ -44,7 +44,7 @@
        Recursive: false
        Comment: "Displays the username of the last user logged in to this system"

 # https://windowsir.blogspot.com/2013/04/plugin-winlogon.html

    -
        Description: WinLogon
@@ -55,7 +55,7 @@
        Recursive: false
        Comment: "Displays the SID of the user who is set to auto login to Windows"

 # https://windowsir.blogspot.com/2013/04/plugin-winlogon.html

    -
        Description: WinLogon
@@ -130,7 +130,7 @@
        Recursive: false
        Comment: "Identifies the system volume where Windows booted from"

 # https://www.microsoftpressstore.com/articles/article.aspx?p=2201310
 # https://stackoverflow.com/questions/15361617/retrieve-the-partition-number-of-bootmgr-on-windows-vista-and-later

    -
@@ -142,7 +142,7 @@
        Recursive: false
        Comment: "Displays value for the current ControlSet"

 # https://what-when-how.com/windows-forensic-analysis/registry-analysis-windows-forensic-analysis-part-3/
 # https://msirevolution.wordpress.com/2012/03/31/what-is-currentcontrolset001-in-windows-registry/

    -
@@ -154,7 +154,7 @@
        Recursive: false
        Comment: "Displays value for the default ControlSet"

 # https://what-when-how.com/windows-forensic-analysis/registry-analysis-windows-forensic-analysis-part-3/
 # https://msirevolution.wordpress.com/2012/03/31/what-is-currentcontrolset001-in-windows-registry/

    -
@@ -166,7 +166,7 @@
        Recursive: false
        Comment: "Displays value for the ControlSet that was unable to boot Windows successfully"

 # https://what-when-how.com/windows-forensic-analysis/registry-analysis-windows-forensic-analysis-part-3/
 # https://msirevolution.wordpress.com/2012/03/31/what-is-currentcontrolset001-in-windows-registry/

    -
@@ -178,7 +178,7 @@
        Recursive: false
        Comment: "Displays value for the last known good ControlSet"

 # https://what-when-how.com/windows-forensic-analysis/registry-analysis-windows-forensic-analysis-part-3/
 # https://msirevolution.wordpress.com/2012/03/31/what-is-currentcontrolset001-in-windows-registry/

    -
@@ -192,7 +192,7 @@
        BinaryConvert: FILETIME
        Comment: "Last system shutdown time"

 # https://www.winhelponline.com/blog/how-to-determine-the-last-shutdown-date-and-time-in-windows/

    -
        Description: Windows OS Language
@@ -203,7 +203,7 @@
        Recursive: false
        Comment: "Default OS Language, 0409 is English"

 # https://serverfault.com/questions/957167/windows-10-1809-region-language-registry-keys
 # https://www.itprotoday.com/windows-78/where-registry-language-setting-each-user-stored

    -
@@ -1646,6 +1646,14 @@
         ValueName: RemotePath
         Recursive: true
         Comment: "Displays the UNC path for a mounted network share"
+    -
+        Description: Network Shares
+        HiveType: User
+        Category: Network Shares
+        KeyPath: Network
+        ValueName: RemotePath
+        Recursive: true
+        Comment: "Displays the UNC path for a mounted network share - Windows Store UWP"
     -
         Description: Network Shares
         HiveType: NTUSER
@@ -1654,6 +1662,14 @@
         ValueName: UserName
         Recursive: true
         Comment: "Displays the user account associated with the mounted network share"
+    -
+        Description: Network Shares
+        HiveType: User
+        Category: Network Shares
+        KeyPath: Network
+        ValueName: UserName
+        Recursive: true
+        Comment: "Displays the user account associated with the mounted network share - Windows Store UWP"
     -
         Description: Network Shares
         HiveType: NTUSER
@@ -1662,6 +1678,14 @@
         ValueName: ProviderName
         Recursive: true
         Comment: "Displays the provider of the mounted network share"
+    -
+        Description: Network Shares
+        HiveType: User
+        Category: Network Shares
+        KeyPath: Network
+        ValueName: ProviderName
+        Recursive: true
+        Comment: "Displays the provider of the mounted network share - Windows Store UWP"
 
 # https://social.technet.microsoft.com/Forums/ie/en-US/65eb8a2f-988f-40a7-b6ff-616a050c8efc/list-all-mapped-drives-for-all-users-that-have-logged-into-a-computer?forum=ITCG
 
@@ -1672,6 +1696,13 @@
         KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
         Recursive: false
         Comment: "Displays drives that were mapped by the user"
+    -
+        Description: Network Drive MRU
+        HiveType: User
+        Category: Network Shares
+        KeyPath: Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
+        Recursive: false
+        Comment: "Displays drives that were mapped by the user - Windows Store UWP"
 
 # https://community.spiceworks.com/topic/137045-remove-previously-mapped-network-drive-paths
 # https://answers.microsoft.com/en-us/windows/forum/windows_7-networking/cleanup-network-drives-list/1247aca3-deb6-493d-b937-24b40087cbc7?auth=1
@@ -2194,6 +2225,13 @@
         KeyPath: Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
         Recursive: false
         Comment: "Displays recent files accessed by the user with MS WordPad"
+    -
+        Description: Recent File List
+        HiveType: User
+        Category: User Activity
+        KeyPath: Software\Microsoft\Windows\CurrentVersion\Applets\Wordpad\Recent File List
+        Recursive: false
+        Comment: "Displays recent files accessed by the user with MS WordPad Windows Store Version"
 
 # https://forensafe.com/blogs/wordpad_recent_files.html