Didier Stevens

Wednesday 21 October 2009

A Windows 7 Launch Party Trick!

Filed under: Entertainment,Forensics,My Software,Windows 7 — Didier Stevens @ 17:19

In search of a new trick for that Windows 7 Launch Party you’re invited to? ;-)

Here’s one:

20091021-190621

You can download a beta version of my UserAssist tool here. Soon I’ll be posting a final version with details and source code.

24 Comments »

  1. Hello,

    This is a nice tool upgrade. Anyway, if the user is being hack and the hacker is exploring the windows explorer of the target, can it be detected that another user is using it so when it comes to investigation at least we can somehow separate a legitimate action from the legitimate user?

    Comment by Yaggi — Friday 6 November 2009 @ 3:48

  2. If it’s done with the same user account, no.

    Comment by Didier Stevens — Friday 6 November 2009 @ 14:28

  3. Thanks Didier for the clarification. Is this idea an opportunity for this tool to evolved and can be used for forensic evidence (one way of identfyig it would be abnormal operation of a certain account that can be flag by this tool)?

    I understand its a long way to go but Im excited that this tool would grow for the IT community forensic tool.

    Comment by Yaggi — Saturday 7 November 2009 @ 2:36

  4. […] forget to use the special version of my UserAssist tool on Windows 7 and Windows Server 2008 R2. Possibly related posts: (automatically generated) Leave […]

    Pingback by New Format for UserAssist Registry Keys « Didier Stevens — Monday 4 January 2010 @ 15:30

  5. Hy there! First off: thanks for your great work & effort! Very nice and helpful forensic tool.
    Have to point something out:

    Perhaps you can give explanations for the different counters: that the “Counter” table lists the number of times the application was launched in this Windows session (= since the last reboot) and the “Focus counter” table lists the overall application startups (= since the first Windows boot after install).

    Am I right with these assumption?
    Thanks in advance.

    Comment by Napo — Sunday 14 February 2010 @ 16:55

  6. @Napo: it’s slightly different. I’ve written an article that explains this in detail: http://blog.didierstevens.com/2010/01/04/new-format-for-userassist-registry-keys/

    Comment by Didier Stevens — Sunday 14 February 2010 @ 17:04

  7. Hey there,

    I’m writing to inquire as to the availability of the source code of your new UserAssist tool. I’m currently working on a project deploying Windows 7 and I’ve been tasked with prepopulating the MFU list on the start menu and before finding this site had almost completely decyphered the new format, but I’m against a wall here and just need a piece or two to knock this thing out. Is there any chance this code will be available soon? or I could get the parsing/setting function for the new format?

    Comment by Micah Rowland — Thursday 1 April 2010 @ 2:52

  8. Any chance we can get the source code for v2.5? BTW, I really enjoy your blog. Came across it not too long ago and I have found it extremely helpful. Thanks for everything and keep up the good work!

    Comment by Mark H. — Sunday 28 August 2011 @ 5:42

  9. @Mark The reason I’ve not published the source code yet is that I want to merge UserAssist code pre-W7 with v2.5. But if you want the source code, let me know.

    Comment by Didier Stevens — Sunday 28 August 2011 @ 21:10

  10. @Didier -> It’s all good. I was able to read through your post on “into the boxes” to make a “dirty coded” version of what I needed. Am I allowed to use your source or do I need to write my own? (my project will be a free, open-source project). Thanks again for all of your hard work and I love reading about your new alarm system!

    Comment by Mark H. — Monday 29 August 2011 @ 3:58

  11. @Mark No problem, it’s public domain.

    Comment by Didier Stevens — Monday 29 August 2011 @ 21:52

  12. @Didier -> Here’s a question that you may have the answer to: when running my program (C#) I use the command “System.Diagnostics.Process.Start(myprocess);”. When I run a program using this method, it doesn’t update the corresponding UserAssist key, (nor does it create a new key, not that it should). Is there a different method that I should be using to get it to update properly?

    Comment by Mark H. — Tuesday 30 August 2011 @ 19:39

  13. The “Focus time” (bytes 12-15) isn’t milliseconds for shortcuts (.Ink)
    It’s counting the number of times the shortcut was executed.

