Hacker News

Can you give some more examples of the file browsing tracking? I have timeline off


Object access auditing has been around in NT since the mid-1990s, if not from the beginning. It's not some secret spyware, it is literally a feature that is widely used and is a requirement for high-security environments (e.g. government systems) when you need to be able to log or prove if someone did or did not access some sensitive information. E.g. insider threat scenario.

https://docs.microsoft.com/en-us/windows/security/threat-pro...


It’s off by default! (Only the domain controllers enable a subset of it.)

You can make it log everything, but the performance hit is noticeable.

Next thing you’re going to start complaining about dtrace spying on you.
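The two comments above describe object-access auditing as a logging feature that is off by default and costly when turned on for everything. As an added example (not code from any commenter), this scopes it to one folder and reads back the resulting 4663 events; it assumes an elevated PowerShell session on Windows and uses C:\Sensitive as a placeholder path.

```powershell
# Added example: scope object-access auditing to one folder instead of "everything".
# Assumes an elevated PowerShell session; C:\Sensitive is a placeholder path.

# 1. Enable the File System subcategory of Object Access (off by default on workstations).
auditpol /set /subcategory:"File System" /success:enable /failure:enable

# 2. Add a SACL entry only on the sensitive folder, so 4663 events are generated there
#    and not for every file on the volume (this is what keeps the performance cost bounded).
$path   = 'C:\Sensitive'
$acl    = Get-Acl -Path $path -Audit
$rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, Delete'
$rule   = [System.Security.AccessControl.FileSystemAuditRule]::new(
    'Everyone',
    $rights,
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $path -AclObject $acl

# 3. Read back who touched what: event 4663 ("An attempt was made to access an object").
#    Fields are pulled from the event XML by name rather than by positional index.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663 } -MaxEvents 50 |
    ForEach-Object {
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        [pscustomobject]@{
            Time    = $_.TimeCreated
            User    = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
            Object  = ($data | Where-Object Name -eq 'ObjectName').'#text'
            Process = ($data | Where-Object Name -eq 'ProcessName').'#text'
            Access  = ($data | Where-Object Name -eq 'AccessMask').'#text'
        }
    } |
    Where-Object Object -like "$path*" |
    Format-Table -AutoSize
```

Step 2 is the part that matters for the performance point: without a SACL on an object, enabling the subcategory alone generates no file events.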


Others also seem to think I am pointing out some secret feature. None of this is a secret, just not obvious to people who didn't think to look for it. Defaults matter.


You have to register to see it, but this is a SANS poster which summarizes common Windows forensic artifacts and what data can be obtained from them:

https://www.sans.org/posters/windows-forensic-analysis/


Check out amcache and shimcache, recent files, bam/dam. https://andreafortuna.org/2017/10/16/amcache-and-shimcache-i...



