When to Use When investigating user activity on a Windows system during an incident For identifying autorun/persistence mechanisms used by malware When tracing installed software, USB devices, and ...