    Comment by Dobbelina — Wednesday 31 August 2011 @ 16:18

  14. @Mark UserAssist keys will only count programs started interactively by the user. I suggest you read my article about UserAssist in (IN)SECURE Magazine, take a look at my article list under Professional.

    Comment by Didier Stevens — Wednesday 31 August 2011 @ 18:19

  15. Also, just in case you (I’m sure you already know) or anyone else that goes through this post cares. you can add this code to convert the guid to folder path. (x = original guid path string -example -> “{6D809377-6AF0-444B-8957-A3773F02200E}\Adobe\Photoshop.exe”)

    Guid myguid = new Guid(x.Substring(1, 36));
    IntPtr pPath;
    string fullPath;

    if (SHGetKnownFolderPath(myguid, 0, IntPtr.Zero, out pPath) == 0)
    {
    fullPath = System.Runtime.InteropServices.Marshal.PtrToStringUni(pPath) + x.Split(‘}’)[1];
    System.Runtime.InteropServices.Marshal.FreeCoTaskMem(pPath);
    }

    Comment by Mark H. — Thursday 1 September 2011 @ 17:50

  16. […] of the tools available for this is called UserAssist, which need not be installed on the computer. After downloading and running, you can display more […]

    Pingback by 5 Ways to Track Windows Hidden Activities and Claim back User Privacy — Tuesday 11 October 2011 @ 5:32

  17. […] of the tools available for this is called UserAssist, which need not be installed on the computer. After downloading and running, you can display more […]

    Pingback by 5 Ways to Track Windows Hidden Activities and Claim back User Privacy « ADITYACE — Tuesday 18 October 2011 @ 14:11

  18. […] Hope you found this interesting. You can download the latest version of UserAssist from here […]

    Pingback by Windows 7 – MFU (Most Frequent Used Programs) « Anything about IT — Saturday 22 October 2011 @ 0:21

  19. […] çalıştırarak bu listeye ulaşmanız mümkündür. Aracın XP/Vista sürümünü bu adresten, Windows 7 sürümünü ise bu adresten […]

    Pingback by Windows’un sizi izlemekte kullandığı 5 yol! | Haber – Mekanı — Tuesday 15 November 2011 @ 16:38

  20. […] sürümünü bu adresten, Windows 7 sürümünü ise bu adresten […]

    Pingback by Windows’un sizi izlemekte kullandığı 5 yol! | rusensahin.com — Tuesday 14 February 2012 @ 10:04

  21. Hi Mark, your code does not work for {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\HP\Digital Imaging\{68550918-63B5-4762-85CB-3C160AA4B213}\setup\hpzscr01.exe while converting to actual path. I modified the code a bit but if(SHGetKnownFolderPath(myguid, 0, IntPtr.Zero, out pPath) == 0) is always FALSE for the second Guid that is {68550918-63B5-4762-85CB-3C160AA4B213}

    Comment by Somnath — Wednesday 31 October 2012 @ 12:29

  22. Hi Mark & Stevens, your code does not work for {7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\HP\Digital Imaging\{68550918-63B5-4762-85CB-3C160AA4B213}\setup\hpzscr01.exe while converting to actual path. I modified the code a bit but if(SHGetKnownFolderPath(myguid, 0, IntPtr.Zero, out pPath) == 0) is always FALSE for the second Guid that is {68550918-63B5-4762-85CB-3C160AA4B213} . How to get actual path in this case?

    Comment by somnathz — Wednesday 31 October 2012 @ 12:31

  23. I’m finding a good use case where I’d like to see the registry entry name along with the decrypted information. I need to delete a specific entry from all users on a terminal server. I would dig into the source if it was available and see if I can get that information to display. Perhaps I’ll check out the article Mark H. referenced above and see what I can do.

    Thanks for this!

    Comment by Joe Dunnigan — Friday 25 January 2013 @ 18:16

  24. @Joe The latest version with source code is here: http://blog.didierstevens.com/2012/07/19/userassist-windows-2000-thru-windows-8/

    Comment by Didier Stevens — Tuesday 29 January 2013 @ 9:07


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 239 other followers

%d bloggers like this: