Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts

BatchExamples/DFIRBatch.md

@@ -67,6 +67,7 @@ Example entry, please follow this format:
 | 2.16 | 2025-07-18 | Added More User.dat Windows Store UWP Artifacts - Network Share and WordPad |
 | 2.17 | 2025-07-20 | Added ApplicationAssociationToasts and More Office MRU Artifacts |
 | 2.18 | 2025-09-01 | Added ConsentStore Artifacts |
+| 2.19 | 2025-09-02 | Added Desktop IconLayouts, DB Browser for SQLite and WinMerge Artifacts |
 
 # Documentation
 
@@ -85,6 +86,5 @@ As of May 2024, the following plugins are not being leveraged:
 
 * [DHCPNetworkHint](https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.DHCPNetworkHint)
 * [FeatureUsage](https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.FeatureUsage)
-* [IconLayouts](https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.IconLayouts)
 * [NetworkSettings](https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.NetworkSettings)
 * [TaskFlowShellActivities](https://github.com/EricZimmerman/RegistryPlugins/blob/master/RegistryPlugin.TaskFlowShellActivities/TaskFlowShellActivities.cs)

BatchExamples/DFIRBatch.reb

@@ -1,6 +1,6 @@
 Description: DFIR RECmd Batch File
 Author: Andrew Rathbun
-Version: 2.18
+Version: 2.19
 Id: 6e68cc0b-c945-428b-ab91-c02d91c877b8
 Keys:
 #
@@ -2570,6 +2570,20 @@ Keys:
 
 # https://www.cyberengage.org/post/registry-system-configiuration-tracking-microphone-and-camera-usage-in-windows-program-execution
 
+# User Activity -> Desktop IconLayouts
+
+    -
+        Description: Desktop IconLayouts
+        HiveType: NTUSER
+        Category: User Activity
+        KeyPath: Software\Microsoft\Windows\Shell\Bags\1\Desktop
+        Recursive: false
+        Comment: "Displays the desktop icon layout, Observed in Windows 11 to be arranged from top to bottom in columns from the top left of the screen."
+
+# IconLayouts plugin - https://github.com/EricZimmerman/RegistryPlugins/tree/master/RegistryPlugin.IconLayouts
+# In Windows 11 icons appear from the top left of the screen, filling downwards, then moving to the next column going from left to right.
+# https://github.com/kacos2000/Win10/blob/master/Desktop_IconLayouts.pdf
+
 # --------------------
 # AUTORUNS
 # --------------------
@@ -3471,6 +3485,26 @@ Keys:
         Recursive: true
         Comment: "Displays artifacts relating to Angry IP Scanner"
 
+# Third Party Applications -> DB Browser for SQLite - https://sqlitebrowser.org/
+
+    -
+        Description: DB Browser for SQLite
+        HiveType: NTUSER
+        Category: Third Party Applications
+        KeyPath: Software\sqlitebrowser\sqlitebrowser
+        Recursive: true
+        Comment: "Displays artifacts relating to DB Browser for SQLite"
+
+# Third Party Applications -> WinMerge - https://winmerge.org/
+
+    -
+        Description: WinMerge
+        HiveType: NTUSER
+        Category: Third Party Applications
+        KeyPath: Software\Thingamahoochie\WinMerge
+        Recursive: true
+        Comment: "Displays artifacts relating to WinMerge"
+
 # --------------------
 # CLOUD STORAGE
 # --------------------