Comments on: Update: UserAssist utility http://blog.didierstevens.com/2006/08/04/update-userassist-utility/ (blog 'DidierStevens) Tue, 09 Mar 2010 09:33:38 +0000 http://wordpress.com/ hourly 1 By: Didier Stevens http://blog.didierstevens.com/2006/08/04/update-userassist-utility/#comment-35107 Didier Stevens Wed, 10 Jun 2009 08:35:09 +0000 https://didierstevens.wordpress.com/2006/08/04/update-userassist-utility/#comment-35107 Yes it will leave traces, the tool is not designed not to leave traces. Yes it will leave traces, the tool is not designed not to leave traces.

]]> By: Ronin Vladiamhe http://blog.didierstevens.com/2006/08/04/update-userassist-utility/#comment-35097 Ronin Vladiamhe Tue, 09 Jun 2009 21:48:50 +0000 https://didierstevens.wordpress.com/2006/08/04/update-userassist-utility/#comment-35097 Actually, looks like your app no longer exists. Actually, looks like your app no longer exists.

]]> By: Ronin Vladiamhe http://blog.didierstevens.com/2006/08/04/update-userassist-utility/#comment-35096 Ronin Vladiamhe Tue, 09 Jun 2009 21:46:04 +0000 https://didierstevens.wordpress.com/2006/08/04/update-userassist-utility/#comment-35096 Question answered, yes, though .NET Framwork 2.0 is required on the pc being UA'd. Will it leave any "traces" when run as a portable app? Question answered, yes, though .NET Framwork 2.0 is required on the pc being UA’d. Will it leave any “traces” when run as a portable app?

]]> By: Ronin Vladiamhe http://blog.didierstevens.com/2006/08/04/update-userassist-utility/#comment-35095 Ronin Vladiamhe Tue, 09 Jun 2009 21:41:43 +0000 https://didierstevens.wordpress.com/2006/08/04/update-userassist-utility/#comment-35095 I've been using UserAssistView (v1.00, NirSoft) for a few months now, and recently came across your app. Can it be used, with its full set of features, from removable media (CD/DVD, USB)? I’ve been using UserAssistView (v1.00, NirSoft) for a few months now, and recently came across your app. Can it be used, with its full set of features, from removable media (CD/DVD, USB)?

]]> By: Jon Meads http://blog.didierstevens.com/2006/08/04/update-userassist-utility/#comment-43 Jon Meads Sun, 20 Aug 2006 21:59:31 +0000 https://didierstevens.wordpress.com/2006/08/04/update-userassist-utility/#comment-43 I can't seem to run the UserAssist program. I installed the .Net Framework, restarted the computer and moved UserAssist to the C: directory (though I'd prefer to have it ona different system. When I double click C:\UserAssist\bin\Release\UserAssist.exe, I see a pointer with an horglass and then nothing. Cheers, jon I can’t seem to run the UserAssist program. I installed the .Net Framework, restarted the computer and moved UserAssist to the C: directory (though I’d prefer to have it ona different system. When I double click C:\UserAssist\bin\Release\UserAssist.exe, I see a pointer with an horglass and then nothing.

Cheers,
jon

]]> By: Didier Stevens http://blog.didierstevens.com/2006/08/04/update-userassist-utility/#comment-32 Didier Stevens Wed, 09 Aug 2006 17:33:25 +0000 https://didierstevens.wordpress.com/2006/08/04/update-userassist-utility/#comment-32 I don't have yet a full understanding of the Session ID, but here's what I discovered: - these obversations apply for the 2 count keys: {5E6AB780-7743-11CF-A12B-00AA004AE837} and {75048700-EF1F-11D0-9888-006097DEACF9} - each count key has its own session ID and appears to work independently from the other - each time an entry with 16 bytes of binary data is created or updated, the 4 first bytes are set equal to the 4 last bytes of the binary data of the UEME_CTLSESSION entry. Thats why I call those numbers session IDs. - example: you launch notepad, the session ID of UEME_CTLSESSION is 123, then the session ID for the notepad entry will be 123 - the session ID in UEME_CTLSESSION appears to increase each day with 1 (each day you use your computer) - after you've delete all entries and restarted Windows Explorer, the UEME_CTLSESSION entries are created with session IDs equal to 0 - the 4 first bytes of the binary data of the UEME_CTLSESSION entry is also a timestamp, but of anoher format which I've still to understand (it appears to count in units of 53.69 seconds). Hope this makes sense I don’t have yet a full understanding of the Session ID, but here’s what I discovered:

- these obversations apply for the 2 count keys: {5E6AB780-7743-11CF-A12B-00AA004AE837} and {75048700-EF1F-11D0-9888-006097DEACF9}
- each count key has its own session ID and appears to work independently from the other
- each time an entry with 16 bytes of binary data is created or updated, the 4 first bytes are set equal to the 4 last bytes of the binary data of the UEME_CTLSESSION entry. Thats why I call those numbers session IDs.
- example: you launch notepad, the session ID of UEME_CTLSESSION is 123, then the session ID for the notepad entry will be 123
- the session ID in UEME_CTLSESSION appears to increase each day with 1 (each day you use your computer)
- after you’ve delete all entries and restarted Windows Explorer, the UEME_CTLSESSION entries are created with session IDs equal to 0
- the 4 first bytes of the binary data of the UEME_CTLSESSION entry is also a timestamp, but of anoher format which I’ve still to understand (it appears to count in units of 53.69 seconds).

Hope this makes sense

]]> By: keydet89 http://blog.didierstevens.com/2006/08/04/update-userassist-utility/#comment-31 keydet89 Wed, 09 Aug 2006 01:11:01 +0000 https://didierstevens.wordpress.com/2006/08/04/update-userassist-utility/#comment-31 Cool tool! What's the offset to the session ID, and do you know what that maps to? I wrote some scripts for ProDiscover that parse this info, and I'd like to add this to them... Thanks, Harlan Cool tool! What’s the offset to the session ID, and do you know what that maps to? I wrote some scripts for ProDiscover that parse this info, and I’d like to add this to them…

Thanks,

Harlan

]]>