Didier Stevens

Saturday 8 September 2007

Disabling UserAssist Logging for Windows Vista

Filed under: Forensics,Reverse Engineering — Didier Stevens @ 20:14

For Windows XP, there is a secret trick to disable the creation of entries under the UserAssist registry keys: under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, create a key named Settings, and under this new key create a DWORD value named NoLog with value 1. My UserAssist tool has a menu toggle (Logging disabled) to do this easily.

I call this a secret, because there is no official Microsoft documentation about this key, but of course, there are many pages on the Web about this switch.

This switch doesn’t work with Windows Vista. For Vista, you have to set the following registry value to 0 to disable logging:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs

But now, it’s not a secret anymore. Open the properties of the Start Menu:

[Screenshot: userassist-privacy.png, the Start Menu properties dialog]

The “Store and display a list of recently opened programs” checkbox allows you to toggle this Start_TrackProgs registry value.

As on Windows XP, changing this switch only takes effect after Windows Explorer is restarted.
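When examining a machine, it is useful to know whether either of these two switches has been set, since a disabled UserAssist log is itself worth noting. The script below is an added example, not code from this post or from the UserAssist tool: the function name and its -Root parameter are my own, while the registry paths and value names are the ones given above. It reports the raw values and whether each switch, as described for XP and for Vista, currently disables logging; a value that is absent is treated as logging enabled.

```powershell
# Added example (not part of the original post): report the state of the
# two UserAssist logging switches described above.
# -Root defaults to the current user; pass 'Registry::HKEY_USERS\TempHive'
# after loading another user's NTUSER.DAT with "reg load HKU\TempHive ..."
# to check a hive offline (assumed usage, the post only covers HKCU).
function Get-UserAssistLoggingState {
    param([string]$Root = 'HKCU:')

    $explorer = Join-Path $Root 'Software\Microsoft\Windows\CurrentVersion\Explorer'
    $xpKey    = Join-Path $explorer 'UserAssist\Settings'   # XP switch lives here
    $vistaKey = Join-Path $explorer 'Advanced'              # Vista switch lives here

    # Windows XP: Settings\NoLog = 1 disables logging. A missing key or value
    # produces a non-terminating error that we silence, leaving $null.
    $noLog = (Get-ItemProperty -Path $xpKey -Name NoLog `
                  -ErrorAction SilentlyContinue).NoLog

    # Windows Vista: Advanced\Start_TrackProgs = 0 disables logging; this is the
    # value behind the "Store and display a list of recently opened programs"
    # checkbox in the Start Menu properties.
    $trackProgs = (Get-ItemProperty -Path $vistaKey -Name Start_TrackProgs `
                       -ErrorAction SilentlyContinue).Start_TrackProgs

    # $null -eq 1 and $null -eq 0 are both $false in PowerShell, so an absent
    # value is reported as "logging not disabled by this switch".
    [pscustomobject]@{
        Root                   = $Root
        NoLog                  = $noLog
        Start_TrackProgs       = $trackProgs
        XpSwitchDisablesLog    = ($noLog -eq 1)
        VistaSwitchDisablesLog = ($trackProgs -eq 0)
    }
}

# Usage: check the interactive user's own hive.
Get-UserAssistLoggingState | Format-List
```

Only the switch that matches the Windows version actually matters: on Vista the NoLog value is ignored even if present, and on XP Start_TrackProgs is not consulted, so read the two flags in the output together with the OS version of the system you are looking at.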

4 Comments »

  1. […] I didn’t do this for the UserAssist Vista post. I wanted to get this post out before my holiday, but should I have postponed it, I would have […]

    Pingback by Update: Disabling UserAssist Logging for Windows Vista « Didier Stevens — Tuesday 25 September 2007 @ 8:02

  2. What Win OS’s does UserAssist work under?

    Comment by Ronin Vladiamhe — Monday 1 June 2009 @ 20:15

  3. My UserAssist tool requires the .NET framework 2.0. The UserAssist registry keys appeared in Windows 2000.
    The format of the keys has changed in Windows 7 and Windows 2008 R2. As I’ve got news from Steve Riley (back then still working for Microsoft) that the format of the keys in the beta versions is still not fixed, I’ve not updated my tool for Windows 7 and Windows 2008 R2.

    Comment by Didier Stevens — Tuesday 2 June 2009 @ 8:34

