Bypass Detection·Jun 2, 2026

Wexize Bypass: BAM Registry & Prefetch Execution Trail

Wexize Revamp.exe claims anti-forensic properties, but Windows execution telemetry tells a different story. BAM registry timestamps, a PcaSVC entry at offset 0xac424d0, Prefetch records readable via WinPrefetchView, and LastActivityView all independently preserve the execution event — none of which the bypass clears on exit.

FiveMBypass DetectionBAM RegistryPrefetchIOC

Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.

Overview

Wexize Revamp is a FiveM anti-cheat bypass that markets itself with claims of clean execution — implying it leaves no forensic footprint. In practice, Windows' own execution telemetry subsystems record the binary's launch and preserve that record in multiple independent locations that the bypass does not and, in most cases, cannot clear without triggering its own detection.

The Background Activity Monitor (BAM), a Windows kernel-mode driver that tracks application execution for battery and performance management, writes a timestamped registry entry for every executed binary under the current user's SID. The Wexize loader binary — Wexize Revamp.exe — appears in this hive with its full execution path and a FILETIME timestamp. Disabling or tampering with the BAM service to erase this entry would itself be a detectable anomaly.

Supplementary artifacts include a PcaSVC (Program Compatibility Assistant Service) log entry at offset 0xac424d0, a Windows Prefetch file for the binary name, and a LastActivityView event log record. Together these form a quadruple-corroborated execution trail that establishes both the presence of the binary and the precise time it was run.

Primary IOCs

1

SHA-1 hash identification

The known SHA-1 hash for Wexize Revamp.exe is 404209b5e427ddb7ab14c6bd77044d13922f1db4. If the binary is still present on disk, compute the hash with certutil -hashfile "Wexize Revamp.exe" SHA1. A match confirms this specific build. Submit to VirusTotal to check for any additional vendor detections.

If the file has been deleted, the hash can sometimes be recovered from Prefetch metadata or from the PcaSVC log entry, both of which embed path information that can be correlated with NTFS journal creation records.

2

BAM registry entry — execution timestamp

Open Registry Editor or RegistryExplorer and navigate to HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\. Expand the subkey matching the current user's SID. Each binary value name is a full executable path; the value data is an 8-byte FILETIME representing the last execution time. Search for any value name containing Wexize or the path from which it was launched.

Parse the FILETIME binary value using RegistryExplorer's built-in converter or a hex-to-FILETIME utility. The decoded timestamp is the precise moment Windows last recorded the binary running. This timestamp cannot be altered by user-space tools without modifying a protected registry hive while the BAM driver is loaded.

3

PcaSVC entry at offset 0xac424d0

The Program Compatibility Assistant Service maintains a database of program execution events for compatibility telemetry. Open the PcaSVC log file (located under %SystemRoot%\AppCompat\Programs\ or accessible via the Windows Event Log under Application and Services Logs) and search for a record referencing Wexize Revamp.exe. The entry at offset 0xac424d0 contains the binary path, execution time, and compatibility flags recorded by Windows at runtime.

This artifact is independent of the BAM registry hive and is written by a different Windows subsystem, making it a reliable corroborating record even if one artifact is individually contested.

4

WinPrefetchView — Prefetch file record

Windows Prefetch files are stored at C:\Windows\Prefetch\ and contain execution metadata for launched executables. Open WinPrefetchView and look for an entry matching WEXIZE REVAMP.EXE or a similar normalized version of the filename. The Prefetch record includes the run count, last run time, and the list of files and directories accessed during the first few seconds of execution.

The Prefetch file itself is created or updated on every execution and persists on disk until the Prefetch cache is manually cleared or the system recycles old entries. Its presence confirms the binary ran on this machine regardless of whether the executable file has since been deleted.

5

LastActivityView — execution timeline

Open NirSoft's LastActivityView utility, which aggregates execution evidence from multiple sources including Prefetch, BAM, and event logs into a unified timeline. Search for Wexize in the description or filename column. The matching entry will display the execution time, action type, and data source that recorded it, allowing quick cross-reference against the BAM timestamp.

When the BAM timestamp and the LastActivityView record agree to within seconds, the execution event is corroborated by at least two independent telemetry systems — a strong evidentiary standard for enforcement action.

BAM Registry Analysis

The Background Activity Monitor is a Windows kernel driver (part of the Power Management infrastructure) that records execution events to enable intelligent resource scheduling. It writes entries to HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings as a side effect of its primary scheduling function — not as a forensic or audit tool. This means cheat developers cannot simply "clear" the entries with a standard registry delete without stopping or disabling the BAM service itself.

Stopping the BAM service (a protected system driver) requires administrator privileges and leaves its own artifact: the service's start type, last state transition, and any related Event Log entries at ID 7036 (Service Control Manager). A subject whose BAM service is stopped or whose BAM registry subkey is suspiciously empty should themselves be treated as indicative of anti-forensic tampering.

BAM entries are keyed per user SID, meaning that entries for other user accounts on the same machine are stored in separate subkeys. If a bypass was run under a different user account, check all SID subkeys present — not only the one for the current logged-in user.

Screenshare Check Methodology

1

BAM registry inspection via regedit

Ask the subject to open regedit as administrator and navigate to HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings. Have them expand their user SID subkey and scroll through the binary values on screen. Look for any path value containing Wexize or unusual executables in Downloads or user-writable directories. Ask them not to close any dialogs while you review.

2

WinPrefetchView scan

Open WinPrefetchView (portable, no install required) and sort by Last Run time descending. Share the full window on screen. Search for Wexize using the Find function. If a Prefetch record is present, it will display the full path and execution count. Export the results to a text file for documentation.

3

LastActivityView execution timeline

Run LastActivityView and wait for it to finish aggregating sources. Sort by Action Time descending. Use Find to search for Wexize. Any result confirms execution recorded by at least one Windows telemetry subsystem. Note the source column — it will identify which artifact type (Prefetch, BAM, Event Log) generated the record.

4

PcaSVC log review

Open Event Viewer and navigate to Applications and Services Logs. Search for entries from the source PcaSvc within the relevant session timeframe. Alternatively, export the PcaSVC database file from %SystemRoot%\AppCompat\Programs\ and open it with a compatible viewer. Look for the Wexize executable path and the recorded execution time.

5

Hash the binary if still present

If Wexize Revamp.exe is still present anywhere on disk (Downloads, Desktop, AppData), run certutil -hashfile <path> SHA1 and compare the output against the known hash 404209b5...db4. A match confirms this specific build. Submit to VirusTotal on screen for live detection results.

Detection Notes

The primary defense value of the BAM registry artifact is its resistance to user-space tampering. Unlike Prefetch files, which can be deleted with elevated privileges by a knowledgeable user, the BAM hive entries require disabling a kernel driver and restarting the system to clear — an action that is itself a detectable and suspicious event in the Event Log.

When all four artifact types — BAM registry, PcaSVC, Prefetch, and LastActivityView — agree on the same executable path and a consistent timestamp window, the evidentiary chain is effectively unbreakable through software means alone. Wexize's anti-forensic marketing claims do not address any of these telemetry layers.

Investigators should document the PcaSVC offset 0xac424d0 as a version-specific fingerprint. If future Wexize builds alter the binary, the offset will change — but the BAM and Prefetch indicators will continue to apply to any executable with the Wexize name or file path pattern.