UserAssist
Purpose and Function
The UserAssist artifact is a set of registry keys within each user's profile that functions as a Most Recently Used (MRU) list for applications launched through the Windows graphical shell (e.g., via the Start Menu, Desktop, or Explorer). Its primary system purpose is to populate lists of frequently used programs, helping to personalize the user experience.
From a DFIR perspective, UserAssist is a valuable source of evidence for tracking which GUI-based applications a specific user has launched, how many times they have launched them, and when they were last executed. It provides a user-centric view of program execution history.
Location and Structure
UserAssist data is stored within the current user's NTUSER.DAT registry hive. It can also be found in UsrClass.dat on newer Windows versions.
Location:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
Within this key, there are typically two or more subkeys, each identified by a Globally Unique Identifier (GUID). Each GUID corresponds to a different type of program or shortcut:
{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}: Tracks the execution of .exe files and system items.
{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}: Tracks the execution of .lnk (shortcut) files.
Inside each GUID key is a Count subkey. The Count key contains a series of registry values where the actual forensic data is stored.
Data Encoding and Stored Metadata
A defining characteristic of UserAssist is that its data is encoded using the ROT-13 cipher, a simple letter substitution cipher. The names of the registry values are the ROT-13 encoded paths or names of the executed programs. Specialized forensic tools are required to decode this data into a human-readable format.
Once decoded, each UserAssist entry provides the following metadata:
Executable/Shortcut Name: The name of the program or shortcut that was launched. This can include full paths for items launched from specific locations.
Run Count: A counter that tracks the total number of times the program has been executed by the user.
Last Execution Timestamp: A FILETIME timestamp indicating the date and time the program was last launched.
Focus Time/Count (Windows 10+): Newer versions of Windows may also track the amount of time the application was in the foreground (had focus) and the number of times it gained focus.
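The following is an added example, not code from the original page: it decodes a UserAssist value name with ROT-13 and unpacks the binary Count data into the run count, focus count, focus time and FILETIME last-execution timestamp described above. The 72-byte layout is the one Windows 7 and later write; the 16-byte Windows XP layout is also handled, which goes beyond what the page describes. The value name and data bytes are constructed for the demonstration, not captured from a real host, and the path under C:\Users\alice is an assumption.

```python
"""
Added example (not from the original page): decode a UserAssist Count value.
The sample entry at the bottom is constructed in code, not taken from a system.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# GUIDs named on the page; both use the same Count value layout.
GUID_EXE = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_LNK = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"

# FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(value_name: str) -> str:
    """Value names are ROT-13; digits, punctuation and backslashes pass through unchanged."""
    return codecs.decode(value_name, "rot_13")


def filetime_to_datetime(ft: int):
    """Convert a 64-bit FILETIME to an aware UTC datetime; 0 means no timestamp was recorded."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_entry(value_name: str, data: bytes) -> dict:
    """
    Parse one Count value. Windows 7+ entries are 72 bytes, little-endian:
      0x00 uint32   unknown / session
      0x04 uint32   run count
      0x08 uint32   focus count
      0x0C uint32   focus time in milliseconds
      0x10 10 x f32 (not needed here)
      0x38 uint32   unknown
      0x3C FILETIME last execution
      0x44 uint32   unknown
    Windows XP entries are 16 bytes: session, run count (stored starting at 5), FILETIME.
    """
    entry = {"name": decode_name(value_name)}
    if len(data) == 72:
        run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
        (last_run_ft,) = struct.unpack_from("<Q", data, 60)
        entry.update(
            run_count=run_count,
            focus_count=focus_count,
            focus_time_s=focus_ms / 1000,
            last_run_utc=filetime_to_datetime(last_run_ft),
        )
    elif len(data) == 16:
        _session, raw_count, last_run_ft = struct.unpack("<IIQ", data)
        entry.update(
            run_count=max(raw_count - 5, 0),  # XP counter starts at 5
            focus_count=None,
            focus_time_s=None,
            last_run_utc=filetime_to_datetime(last_run_ft),
        )
    else:
        raise ValueError(f"unexpected UserAssist data length: {len(data)} bytes")
    return entry


def build_sample_entry() -> tuple:
    """Construct a Windows 7+ style value (name and data) so the parser can be run offline."""
    plain_name = r"C:\Users\alice\Desktop\vape.exe"          # assumed path, constructed
    value_name = codecs.encode(plain_name, "rot_13")          # what the registry would hold
    last_run = datetime(2024, 3, 15, 18, 30, tzinfo=timezone.utc)
    data = bytearray(72)
    struct.pack_into("<III", data, 4, 37, 12, 845_000)        # run count, focus count, focus ms
    struct.pack_into("<Q", data, 60, datetime_to_filetime(last_run))
    return value_name, bytes(data)


def parse_sample() -> dict:
    """Parse the constructed sample; this is what a forensic tool shows for one Count value."""
    value_name, data = build_sample_entry()
    return parse_entry(value_name, data)


if __name__ == "__main__":
    for key, value in parse_sample().items():
        print(f"{key:>13}: {value}")
```

When applied to a real Count key, each value name is decoded the same way and the data bytes are read from the registry value; a run count of 37 with 845 seconds of focus time, as in the constructed sample, is the kind of pattern that contradicts a "ran it once by accident" explanation.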
Forensic Value
UserAssist is a powerful artifact for building a profile of a user's application usage. Its forensic value is significant for several reasons:
User-Specific Evidence: The data is stored in the user's private registry hive, directly linking program execution to a specific user account. This is critical in multi-user environments.
Historical Timeline: It provides a historical record of application launches, including a run count that can help establish patterns of use over time.
Proof of Execution: It serves as direct evidence that a user launched a specific GUI-based application, complementing other artifacts like Prefetch and BAM.
Detection of Anti-Forensics: The UserAssist keys are a common target for cleanup utilities (e.g., CCleaner) and manual deletion. Finding these keys empty on a system that is clearly in regular use, or finding evidence of their recent deletion (e.g., via a forensic registry parser), is a strong indicator of an attempt to cover tracks.
It is important to note that UserAssist primarily tracks programs launched through the GUI. Applications launched solely via the command line may not create an entry.
Reflection points (SS Contest)
For a ScreenSharer, UserAssist provides crucial context about a user's habits and can corroborate findings from other execution artifacts.
Corroborating Evidence: If Prefetch and BAM show the execution of a suspicious .exe, finding a corresponding entry in UserAssist strengthens the case by confirming the launch was initiated through the GUI, directly linking it to the user's actions.
Run Count as an Indicator: A high run count on a known cheat or suspicious tool can undermine claims that it was "run once by accident." It demonstrates a pattern of repeated use.
Tracking Renamed Cheats: UserAssist logs the name of the executable at the time of execution. If a cheater runs vape.exe and then renames it to homework.exe, the UserAssist entry will still point to vape.exe, preserving the original name.