search

UserAssist

Per user GUI-based execution.

LogoUserAssist Blogforensafe.comchevron-right
LogoUserAssist — with a pinch of Salt — As an “Evidence of Execution”Mediumchevron-right

hashtag
Forensic Value:

  • Last Run Time (UTC)

  • Run Count

  • Application Name

  • Focus Time: Total time an application window was active, expressed in miliseconds.

  • Focus Count: Total number of times a window was the active window in the GUI.

hashtag
File Location:

  • NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

hashtag
Parsing Data

Use Registry Explorer for nice output. For scalable analysis RECmd is best.

hashtag
Facts

  • CEB GUID tracks application execution.

    • Directly clicking .exe

    • Shell extensions

    • The start menu

    • Double clicking document leading to a viewer (wordpad).

  • F4E GUID tracks LNK file execution.

  • ROT 13 encoded

hashtag
Considerations

  • Bogus start times usually relate to automatic execution of programs under the current user context. Does not mean user explicitly started the program.

  • Pathnames can be obscured with KNOWNFOLDERID name.

  • Entries can be added during installation.

  • Entries can be added by clicking "Open File Location"

  • Missing run counts and last run time for programs automatically started by Windows.

hashtag
Anti-Forensics

  • Deletion

PreviousMUICacheNextSRUM

Last updated