UserAssist

Per-user record of GUI-based program execution, stored in the user's NTUSER hive.

Forensic Value:

  • Last Run Time (UTC)

  • Run Count

  • Application Name

  • Focus Time: Total time an application window was active, expressed in milliseconds.

  • Focus Count: Total number of times a window was the active window in the GUI.

File Location:

  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Parsing Data

Use Registry Explorer for readable output. For scalable analysis across many hives, RECmd is best.

Facts

  • The CEB GUID subkey tracks application execution, including:

    • Directly clicking .exe

    • Shell extensions

    • The start menu

    • Double clicking a document that opens in a viewer (e.g. WordPad).

  • The F4E GUID subkey tracks LNK file execution.

  • Value names are ROT13 encoded.
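
Added example (not from the original notes): a small parser for one UserAssist value as found under the CEB or F4E subkey on Windows 7 and later, showing the ROT13 name decoding and how Run Count, Focus Count, Focus Time and Last Run Time (UTC) are pulled from the 72-byte value data. The sample value name and data are constructed; the full subkey GUIDs and the 72-byte layout are assumed from published forensic references.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Full GUIDs of the "CEB" (executables) and "F4E" (LNK files) subkeys named in the notes.
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_LNK_FILES = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"

# Offsets within the 72-byte Windows 7+ value data (assumed layout).
_RUN_COUNT_OFS = 4      # uint32
_FOCUS_COUNT_OFS = 8    # uint32
_FOCUS_TIME_OFS = 12    # uint32, milliseconds
_LAST_RUN_OFS = 60      # uint64 FILETIME
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_name(rot13_name):
    """Value names are ROT13; digits, braces and backslashes pass through unchanged."""
    return codecs.decode(rot13_name, "rot_13")

def filetime_to_utc(ft):
    """FILETIME is 100ns ticks since 1601-01-01 UTC; 0 means the program was never run via the GUI."""
    if ft == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_entry(rot13_name, data):
    """Return the forensic fields of one UserAssist value (name is ROT13, data is the raw REG_BINARY)."""
    if len(data) != 72:
        raise ValueError("expected 72-byte Windows 7+ UserAssist value, got %d bytes" % len(data))
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, _RUN_COUNT_OFS)
    (last_run_ft,) = struct.unpack_from("<Q", data, _LAST_RUN_OFS)
    return {
        "name": decode_name(rot13_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_run_utc": filetime_to_utc(last_run_ft),
    }

# Constructed sample: a value as it might appear under GUID_EXECUTABLES. The path prefix is the
# KNOWNFOLDERID GUID for Program Files (x64), the obscured form mentioned under Considerations.
SAMPLE_NAME = codecs.encode("{6D809377-6AF0-444B-8957-A3773F02200E}\\Tools\\app.exe", "rot_13")
SAMPLE_DATA = (struct.pack("<IIII", 0, 7, 3, 45000) + b"\x00" * 44
               + struct.pack("<Q", 132223104000000000) + b"\x00" * 4)  # FILETIME = 2020-01-01 00:00 UTC

if __name__ == "__main__":
    print(parse_entry(SAMPLE_NAME, SAMPLE_DATA))
```

On a live hive the same fields can be read with RECmd or Registry Explorer; the parser above is only meant to make the encoding and byte layout explicit.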

Considerations

  • Bogus run times usually indicate programs launched automatically under the current user's context; they do not mean the user explicitly started the program.

  • Pathnames can be obscured by a KNOWNFOLDERID GUID standing in for the folder path.

  • Entries can be added during installation.

  • Entries can be added by clicking "Open File Location".

  • Run counts and last run times are missing for programs started automatically by Windows.

Anti-Forensics

  • Deletion
