GhostTrace – a Windows forensic scanner that finds what “Uninstall” leaves behind (22 modules, read-only, offline)

News

I built a CLI tool for Windows that investigates software remnants across 22 forensic modules in a single pass. The idea: when you uninstall software, it says goodbye — but registry keys, prefetch entries, scheduled tasks, WMI subscriptions, BAM/DAM timestamps and more often stay behind. GhostTrace finds all of it.

What it covers:

- Persistence (MITRE ATT&CK TA0003): Run/RunOnce keys, services, IFEO debugger, AppInit_DLLs, scheduled tasks via Task Scheduler COM API, WMI EventFilter/Consumer bindings
- Execution evidence (TA0002): Shimcache (AppCompatCache), Prefetch with XPRESS-Huffman decode (versions 26/30/31), BAM/DAM with per-SID last-run timestamps, UserAssist (ROT13), MUICache
- User activity: PowerShell history with cradle/encoded payload detection, RDP outbound history, RecentDocs, USB device history via USBSTOR, network artifacts (hosts redirects + connected networks)
- Installed software and disk residue: uninstall entries, startup approved state, filesystem trace in Program Files/ProgramData/AppData

Design decisions:

- Read-only by default — scan never touches anything
- Cleanup only after explicit typed confirmation (no implicit click)
- Execution caches and history are excluded from cleanup — you don’t destroy evidence
- Zero network calls, zero telemetry
- Suspicious signal is data for analysis, not an automatic verdict

Stack: C# · .NET 10 · Spectre.Console · Windows 10/11 x64

Download on GitHub: github.com/Devzinh/GhostTrace

Happy to answer questions about the forensic modules or implementation decisions.

submitted by /u/Green-Necessary-2325
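To show what two of the execution-evidence modules listed above actually decode, here is an added example (my own, not GhostTrace's code) that parses a UserAssist value (ROT13 name plus the Windows 7+ 72-byte data layout, with run count at offset 4 and last-run FILETIME at offset 60) and a BAM per-SID value (FILETIME in the first 8 bytes); the registry layouts are taken from public documentation, and the sample values, SID and paths are constructed, not from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows FILETIME: count of 100-ns ticks since 1601-01-01 00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a 64-bit FILETIME to an aware UTC datetime (None if unset)."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    return ((dt - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_userassist(value_name: str, data: bytes) -> dict:
    """Decode one HKCU\\...\\UserAssist\\{GUID}\\Count value (Win7+ layout).

    The value name is the ROT13-obfuscated path; in the 72-byte data the
    run count sits at offset 4 and the last-execution FILETIME at offset 60.
    """
    if len(data) < 72:
        raise ValueError("UserAssist data shorter than the 72-byte Win7+ layout")
    run_count = struct.unpack_from("<I", data, 4)[0]
    last_run_ft = struct.unpack_from("<Q", data, 60)[0]
    return {"path": codecs.decode(value_name, "rot13"),
            "run_count": run_count,
            "last_run": filetime_to_datetime(last_run_ft)}


def decode_bam(sid: str, value_name: str, data: bytes) -> dict:
    """Decode one bam\\State\\UserSettings\\<SID> value: FILETIME in bytes 0..7."""
    if len(data) < 8:
        raise ValueError("BAM data shorter than a FILETIME")
    ft = struct.unpack_from("<Q", data, 0)[0]
    return {"sid": sid, "path": value_name, "last_run": filetime_to_datetime(ft)}


# Constructed sample artifacts (labelled: not captured from any real host).
_LAST_RUN = datetime(2024, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_UA_NAME = codecs.encode(r"{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\legacyagent.exe", "rot13")
SAMPLE_UA_DATA = (struct.pack("<III", 0, 17, 3) + bytes(48)          # session, run count, focus count, floats
                  + struct.pack("<Q", datetime_to_filetime(_LAST_RUN)) + bytes(4))
SAMPLE_BAM_SID = "S-1-5-21-1111111111-2222222222-3333333333-1001"
SAMPLE_BAM_NAME = r"\Device\HarddiskVolume3\Tools\legacyagent.exe"
SAMPLE_BAM_DATA = struct.pack("<Q", datetime_to_filetime(_LAST_RUN)) + bytes(16)
```

Both results are evidence of execution that survives an uninstall, which is why a cleanup step should leave these keys alone and only report them.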