Didier Stevens

Monday 18 September 2006

A Windows Live CD plugin for my UserAssist utility

Filed under: Reverse Engineering — Didier Stevens @ 15:24

I’ve published a BartPE plugin for my UserAssist utility; you can download it here (https, MD5 D43E519B7BCE90F31EB54884E7AA75C1 DE9D576C0F5FF8D33E039A5064BD8AFF). And I’m posting another movie.

Windows Live CDs are a popular troubleshooting and forensic investigation tool: they allow you to boot a (Windows) PC from a CD. Bart Lagerweij developed BartPE, a tool to create a Windows Live CD (a Windows “pre-install” environment CD), and several people have built their own tools on top of his work. The Ultimate Boot CD for Windows is based on BartPE.

BartPE has an open architecture: you can integrate your own tools by writing a dedicated plugin. My UserAssist utility uses the Microsoft .NET Framework 2.0, which BartPE does not support out of the box. You need to add Colin Finck’s Microsoft .NET Framework 2.0 plugin to the Ultimate Boot CD for Windows plugins before you can use my plugin.

You add plugins to the Ultimate Boot CD for Windows with the Plugins dialog:

[Screenshot: plugins.PNG, the Plugins dialog]

Afterwards you build your own Ultimate Boot CD for Windows (you have to provide your own licensed Windows XP SP2 CD).

The UserAssist utility is located in the Programs/Forensics menu (when you boot from the CD):

[Screenshot: screenshot.png, the Programs/Forensics menu]

At startup, the UserAssist utility displays the activity of the current user. This is of course not useful on a Live CD, because the profile of the Live CD’s current user is not persisted.

Before you can import a user’s data into UserAssist, you have to load that user’s NTUSER.DAT registry hive in RegEdit and export it to a .reg file (I plan to add a feature to UserAssist that automates this task).

[Screenshot: userassist.PNG, the UserAssist utility]
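The export-then-import step above works because UserAssist stores its value names ROT13-encoded and, on Windows XP, each value is a 16-byte record of session id, run counter and last-run FILETIME. As an added example (not part of this post or of the UserAssist utility), this Python script parses such a .reg export of the loaded hive and decodes those records; the hive being loaded as HKEY_USERS\Employee, the 16-byte XP layout and the counter offset of 5 are assumptions, and the sample export is constructed.

```python
import codecs, re, struct
from datetime import datetime, timedelta, timezone
UA_COUNT_KEY = re.compile(r"^\[(.*\\UserAssist\\\{[0-9A-Fa-f-]+\}\\Count)\]$")
HEX_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex:(.*)$')

def decode_xp_value(data):
    """Assumed XP layout: uint32 session, uint32 counter, FILETIME of the last run.
    XP keeps the counter offset by 5 (assumption, see lead-in); a zero FILETIME
    means the program was never run. Vista and later use a longer layout."""
    if len(data) != 16:
        return (None, None, None)
    session, counter, filetime = struct.unpack("<IIQ", data)
    last_run = None
    if filetime:
        last_run = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return (session, max(counter - 5, 0), last_run)

def parse_userassist_reg(text):
    """Yield (key, program, session, run_count, last_run) for each value under a
    UserAssist Count key in a .reg export (open the file with encoding='utf-16')."""
    lines = text.splitlines()
    key, i = None, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        if line.startswith("["):
            m = UA_COUNT_KEY.match(line)
            key = m.group(1) if m else None     # values of other keys are skipped
            continue
        m = HEX_VALUE.match(line) if key else None
        if not m:
            continue
        name, hexpart = m.group(1), m.group(2)
        while hexpart.rstrip().endswith("\\"):   # RegEdit wraps long data with '\'
            hexpart = hexpart.rstrip()[:-1] + lines[i].strip()
            i += 1
        data = bytes(int(h, 16) for h in hexpart.split(",") if h.strip())
        name = name.replace('\\"', '"').replace("\\\\", "\\")   # undo .reg escaping
        yield (key, codecs.decode(name, "rot13"), *decode_xp_value(data))

# Constructed sample of a RegEdit export of the NTUSER.DAT hive loaded as
# HKEY_USERS\Employee; the program, counter and timestamp are made up.
_FT = (1158593040 + 11644473600) * 10_000_000   # 2006-09-18 15:24:00 UTC as FILETIME
_FT_HEX = ",".join(f"{b:02x}" for b in struct.pack("<Q", _FT))
SAMPLE_REG = f'''Windows Registry Editor Version 5.00
[HKEY_USERS\\Employee\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{75048700-EF1F-11D0-9888-006097DEACF9}}\\Count]
"HRZR_EHACNGU:P:\\\\Jvaqbjf\\\\flfgrz32\\\\pnyp.rkr"=hex:01,00,00,00,08,00,00,00,\\
  {_FT_HEX}
"HRZR_EHACVQY:%pfvqy2%\\\\Abgrcnq.yax"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
'''
```

Run `list(parse_userassist_reg(SAMPLE_REG))` to get the decoded rows; for a real export, read the file with `encoding="utf-16"` first.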

I’ve tested my plugin with the Ultimate Boot CD for Windows, not with BartPE.

There’s a movie here on YouTube, or in high resolution (XviD) here, showing you how to do this for the user Employee.

8 Comments »

  1. What I want to do on my blog, is every few hours take the oldest post and move it to the
    front of the queue, all automatically. Anyone know if there is a plugin that can do this or
    a simple way to set up another plugin to do this (use my own feed perhaps)?
    Thanks.

    Comment by Joshua — Tuesday 12 December 2006 @ 21:00

  2. […] Update: A Windows Live CD plugin for my UserAssist utility Filed under: Forensics, My Software — Didier Stevens @ 8:16 I noticed that I forget to update the Windows Live CD plugin for UserAssist. […]

    Pingback by Update: A Windows Live CD plugin for my UserAssist utility « Didier Stevens — Monday 28 January 2008 @ 8:16

  3. Where can I get another plugin, such as Google Chrome, Office, or antivirus?

    Comment by Fryz — Tuesday 19 May 2009 @ 13:33

  4. No idea, I would start to look on the UBCD4WIN site.

    Comment by Didier Stevens — Tuesday 19 May 2009 @ 16:51

  5. I get ‘de9d576c0f5ff8d33e039a5064bd8aff’ for userassist.cab.

    You say D43E519B7BCE90F31EB54884E7AA75C1

    Comment by Lowell Anderson — Wednesday 23 December 2009 @ 16:52

  6. There is an update: http://blog.didierstevens.com/2008/01/28/update-a-windows-live-cd-plugin-for-my-userassist-utility/

    That’s why the hash has changed. Usually I include a version number in the file name, but I forgot to do this here. Anyways, DE9D576C0F5FF8D33E039A5064BD8AFF is the hash of the new version.

    Comment by Didier Stevens — Wednesday 23 December 2009 @ 18:18

  7. The link is faulty. Instead of /userassist.cab try /UserAssist.cab

    Comment by Anonymous — Monday 20 May 2013 @ 18:28

  8. Fixed.

    Comment by Didier Stevens — Sunday 26 May 2013 @ 10:08
