Program execution analysis using userassist key in modern windows. You may have arrived at this page either because you have been alerted by your symantec product about this risk, or you are concerned that. Clean windows 7 start menu mru list stack overflow. My program allows you to display and manipulate these entries. Evidence of program execution evidence location description userassist ntuser. Magnet forensics tools will parse the userassist registry data and decode the rot encoded data, providing examiners with the file name and path, application run count, associated user, and the datetime when the program was last executed. Looking at the registry under system registry all navigate to hklm software microsoft windowsnt currentversion. Windows xp evidence of program execution bens ir notes. How to remove hackerware resolvedinactive general support. To disable logging in the userassist key, create a new dword in this key and name it nolog and assign a value of 1. The userassist registry key keeps track of the applications that were executed by a particular user. Gui, add, listview, vlst w700 h500, namedata loop,hkcu. Windows 98 windows me windows 2000 windows xp server 2003 windows vista server 2008.
You can prefix a runonce value name with an exclamation point. Sid\software\microsoft\windows\currentversion\explorer\userassist\guid\count\rot of path to tool\rot of tool executable. Userassist description guibased programs launched from the desktop are tracked in the launcher on a windows system. During the process i run a set of registry deletes to clear all the quick launch items from the start bar. Windows 7 copy profile issues deployment and imaging group. I'm still intrigued that i found registry entries which are involved in both the desktop icons being rearranged and folder view settings changing. My team runs a performance lab where we run continuous integration tests of our software on windows 10. Blacklight displays information about the operating system including the version of windows and the installation date.
Hkcu\software\microsoft\windows \currentversion\explorer\userassist at this location you will find two guid numbers, as shown in the figure. Microsoft \ windows \ currentversion \ explorer \ userassist \cebff5cdace24f4f91789926f41749ea\ count \hrzr. Some people are suspicious of the userassist entries in the registry, mostly because they are encrypted. Software\microsoft\windows\currentversion\explorer\userassist\75048700ef1f11d09888006097deacf9\count not found. Feb 12, 20 windows 7 help forums windows 7 help and support system security windows 7. Inside each guid is a key named count, which holds the actual. Userassist registry key on windows xp, vista, 7 and 8 is located at ntuser. Virus affecting the userassist registry key, internet. Windows systems maintain a set of keys in the registry database userassist keys to keep track of programs that executed. Sep 14, 20 userassist registry key on windows xp, vista, 7 and 8 is located at ntuser. The number of executions and last execution date and time are available in these keys.
Dat\ software \ microsoft \ windows \ currentversion \ explorer \ userassist \guid\ count \. Dec 01, 2012 let's firstly take a look at what we see in my userassist registry key so we understand what our tool must export and parse and to be able to understand which applications have launched and from where. When I am trying to access data from a registry key reference. Software\ microsoft\ windows\ currentversion\ explorer\ userassist. You should see two subkeys called count, delete both these keys.
Mar 24, 2019 evidence of program execution evidence location description userassist ntuser. What it does is that it maintains a count of applications under each users ntuser. Gui, add, listview, vlst w700 h500, namedata loop,hkcu, software \\ microsoft \\ windows \\ currentversion \\ explorer \\ userassist \\5e6ab780774311cfa12b. Dat\software\microsoft\ windows\currentversion\explorer\ userassist\guid\count guibased programs launched from the desktop are tracked in the launcher on a windows system. May 23, 2018 hkcu\ software \ microsoft \ windows \ currentversion \ explorer \ userassist \guid\ count this key contains two guid subkeys cebff5cd executable file execution, f4e57c4b shortcut file execution. We were telling encryption jokes like rot26 at the office, until a colleague mentioned that a part of the windows registry is rot encrypted. Some people are suspicious of the userassist entries in the registry, mostly because they are. Hkcu\software\microsoft\windows\currentversion\explorer\userassist\. Dat\software\microsoft\windows\currentversion\explorer\comdlg32\opensavepidimru vista,7,8 identify the specific executable used by an application to open the files documented in the opensavemru. I'm finding a weird issue with the copyprofile section of this. Dat\software\microsoft\windows\currentversion\explorer\wordwheelquery interpretation keywords are added in unicode and listed in temporal order in an mrulist win78 10 recycle bin description the recycle bin is a very important location on a windows. Opensubkeysoftware\microsoft\windows\currentversion\explorer\userassist.
