Didier Stevens

Monday 3 September 2007

The New Windows Vista, Now With Less Spying! ;-)

Filed under: Forensics,Reverse Engineering — Didier Stevens @ 5:56

I’m conducting research into the different types of values the UserAssist registry keys can adopt and what user actions cause a particular value to be created/updated. You know, I mean values like UEME_RUNPATH, UEME_RUNPIDL, UEME_UITOOLBAR, …

But this is for an upcoming blogpost. Today, I want to talk about something surprising I found with the UserAssist keys in Windows Vista.

When trying to understand a system, you often acquire valuable insights by comparing the system under scrutiny with slightly different systems. I’ve reported in the past that the UserAssist keys also exist on Windows Vista and that there is an extra Count key. Now, I wanted to find out which new types of values have been added to Windows Vista. I had quite a surprise looking for UEME strings in the browserui.dll of Vista (version 6.0.6000.16386). Contrary to what I expected to find, Microsoft didn’t add new types but removed many existing types. Here are the only UEME strings I found in the Vista DLL:

UEME_RUNPATH
UEME_CTLCUACount:ctor
UEME_CTLSESSION
UEME_RUNPIDL
UEME_RUN

Compare this to all the UEME strings present in the XP DLL (version 6.00.2900.3157):

UEME_CTLCUACount:ctor
UEME_CTLSESSION
UEME_DBSLEEP
UEME_DBTRACE
UEME_DBTRACEA
UEME_DBTRACEW
UEME_DONECANCEL
UEME_DONEFAIL
UEME_DONEOK
UEME_ERROR
UEME_ERRORA
UEME_ERRORW
UEME_INSTRBROWSER
UEME_RUN
UEME_RUNCPLA
UEME_RUNCPLW
UEME_RUNINVOKE
UEME_RUNOLECMD
UEME_RUNPATHA
UEME_RUNPATHW
UEME_RUNPIDL
UEME_RUNWMCMD
UEME_UIHOTKEY
UEME_UIMENU
UEME_UIQCUT
UEME_UISCUT
UEME_UITOOLBAR
UEME_USER

Why do I find this surprising? It’s not often that the functionality of a feature decreases when a new version is released, the opposite is often true. But I assume that some of the values didn’t make sense anymore in the redesigned Start Menu of Windows Vista. Hence the Microsoft programmers cleaned-up their code.

Here’s a little experiment you can try to confirm the removal of the UEME_UITOOLBAR value:

Open an Explorer window on Windows XP SP2 and click on the Search button on the Toolbar. With my UserAssist tool, you can check that an UEME_UITOOLBAR:0x1,123 entry has been added (or updated). 123 is the ID (hexadecimal) of the Search button.

Now on Windows Vista, the ability to customize the layout and buttons on the toolbars has been removed. But try the new search function anyway. No UEME_UITOOLBAR entry will be created. It’s only logical that if you cannot customize the toolbar anymore, the need to collect data about frequently used programs on that same toolbar disappears.

Another experiment you can try is starting a Control Panel Applet, like Power Options. Launch the Power Options control panel. On XP, you’ll see an UEME_RUNCPL entry referencing powercfg.cpl. While on Vista, you’ll see an UEME_RUNPATH entry referencing control.exe. So on Vista, you can still tell the user started a Control Panel Applet, but you’ve lost the ability to tell which one.

Important conclusion for forensic investigators: be aware that less data is collected in the UserAssist keys on Windows Vista than on Windows XP/2003.

Now if you still find other keys on Windows Vista than the 5 I mentioned, I’m interested in hearing from you. But first, check that you’re not dealing with a workstation that has been upgraded from XP to Vista or with a user data migration scheme. Because in such cases, these entries stem from Windows XP and not from Windows Vista.

I’m also working on a new feature for my UserAssist tool. It allows you to select an UserAssist entry and get an explanation, like this:

userassist_explain_1.png

BTW, there are many of the UEME strings I listed for Windows XP, that I’ve never seen in actual UserAssist registry keys. It wouldn’t surprise me that they serve another internal, unknown purpose.

4 Comments »

  1. Great post, Didier! Excellent work!

    Comment by HCarvey — Monday 3 September 2007 @ 11:43

  2. Very nice program!

    If you are looking for suggestions I have one. The first time I tried your program the text was unreadable. This was because ROT13 was turned off.
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings noencrypt was set TRUE.

    Checking this flag or adding a menu item to toggle ROT13 would be helpful in these very unusual cases.

    Comment by Just Looking — Monday 3 September 2007 @ 15:07

  3. I know about the flag, and I’ve documented in my source code that I still have to provide support for it. Probably for next release.

    Comment by Didier Stevens — Tuesday 4 September 2007 @ 15:54

  4. […] looks like the UserAssist entries for Windows Server 2008 have the same format as for Windows Vista, my UserAssist tool can also extract the data from Windows Server […]

    Pingback by Quickpost: Windows Server 2008 UserAssist Keys « Didier Stevens — Tuesday 8 January 2008 @ 21:18


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 244 other followers

%d bloggers like this: