Thursday, April 2, 2026

Turning off Windows spy on your applications and clipboard - Windows TimeLine & Activity History


What is Windows Timeline / Activity History?

Its primary purpose is to store a chronological record of a user's activities on a device, allowing you to "pick up where you left off" across different sessions or even different devices synced to the same Microsoft account. The database tracks "Activities," which Windows defines as specific interactions with applications or content. This includes:

  • Application Usage: Which apps were opened and for how long.
  • File Access: Specific documents, images, or folders you interacted with.
  • Web Browsing: Pages visited (primarily via Microsoft Edge).
  • Cross-Device Syncing: If enabled, it stores data from other Windows devices signed into the same account.

This file lives under:

%LOCALAPPDATA%\ConnectedDevicesPlatform\{GUID}\ActivitiesCache.db

It is the SQLite database used by Windows Timeline & Activity History. It is not encrypted, and you can view it with the free tool DB Browser for SQLite (sqlitebrowser.org); a query that produces readable output is given in the section "Querying ActivitiesCache.db". Windows writes to it whenever:

  • Activity History is enabled

  • Cloud sync is enabled

  • Certain shell events occur (app launches, document usage, etc.)

Even if you never use Timeline, Windows 10/11 still tries to write to it unless the feature is fully disabled. It's hard to turn off.


How to Stop Windows from Writing to ActivitiesCache.db

Here’s the important part: There is no supported registry key that directly disables the database itself. But you can disable every subsystem that feeds it, which effectively stops writes.

Below is the forensically correct way to shut it down.


✅ 1. Disable Activity History (User Setting)

Go to:

Settings → Privacy → Activity history

Turn off:

  • Store my activity history on this device

  • Send my activity history to Microsoft

Then click Clear activity history.

This stops the user-mode Activity History pipeline.


✅ 2. Disable Activity History via Group Policy (Stronger)

For Windows 10/11 Pro/Enterprise:

gpedit.msc

Navigate to:

Computer Configuration → Administrative Templates → System → OS Policies

Set both policies to Disabled:

  • Allow publishing of User Activities: Disabled

  • Allow upload of User Activities: Disabled

This blocks the Activity Feed service from writing new rows.



✅ 3. Disable Connected Devices Platform (CDP) Services

These services feed the ActivitiesCache pipeline:

  • Connected Devices Platform Service (CDPSvc)

  • Connected Devices Platform User Service_XXXX

  • Clipboard User Service_XXXX

Clipboard User Service Core Functions
  1. Clipboard History: It allows you to store multiple items in your clipboard (accessed via Win + V) instead of just the most recent one.
  2. Cloud Synchronization: It enables the "Sync across devices" feature, allowing you to copy text or images on one PC and paste them onto another linked device.
  3. Data Formatting: It handles the background processing required to ensure that different types of data (plain text, HTML, images) are correctly formatted when pasted into different applications. NOTE: I have tested this by copying an HTML file to a Word document using a Clipboard Spy, and all formats appear.

You can disable them:

services.msc

Set both to:

  • Startup type: Disabled

  • Stop the service

⚠️ Note: Some Bluetooth and cross-device features depend on CDP. But for forensic lockdown, this is the most effective method.



You must delete the service in the Registry, but it gets recreated under a new random number. Using the command line or Task Scheduler gives the "Incorrect Parameter" error.


Can You Disable CDPUserSvc via Registry?

Yes — but with caveats. Open WinKey+R -> Regedit

You can disable the template service:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CDPUserSvc
  Start = 4   (Disabled)

However:

  • Windows may still create the per‑user instance key

  • The instance will inherit Start=4 and will not run

  • This is functionally equivalent to disabling it in services.msc

This aligns with guidance that CDPSvc/CDPUserSvc can be disabled if not needed.

NOTE! If you disable the template (Start=4):
  • Windows still creates CDPUserSvc_<RANDOM>

  • But the instance never starts

  • No CDP activity is generated

  • ActivitiesCache.db stops receiving CDP‑originated events

  • The DB may still be created as a placeholder, but remains static

This achieves the goal of stopping writes to ActivitiesCache.db.

✅ 4. Block the Scheduled Tasks That Feed It

Disable these tasks:

Task Scheduler → Microsoft → Windows → Shell
  • FamilySafetyMonitor

  • FamilySafetyRefresh

  • ShellExperienceHost

  • Windows Error Reporting → QueueReporting

These tasks generate Activity History events.

✅ 5. Forensic Verification

To check deterministically that the pipeline is shut down:

After disabling everything:

  1. Delete or rename the existing DB:

    ActivitiesCache.db → ActivitiesCache.db.disabled
  2. Reboot.

  3. Observe whether a new DB is created.

If all policies + services are disabled, Windows will not recreate the DB. If it does reappear, something is still feeding the pipeline.
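When the database does reappear, the rows written after the lockdown show which application or activity type is still feeding it. The following is an added example, not part of the original post: it assumes the Activity table columns used in the query later on this page, assumes LastModifiedTime is stored as Unix epoch seconds, and the function names are hypothetical.

```python
import json
import sqlite3
import sys
from datetime import datetime, timezone
from pathlib import Path


def parse_app(app_id):
    """AppId holds a JSON array; return its first non-empty 'application' value."""
    try:
        entries = json.loads(app_id)
    except (TypeError, ValueError):
        return app_id  # not JSON: report the raw value
    entries = entries if isinstance(entries, list) else []
    names = [e.get("application") for e in entries if isinstance(e, dict)]
    return next((n for n in names if n), app_id)


def rows_written_since(db_path, cutoff_epoch):
    """List (UTC time, ActivityType, application) for rows modified after the cutoff."""
    # Read-only URI so the check itself cannot write to the file under test.
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        cur = con.execute(
            "SELECT LastModifiedTime, ActivityType, AppId FROM Activity "
            "WHERE LastModifiedTime > ? ORDER BY LastModifiedTime",
            (cutoff_epoch,),
        )
        return [
            (datetime.fromtimestamp(ts, timezone.utc).isoformat(), kind, parse_app(app))
            for ts, kind, app in cur
        ]
    finally:
        con.close()


def build_sample_db(path, rows):
    """Constructed sample: a minimal Activity table with only the columns read above."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE Activity (AppId TEXT, ActivityType INT, LastModifiedTime INT)")
    con.executemany("INSERT INTO Activity VALUES (?, ?, ?)", rows)
    con.commit()
    con.close()


if __name__ == "__main__":  # usage: script.py <path to ActivitiesCache.db> <cutoff epoch>
    for row in rows_written_since(sys.argv[1], int(sys.argv[2])):
        print(row)
```

Run it against a copy of the database taken together with any ActivitiesCache.db-wal and ActivitiesCache.db-shm files beside it, since recent writes may still sit in the write-ahead log. An empty result for a cutoff set at the time of the lockdown means no new rows have been recorded.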

What Doesn’t Work

These myths float around, but they do not stop writes:

| Method | Why it fails |
|---|---|
| Setting file ACL to deny writes | Windows retries endlessly; CDP logs errors; DB may be recreated elsewhere |
| Deleting the DB only | Windows recreates it immediately |
| Disabling “Let Windows collect my activities” alone | CDP still writes local events |
| Registry hacks from old blogs | Most are ignored in Win10 1809+ |


Querying ActivitiesCache.db

You can view the db file using the free tool DB Browser for SQLite (sqlitebrowser.org). It's not encrypted.

SELECT
    Id,
    AppId,
    AppActivityId,
    -- AppId is a JSON array of {"application", "platform"} entries
    json_extract(AppId, '$[0].application') AS ApplicationName,
    ActivityType,
    -- Type codes as documented in public forensic research on this database
    CASE ActivityType
        WHEN 5 THEN 'Open App/File/Page'
        WHEN 6 THEN 'App In Use/Focus'
        WHEN 10 THEN 'Clipboard Text'
        WHEN 16 THEN 'Copy/Paste'
        ELSE 'Other'
    END AS ActivityTypeName,
    -- Timestamps are Unix epoch seconds; EndTime can be 0 (no end recorded)
    datetime(StartTime, 'unixepoch', 'localtime') AS StartDateTime,
    CASE WHEN EndTime > 0 THEN datetime(EndTime, 'unixepoch', 'localtime') END AS EndDateTime,
    datetime(LastModifiedTime, 'unixepoch', 'localtime') AS LastModified,
    CASE WHEN EndTime > 0 THEN EndTime - StartTime END AS DurationSeconds,
    Payload,
    -- Payload keys are camelCase, and SQLite JSON paths are case-sensitive
    json_extract(Payload, '$.displayText') AS DisplayName,
    json_extract(Payload, '$.description') AS WindowTitle,
    json_extract(Payload, '$.contentUri') AS FilePath,
    json_extract(Payload, '$.appDisplayName') AS AppDisplayName,
    "Group",
    MatchId,
    -- Status codes as documented in public forensic research on this database
    CASE ActivityStatus
        WHEN 1 THEN 'Active'
        WHEN 2 THEN 'Updated'
        WHEN 3 THEN 'Deleted'
        WHEN 4 THEN 'Ignored'
        ELSE 'Unknown'
    END AS ActivityStatusName,
    PlatformDeviceId,
    CreatedInCloud,
    Priority,
    IsLocalOnly,
    UserActionState,
    IsRead
FROM Activity
WHERE ActivityType IN (5, 6, 10, 16)  -- application and clipboard activities
    AND AppId IS NOT NULL
ORDER BY StartTime DESC;

Results

[{"application":"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\VideoLAN\\VLC\\vlc.exe","platform":"windows_win32"},{"application":"{6D809377-6AF0-444B-8957-A3773F02200E}\\VideoLAN\\VLC\\vlc.exe","platform":"windows_win32"},{"application":"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\VideoLAN\\VLC\\vlc.exe","platform":"packageId"},{"application":"","platform":"alternateId"}] ECB32AF3-1440-4086-94E3-5311F97F89C4 [{"application":"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\VideoLAN\\VLC\\vlc.exe","platform":"windows_win32"},{"application":"{6D809377-6AF0-444B-8957-A3773F02200E}\\VideoLAN\\VLC\\vlc.exe","platform":"windows_win32"},{"application":"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\VideoLAN\\VLC\\vlc.exe","platform":"packageId"},{"application":"","platform":"alternateId"}] 5 Web Browse 0000-12-31 19:02:57 0000-12-31 19:00:00 0000-12-31 19:02:57 -177.4757047 {"displayText":"VLC media player","activationUri":"ms-shellactivity:","appDisplayName":"VLC media player","backgroundColor":"black"} Unknown tdHHca9QssN0pKMtrZhm/e99sW2pw/4ggLkB7aOlFFE= 0 3 0 0 0