The userassist utility displays a table of programs executed on a windows machine, complete with running count and last execution date and time. Within userassist, you will find a few guid keys that each have a corresponding count key. Windows explorer maintains this information in the userassist registry entries. View of windows registry showing information parsed by blacklight. Dat\ software \ microsoft \ windows \ currentversion \ explorer \ userassist and found this. All kinds of data is spread across the registry, but a good place to look when you want to forensically gather what was happening within the context of a user session is to look in hkcu\ software \ microsoft \ windows \ currentversion \ explorer \ userassist. Xp pro curious xp registry entries microsoft dslreports. On xp the start menu application usage is stored in hkcu\software\microsoft\windows\currentversion\explorer\userassist75048700ef1f11d09888006097deacf9 but explorer will cache those entries so you can't just delete the key without killing explorer first. Computer account forensic artifact extractor cafae. Decrypt userassist registry entries posted in scripts and functions. Which key in the recentdocs hive contains the sequence in which docs were accessed. Dat\ software \ microsoft \ windows \ currentversion \ explorer \comdlg32\opensavepidimru vista,7,8 identify the specific executable used by an application to open the files documented in the opensavemru. Without the exclamation point prefix, if the runonce operation fails.
It is important to note that these numbers are globally unique and are the same across platforms. Hkcu\ software \ microsoft \ windows \ currentversion \ explorer \ userassist at this location you will find two guid numbers, as shown in the figure. Understanding critical windows artifacts and their. Using a limited set of registry files and references, the respective os and the userassist's guid are as follows. Dat software\microsoft\windows\currentversion\explorer\userassist\ importance to investigators windows contains a number of registry entries under userassist that allows investigators to see what programs were recently executed on a system. Dat software\microsoft\windows\currentversion\explorer\userassist\. Software\microsoft\windows\currentversion\explorer\userassist\guid\count. The value names stored in this key are rot encrypted.
Run and runonce registry keys win32 apps microsoft docs. It will also contain an mrulist which will show the order of these with the first entry being the most recent. So, to move further into the depths and for a better understanding for myself, could this program be why I am having files show up from 4 years ago before or directly after formatting harddrive. The userassist key contains information about the exe files and links that are opened frequently.
Just off the top of my head, those all look legit, but somebody else can probably give you more info. In windows xp, to disable rot encryption in the userassist key, create a new dword in this key and name it noencrypt and assign a value of 1. This key is used to fill up user start menu with the frequently used guibased applications. Dat\software\microsoft\windows\currentversion\explorer\userassist\ guid\count interpretation all values are rot encoded guid for xp 75048700 active desktop guid for win7810. I remember the problem was solved, but as time went on i noticed that some windows explorer features got messed up. I've recently been reworking our windows 7 build image and automating the process. Decrypt userassist entries ask for help autohotkey. Using a limited set of registry files and references, the respective os and the userassist's guid are as follows.
Which encryption algorithm does the userassist registry key use. Let's firstly take a look at what we see in my userassist registry key so we understand what our tool must export and parse and to be able to understand which applications have launched and from where. Windows contains a number of registry entries under userassist that allows. Computer forensics registry locations flashcards quizlet. Chfi chapter 6 operating system forensics flashcards. The 2 issues are that my desktop icon positions are not. The userassist key, a part of microsoft windows registry, records the information. Apr, 2017 blacklight displays information about the operating system including the version of windows and the installation date. Userassistview decrypt and displays the list of all. Thanks lio yes, beginning to sound like more than one cause. Sign up tool that can monitor the userassist registry keys and decode userassist structs in realtime. How can i decrypt the registry entries from userassist, of course without changing anything in the registry. Install a system cleanup tool like ccleaner, say, and its able to delete the userassist keys every time it runs click cleaner, then the windows tab, scroll down to advanced and make sure user assist history is checked. Userassist\cebff5cdace24f4f91789926f41749ea\count registry inspect 12 feb 20.
Decrypt userassist registry entries scripts and functions. The userassist key contains information about the exe files and links that you open frequently. Dat\software\microsoft\windows\currentversion\explorer\userassist\guid\count\. Dat\software\microsoft\windows\currentversion\explorer\userassist and found this. Then I decrypted contents of \count key and it is some kind of history of favorites menu and apparently other customized menus. Toggle wifi radio or airplane mode via command line.
A quick glance at the userassist key in windows windows. The encryption mechanism can be turned off or logging disabled altogether. Dat\ software \ microsoft \ windows \ currentversion \ explorer \ userassist \guid\ count guibased programs launched from the desktop are tracked in the launcher on a windows system. Userassistview decrypt and displays the list of all userassist items. Hkcu\ software \ microsoft \ windows \ currentversion \ explorer \ userassist \5e6ab780774311cfa12b00aa004ae837\ count payload creates icons and desktop links. Sep 21, 2015 hi everyone, I seem to be having 2 issues with windows 10 pro x64 that occur simultaneously. Userassist can also delete the activity list on the current pc commands clear all. By default, the value of a runonce key is deleted before the command line is run. The binaries look like they belong to a compaq computer. If you post an obfuscated email address then I'm happy to send you a. Windows 7 forums is the largest help and support community, providing friendly help and advice for microsoft windows 7 computers such as dell, hp, acer, asus or. Dat\software\microsoft\windows\currentversion\explorer\userassist\ guid\count interpretation all values are rot encoded guid for xp 75048700 active desktop guid.