Defensive use only. Detection methodologies published for server administrators, DFIR practitioners, and anti-cheat researchers. No evasion guidance is provided.
Overview
Wexize Revamp is a FiveM anti-cheat bypass that markets itself with claims of clean execution — implying it leaves no forensic footprint. In practice, Windows' own execution telemetry subsystems record the binary's launch and preserve that record in multiple independent locations that the bypass does not and, in most cases, cannot clear without triggering its own detection.
The Background Activity Monitor (BAM), a Windows kernel-mode driver that tracks application execution for battery and performance management, writes a timestamped registry entry for every executed binary under the current user's SID. The Wexize loader binary — Wexize Revamp.exe — appears in this hive with its full execution path and a FILETIME timestamp. Disabling or tampering with the BAM service to erase this entry would itself be a detectable anomaly.
Supplementary artifacts include a PcaSVC (Program Compatibility Assistant Service) log entry at offset 0xac424d0, a Windows Prefetch file for the binary name, and a LastActivityView event log record. Together these form a quadruple-corroborated execution trail that establishes both the presence of the binary and the precise time it was run.
Primary IOCs
SHA-1 hash identification
The known SHA-1 hash for Wexize Revamp.exe is 404209b5e427ddb7ab14c6bd77044d13922f1db4. If the binary is still present on disk, compute the hash with certutil -hashfile "Wexize Revamp.exe" SHA1. A match confirms this specific build. Submit to VirusTotal to check for any additional vendor detections.
If the file has been deleted, the hash can sometimes be recovered from Prefetch metadata or from the PcaSVC log entry, both of which embed path information that can be correlated with NTFS journal creation records.
BAM registry entry — execution timestamp
Open Registry Editor or RegistryExplorer and navigate to HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\. Expand the subkey matching the current user's SID. Each binary value name is a full executable path; the value data is an 8-byte FILETIME representing the last execution time. Search for any value name containing Wexize or the path from which it was launched.
Parse the FILETIME binary value using RegistryExplorer's built-in converter or a hex-to-FILETIME utility. The decoded timestamp is the precise moment Windows last recorded the binary running. This timestamp cannot be altered by user-space tools without modifying a protected registry hive while the BAM driver is loaded.
PcaSVC entry at offset 0xac424d0
The Program Compatibility Assistant Service maintains a database of program execution events for compatibility telemetry. Open the PcaSVC log file (located under %SystemRoot%\AppCompat\Programs\ or accessible via the Windows Event Log under Application and Services Logs) and search for a record referencing Wexize Revamp.exe. The entry at offset 0xac424d0 contains the binary path, execution time, and compatibility flags recorded by Windows at runtime.
This artifact is independent of the BAM registry hive and is written by a different Windows subsystem, making it a reliable corroborating record even if one artifact is individually contested.
WinPrefetchView — Prefetch file record
Windows Prefetch files are stored at C:\Windows\Prefetch\ and contain execution metadata for launched executables. Open WinPrefetchView and look for an entry matching WEXIZE REVAMP.EXE or a similar normalized version of the filename. The Prefetch record includes the run count, last run time, and the list of files and directories accessed during the first few seconds of execution.
The Prefetch file itself is created or updated on every execution and persists on disk until the Prefetch cache is manually cleared or the system recycles old entries. Its presence confirms the binary ran on this machine regardless of whether the executable file has since been deleted.
LastActivityView — execution timeline
Open NirSoft's LastActivityView utility, which aggregates execution evidence from multiple sources including Prefetch, BAM, and event logs into a unified timeline. Search for Wexize in the description or filename column. The matching entry will display the execution time, action type, and data source that recorded it, allowing quick cross-reference against the BAM timestamp.
When the BAM timestamp and the LastActivityView record agree to within seconds, the execution event is corroborated by at least two independent telemetry systems — a strong evidentiary standard for enforcement action.
BAM Registry Analysis
The Background Activity Monitor is a Windows kernel driver (part of the Power Management infrastructure) that records execution events to enable intelligent resource scheduling. It writes entries to HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings as a side effect of its primary scheduling function — not as a forensic or audit tool. This means cheat developers cannot simply "clear" the entries with a standard registry delete without stopping or disabling the BAM service itself.
Stopping the BAM service (a protected system driver) requires administrator privileges and leaves its own artifact: the service's start type, last state transition, and any related Event Log entries at ID 7036 (Service Control Manager). A subject whose BAM service is stopped or whose BAM registry subkey is suspiciously empty should themselves be treated as indicative of anti-forensic tampering.
BAM entries are keyed per user SID, meaning that entries for other user accounts on the same machine are stored in separate subkeys. If a bypass was run under a different user account, check all SID subkeys present — not only the one for the current logged-in user.
Detection Notes
The primary defense value of the BAM registry artifact is its resistance to user-space tampering. Unlike Prefetch files, which can be deleted with elevated privileges by a knowledgeable user, the BAM hive entries require disabling a kernel driver and restarting the system to clear — an action that is itself a detectable and suspicious event in the Event Log.
When all four artifact types — BAM registry, PcaSVC, Prefetch, and LastActivityView — agree on the same executable path and a consistent timestamp window, the evidentiary chain is effectively unbreakable through software means alone. Wexize's anti-forensic marketing claims do not address any of these telemetry layers.
Investigators should document the PcaSVC offset 0xac424d0 as a version-specific fingerprint. If future Wexize builds alter the binary, the offset will change — but the BAM and Prefetch indicators will continue to apply to any executable with the Wexize name or file path pattern.