In search of a new trick for that Windows 7 Launch Party you’re invited to?
Here’s one:

You can download a beta version of my UserAssist tool here. Soon I’ll be posting a final version with details and source code.
Hello,
This is a nice tool upgrade. Anyway, if the user is being hacked and the hacker is exploring the Windows Explorer of the target, can it be detected that another user is using it, so when it comes to investigation at least we can somehow separate a legitimate action from the legitimate user?
Comment by Yaggi — Friday 6 November 2009 @ 3:48
If it’s done with the same user account, no.
Comment by Didier Stevens — Friday 6 November 2009 @ 14:28
Thanks Didier for the clarification. Is this idea an opportunity for this tool to evolve and be used for forensic evidence (one way of identifying it would be abnormal operation of a certain account that can be flagged by this tool)?
I understand it's a long way to go but I'm excited that this tool would grow into a forensic tool for the IT community.
Comment by Yaggi — Saturday 7 November 2009 @ 2:36
[...] forget to use the special version of my UserAssist tool on Windows 7 and Windows Server 2008 R2. [...]
Pingback by New Format for UserAssist Registry Keys « Didier Stevens — Monday 4 January 2010 @ 15:30
Hi there! First off: thanks for your great work & effort! Very nice and helpful forensic tool.
Have to point something out:
Perhaps you can give explanations for the different counters: that the “Counter” table lists the number of times the application was launched in this Windows session (= since the last reboot) and the “Focus counter” table lists the overall application startups (= since the first Windows boot after install).
Am I right with these assumptions?
Thanks in advance.
Comment by Napo — Sunday 14 February 2010 @ 16:55
@Napo: it’s slightly different. I’ve written an article that explains this in detail: http://blog.didierstevens.com/2010/01/04/new-format-for-userassist-registry-keys/
Comment by Didier Stevens — Sunday 14 February 2010 @ 17:04
Hey there,
I’m writing to inquire as to the availability of the source code of your new UserAssist tool. I’m currently working on a project deploying Windows 7 and I’ve been tasked with prepopulating the MFU list on the start menu, and before finding this site had almost completely deciphered the new format, but I’m against a wall here and just need a piece or two to knock this thing out. Is there any chance this code will be available soon? Or could I get the parsing/setting function for the new format?
Comment by Micah Rowland — Thursday 1 April 2010 @ 2:52