# UserAssist

{% embed url="https://forensafe.com/blogs/UserAssist.html" %}

{% embed url="https://imphash.medium.com/userassist-with-a-pinch-of-salt-as-an-evidence-of-execution-4dc4e9640a77" %}

### Forensic Value:

* Last Run Time (UTC)
* Run Count
* Application Name
* Focus Time: Total time an application window was active, expressed in milliseconds.
* Focus Count: Total number of times a window was the active window in the GUI.

### File Location:

* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FmlSFcwYBpPfuahZuIs4i%2Fimage.png?alt=media&#x26;token=a2378fba-03a8-4dc4-a174-80b6a2fc7106" alt=""><figcaption></figcaption></figure>

### Parsing Data

Use Registry Explorer for readable output. For analysis at scale, RECmd is the better choice.

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2Frl1kJ9IW4sSaa9valNdK%2Fimage.png?alt=media&#x26;token=61cfd5b6-4452-4602-b84c-c2aadf93a3e4" alt=""><figcaption></figcaption></figure>

### Facts

* CEB GUID tracks application execution, including programs started by:

  * Directly clicking .exe
  * Shell extensions
  * The start menu
  * Double-clicking a document that opens in a viewer (e.g. WordPad).

* F4E GUID tracks LNK file execution.

* Value names are ROT13 encoded.

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2F63htiJJOyspurdMqxAPb%2Fimage.png?alt=media&#x26;token=c7d95498-ca07-4387-b385-76fc91f1dd05" alt=""><figcaption></figcaption></figure>

### Considerations

* Bogus start times usually relate to automatic execution of programs under the current user's context; they do not mean the user explicitly started the program.
* Pathnames can be obscured by a KNOWNFOLDERID GUID standing in for the folder name.

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FUdfFdD70WOiW9bLkg2jP%2Fimage.png?alt=media&#x26;token=c39b0b6a-b9b1-4f86-9c65-247c3d7a6fb1" alt=""><figcaption></figcaption></figure>

* Entries can be added during installation.
* Entries can be added by clicking "Open File Location".
* Run counts and last run times may be missing for programs automatically started by Windows.

<figure><img src="https://3278866189-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fu4e057u3LTRKJEHFetwE%2Fuploads%2FAOdKn5WYU7cK2Hnl1LWU%2Fimage.png?alt=media&#x26;token=a2c54ca4-62c4-4eac-806d-35decf825c0a" alt=""><figcaption></figcaption></figure>
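As an added example (not code from this page or from Registry Explorer/RECmd), the following Python decodes one UserAssist value the way the Facts and Considerations above describe: ROT13 on the value name, the CEB and F4E subkey GUIDs, the Windows 7+ binary layout behind run count, focus count, focus time and last run time, and expansion of a leading KNOWNFOLDERID GUID. The sample value name and data blob are constructed, and the KNOWN_FOLDERS table is a small hand-picked subset of real KNOWNFOLDERID values.

```python
"""Decode a UserAssist value (Windows 7+ layout) from raw registry data."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Well-known UserAssist subkey GUIDs (stored ROT13-encoded in the registry).
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"  # "CEB": programs
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"    # "F4E": LNK files

# A few KNOWNFOLDERID GUIDs that replace folder names in recorded paths.
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "C:\\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "C:\\Program Files (x86)",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "C:\\Windows\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "C:\\Windows",
}

# 72-byte little-endian value layout (Windows 7 and later):
#   0 session   4 run count   8 focus count   12 focus time (ms)
#  16 ten floats (unknown)   56 unknown   60 FILETIME last run   68 unknown
_LAYOUT = struct.Struct("<IIII10fIQI")
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; 0 means never recorded."""
    return None if ft == 0 else _EPOCH + timedelta(microseconds=ft // 10)

def decode_name(rot13_name):
    """ROT13-decode a value name and expand a leading KNOWNFOLDERID GUID."""
    name = codecs.decode(rot13_name, "rot13")
    head, sep, tail = name.partition("\\")
    folder = KNOWN_FOLDERS.get(head.upper())
    return folder + sep + tail if folder else name

def parse_userassist(rot13_name, data):
    if len(data) != _LAYOUT.size:
        raise ValueError(f"expected {_LAYOUT.size} bytes, got {len(data)}")
    f = _LAYOUT.unpack(data)
    return {
        "name": decode_name(rot13_name),
        "run_count": f[1],
        "focus_count": f[2],
        "focus_time_ms": f[3],
        "last_run_utc": filetime_to_utc(f[15]),
    }

# Constructed sample: ROT13 name plus a packed blob, not data from a real system.
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_DATA = _LAYOUT.pack(0, 7, 12, 45000, *([0.0] * 10), 0, 132223104000000000, 0)
```

Run `parse_userassist(SAMPLE_NAME, SAMPLE_DATA)` to see the decoded record; a zero FILETIME is reported as `None` rather than as a bogus 1601 timestamp.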

### Anti-Forensics

* Deletion
