Recently, I came across a write-up by Andrea Fortuna highlighting a lesser-known PCA artifact in Windows 11, which led me to explore its practical use in SOC investigations.
When performing endpoint investigations, SOC and Incident Response analysts often rely on well-known artifacts like Prefetch, Event Logs, Jump Lists, and the Recycle Bin to determine user activity.
But what happens when these artifacts are missing, disabled, or deliberately wiped?
In Windows 11, there's a lesser-known artifact that can still provide valuable execution evidence — the Program Compatibility Assistant (PCA) logs.
What is the PCA Artifact?
The Program Compatibility Assistant (PCA) is a Windows component designed to detect and mitigate compatibility issues when applications are executed. In the process, it generates a log file that can be extremely useful for forensic analysis. With Windows 11 (22H2+), Microsoft added a more persistent text-based tracking mechanism to support that process.
Location: C:\Windows\appcompat\pca\PcaAppLaunchDic.txt
Key Advantage
It provides direct evidence of execution — particularly for files launched through Explorer.exe, which is common in user-driven actions like opening downloaded files or email attachments.
Why This Artifact Matters
As analysts, we typically depend on artifacts such as:
- Prefetch files
- Jump Lists
- Event Logs
- Recycle Bin entries
However, in real-world environments:
- Prefetch may be disabled
- Logs may be noisy or rotated
- Artifacts may be deleted by attackers
- Filtering relevant entries becomes time-consuming
This is where the PCA artifact becomes valuable.
Limitation
The PCA log only records executions triggered via Explorer.exe.
It does not capture executions from:
- PowerShell
- Command Prompt
- Scheduled tasks
- Other non-GUI execution methods
So while it's not a complete source of truth, it's a high-confidence artifact for user-driven execution.
SOC & IR Application
This artifact can be integrated into your investigation workflow:
- Perform live response collection from endpoints
- Retrieve the PCA log remotely
- Correlate entries with:
  - EDR alerts
  - File paths (especially Temp/AppData)
  - Timeline of events
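The following is an added example (not code from the original post or from Andrea Fortuna's research) of the parse-and-correlate step above: it reads a retrieved copy of PcaAppLaunchDic.txt, builds a launch timeline, flags paths under Temp, AppData or Downloads, and selects the entries that fall inside an EDR alert window. It assumes the file is one entry per line in the form `<full path>|<timestamp>` with a `YYYY-MM-DD HH:MM:SS.fff` timestamp; the post does not document the format, so confirm it against a real file before relying on it. The sample content is constructed for the example.

```python
# Added example, not part of the original post.
# ASSUMPTION: each line of PcaAppLaunchDic.txt is "<full path>|<timestamp>" with a
# "YYYY-MM-DD HH:MM:SS.fff" timestamp; timestamps are kept naive (no timezone
# conversion is applied). Verify the format against a real file first.
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample standing in for C:\Windows\appcompat\pca\PcaAppLaunchDic.txt
SAMPLE_PCA_LOG = """\
C:\\Program Files\\7-Zip\\7zFM.exe|2024-03-18 09:02:11.004
C:\\Users\\alice\\AppData\\Local\\Temp\\invoice_0319.exe|2024-03-19 10:15:42.123
C:\\Users\\alice\\Downloads\\setup_tool.exe|2024-03-19 10:14:05.871
this line is malformed and has no delimiter
C:\\Users\\alice\\AppData\\Roaming\\updater\\svc.exe|2024-03-19 10:16:01.500
"""

# Path fragments that commonly indicate user-staged or dropped files (matched case-insensitively).
SUSPICIOUS_PATH_FRAGMENTS = ("\\appdata\\local\\temp\\", "\\appdata\\roaming\\", "\\downloads\\")


@dataclass
class PcaEntry:
    path: str
    launched_at: datetime
    suspicious: bool


def parse_line(line: str) -> Optional[PcaEntry]:
    """Parse one 'path|timestamp' line; return None for blank or malformed lines."""
    line = line.strip()
    if not line or "|" not in line:
        return None
    # '|' is not a legal character in Windows paths, so the last one is the delimiter.
    path, _, ts = line.rpartition("|")
    try:
        launched_at = datetime.strptime(ts.strip(), "%Y-%m-%d %H:%M:%S.%f")
    except ValueError:
        return None
    lowered = path.lower()
    suspicious = any(frag in lowered for frag in SUSPICIOUS_PATH_FRAGMENTS)
    return PcaEntry(path=path, launched_at=launched_at, suspicious=suspicious)


def parse_pca_log(text: str) -> List[PcaEntry]:
    """Parse the whole file and return the entries as a timeline (oldest first)."""
    entries = [e for e in (parse_line(ln) for ln in text.splitlines()) if e is not None]
    return sorted(entries, key=lambda e: e.launched_at)


def suspicious_entries(entries: List[PcaEntry]) -> List[PcaEntry]:
    """Entries launched from locations that merit a closer look (Temp, AppData, Downloads)."""
    return [e for e in entries if e.suspicious]


def entries_within(entries: List[PcaEntry], start: datetime, end: datetime) -> List[PcaEntry]:
    """Entries whose launch time falls in [start, end], e.g. around an EDR alert."""
    return [e for e in entries if start <= e.launched_at <= end]


if __name__ == "__main__":
    timeline = parse_pca_log(SAMPLE_PCA_LOG)
    for e in timeline:
        flag = "SUSPICIOUS" if e.suspicious else "ok"
        print(f"{e.launched_at.isoformat(sep=' ')}  {flag:10s}  {e.path}")
```

In practice, replace `SAMPLE_PCA_LOG` with the contents of the file collected during live response, and pass the EDR alert's time window to `entries_within` to pull out the Explorer-launched executables that sit next to the alert on the timeline. Because the log only covers Explorer.exe launches, an empty result for a given window rules nothing out; it simply means the execution did not go through the GUI path this artifact records.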
While PCA logs are not a complete source of truth, they can act as supporting evidence when reconstructing timelines, validating user activity, and strengthening incident findings — especially in cases where other artifacts are missing or inconclusive.
In the next blog, I'll walk through how to hunt for PCA-related activity using EDR queries and other practical approaches, so this artifact can be operationalized within SOC workflows.
Reference
This blog was inspired by the research shared by Andrea Fortuna.
- "Windows 11 PCA Artifact" — https://andreafortuna.org/2026/03/19/windows11-pca-artifact