Didier Stevens

Tuesday 16 October 2007

UserAssist V2.4.1

Filed under: Forensics,My Software — Didier Stevens @ 6:36

The most important feature of this new UserAssist version is the explain command. Now you can right-click an entry, select explain and get a nice explanation for the selected entry, like this:

[Screenshot: userassist_explain_1.png]

I’ve spent some time researching all the different types of values the UEME strings can have and how they relate to user actions. The explain function contains everything I discovered. The source code for this feature is a prototype; I developed it as I discovered the logic behind the UEME strings, so it is not a clean design, and I plan to rewrite it once I get the full picture. Of course, this design is hidden from you as a user and you need not care about it.

The Logging Disabled switch is OS-aware (Windows XP, 2003 and Vista).

And the last new feature of this version is support for cleartext UserAssist entries (i.e. entries that are not ROT13 encoded). BTW, Windows Vista doesn’t support the NoEncrypt setting.
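As an added illustration (not the UserAssist tool’s own code), here is a small Python sketch of the two name forms the post mentions, ROT13-encoded and cleartext, with an explain-style lookup for a few UEME types; the wording in UEME_TYPES and the 16-byte XP/2003 value layout (session, raw counter, FILETIME) are assumptions of this example.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

UEME_PREFIX = "UEME_"  # every decoded UserAssist value name starts with this

# Short explanations for a few UEME types; an assumed subset, not the tool's table.
UEME_TYPES = {
    "UEME_RUNPATH": "program started by path",
    "UEME_RUNPIDL": "item started via shell PIDL (e.g. from the Start menu)",
    "UEME_CTLSESSION": "session counter (no target)",
}

def decode_name(name):
    """Return (decoded name, was_rot13); accepts ROT13 and cleartext entries."""
    if name.startswith(UEME_PREFIX):          # cleartext form (NoEncrypt set)
        return name, False
    decoded = codecs.decode(name, "rot13")    # the usual ROT13-obfuscated form
    if decoded.startswith(UEME_PREFIX):
        return decoded, True
    raise ValueError("not a UserAssist entry: %r" % name)

def explain(name):
    """Plain-language description of one entry, in the spirit of 'explain'."""
    decoded, _ = decode_name(name)
    kind, _, target = decoded.partition(":")
    what = UEME_TYPES.get(kind, "unknown UEME type %s" % kind)
    return "%s: %s" % (what, target) if target else what

def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime; 0 means never."""
    if ft == 0:
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def pack_xp_value(session, count, filetime):
    """Build the assumed 16-byte XP/2003 value layout (for constructed samples)."""
    return struct.pack("<IIQ", session, count, filetime)

def parse_xp_value(data):
    """Assumed XP/2003 layout: DWORD session, DWORD raw counter, FILETIME last run."""
    session, count, ft = struct.unpack("<IIQ", data[:16])
    return {"session": session, "count": count, "last_run": filetime_to_datetime(ft)}

if __name__ == "__main__":
    # Constructed sample: ROT13 of "UEME_RUNPATH:C:\Windows\notepad.exe", 7 runs.
    sample_name = "HRZR_EHACNGU:P:\\Jvaqbjf\\abgrcnq.rkr"
    sample_data = pack_xp_value(1, 7, 116444736000000000)  # FILETIME of 1970-01-01
    print(explain(sample_name), parse_xp_value(sample_data))
```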

This version was also tested on Windows 2003; I didn’t notice a difference from Windows XP, but I must admit the testing was limited.

And I would like to test it on Windows 2008 while attending Microsoft IT Forum.

3 Comments »

  1. [...] UserAssist V2.4.1 [...]

    Pingback by Liquidmatrix Security Digest » Security Briefing: October 17th — Wednesday 17 October 2007 @ 10:39

  2. Thanks, Didier, for making a very useful tool even better! It seems to work fine on Vista systems, loading the dat file. A suggestion is to set an option or just allow the program to load without scanning the local registry. I always use UA to interpret an exported hive, so it would be handier to open the app and choose a file. Thanks!

    Comment by Jimmy Weg — Monday 5 November 2007 @ 2:35

  3. I’ll include this suggestion in a new version.

    Comment by Didier Stevens — Monday 5 November 2007 @ 21:48

