Remember that the UserAssist keys are encrypted with ROT13?
In Windows 7 Beta, not anymore! Weak ROT13 crypto has been replaced with “stronger” Vigenère crypto!
The Vigenère key I found through some basic cryptanalysis is BWHQNKTEZYFSLMRGXADUJOPIVC.
To the Microsoft developer who designed this: great joke! You really made me laugh. Seriously. 😎
And I thought Easter Eggs were banned in Microsoft products. Maybe you don’t think of it as an Easter Egg, but as a programmer, I do. 😉
Didier Stevens 
Thanks for posting this. I wonder if the key is the same for all systems or is uniquely generated. I don’t have Windows 7 yet. Did you use known plaintext, frequency analysis or magic to figure this out?
Comment by Dave Hull — Sunday 18 January 2009 @ 23:27
Through observation and some directed testing.
The key was the same for 2 different user accounts on the same machine. I’ll have to do more testing.
Comment by Didier Stevens — Sunday 18 January 2009 @ 23:34
This is the sort of thing i enjoy reading on a Sunday :-).
Perhaps it’s an textbook example on how the money is not made by fixing the issues, rather on iteratively improving the situation ever so slightly.
Comment by Pondo — Monday 19 January 2009 @ 0:08
Great work, Didier! I took a look at the UserAssist key last week and saw that…great job figuring out what MS had done…
Comment by keydet89 — Monday 19 January 2009 @ 10:14
Okay, I think I’ve worked up a method in Perl for decoding these…using the UserAssist entries from the Win7 VM from BitTorrent, it appears that the key you found is consistent across…well…two installations so far…
Comment by keydet89 — Monday 19 January 2009 @ 11:39
Thanks for the info keydet89! A common key for all installations and users would be the easiest to implement, and also for us to decode.
Comment by Didier Stevens — Monday 19 January 2009 @ 12:05
Great find Didier!!
I can also confirm your key is universal, as verified from my installs of Win7beta downloaded from MS(see below)
BWH QNKTEZY FSLMRGX ADUJOPIVC (KEY to test)
D:\Mvxwsvq\jpsvjft.ygs (Exported Win7 Beta – Encrypted UserAssist)
B W H Q N K T E Z Y F S L M R G X A D U J O (Key Match)
C : \ W I N D O W S \ r e g e d i t . e x e (Key Decode)
Nejhbchjs.Baypfcp.PymwpKzpuay (Exported Win7 Beta – Encrypted UserAssist)
B W H Q N K T E Z Y F S L M R G X A D U J O P I V C B W H (Key Match)
M I C R O S O F T . W I N D O W S . M E D I A C E N T E R (Key Decode)
D:\Mvxwsvq\kjekkj32\vgeidpu.lnr (Exported Win7 Beta – Encrypted UserAssist)
B W H Q N K T E Z Y F S L M R G X A D U J O P I V C B W H Q N (Key Match)
C : \ W I N D O W S \ S Y S T E M 3 2 \ M S P A I N T . E X E (Key Decode)
VATU_MMPRCXKTAE (Exported Win7 Beta – Encrypted UserAssist)
B W H Q N K T E Z Y F S L M R (Key Match)
U E M E _ C T L S E S S I O N (Key Decode)
Comment by SLEONE — Monday 19 January 2009 @ 19:37
Yes, the key is universal, at least for this beta version.
Anyway, even if Microsoft moves from Vigenère to something better, the decryption will always be possible. Windows needs to decrypt and use this all the time – to compile the most used programs list, for example.
A very nice finding indeed.
Congrats from Brazil,
Sandro Süffert
Comment by Sandro Suffert — Monday 19 January 2009 @ 20:59
I wonder if this is part of an encrypted MS Bob binary…
http://technet.microsoft.com/en-us/magazine/2008.07.windowsconfidential.aspx
Comment by Scott — Tuesday 20 January 2009 @ 1:29
[…] Windows 7 — Didier Stevens @ 8:41 I asked Steve Riley if he has inside information on the move from ROT13 to Vigenère for the UserAssist keys. It’s part of the beta program, to test upgrades. The final version of Windows 7 and Windows […]
Pingback by Quickpost: Vigenère Is Beta-Only « Didier Stevens — Thursday 29 January 2009 @ 8:41
[…] And I’ll be posting a new version to support the new UserAssist registry key format of Windows 7 and Windows 2008 R2. […]
Pingback by Update: UserAssist Tool Version 2.4.3 « Didier Stevens — Tuesday 11 August 2009 @ 16:07
Hi
I would really like to know what the joke is in the key. Programming is just too clver for me
Comment by Quentin — Monday 19 August 2013 @ 1:59
@Quentin Vigenère is a slightly improved cipher compared to ROT-13, but it still offers no real confidentiality. That’s the joke.
Comment by Didier Stevens — Saturday 24 August 2013 @ 11:45