Comments on: A Windows 7 Launch Party Trick!

By: Didier Stevens

Didier Stevens — Sun, 14 Feb 2010 17:04:04 +0000

@Napo: it’s slightly different. I’ve written an article that explains this in detail: http://blog.didierstevens.com/2010/01/04/new-format-for-userassist-registry-keys/

By: Napo

Napo — Sun, 14 Feb 2010 16:55:55 +0000

Hy there! First off: thanks for your great work & effort! Very nice and helpful forensic tool.
Have to point something out:

Perhaps you can give explanations for the different counters: that the “Counter” table lists the number of times the application was launched in this Windows session (= since the last reboot) and the “Focus counter” table lists the overall application startups (= since the first Windows boot after install).

Am I right with these assumption?
Thanks in advance.

By: New Format for UserAssist Registry Keys « Didier Stevens

New Format for UserAssist Registry Keys « Didier Stevens — Mon, 04 Jan 2010 15:30:06 +0000

[...] forget to use the special version of my UserAssist tool on Windows 7 and Windows Server 2008 R2. Possibly related posts: (automatically generated) Leave [...]

By: Yaggi

Yaggi — Sat, 07 Nov 2009 02:36:26 +0000

Thanks Didier for the clarification. Is this idea an opportunity for this tool to evolved and can be used for forensic evidence (one way of identfyig it would be abnormal operation of a certain account that can be flag by this tool)?

I understand its a long way to go but Im excited that this tool would grow for the IT community forensic tool.

By: Didier Stevens

Didier Stevens — Fri, 06 Nov 2009 14:28:04 +0000

If it’s done with the same user account, no.

By: Yaggi

Yaggi — Fri, 06 Nov 2009 03:48:45 +0000

Hello,

This is a nice tool upgrade. Anyway, if the user is being hack and the hacker is exploring the windows explorer of the target, can it be detected that another user is using it so when it comes to investigation at least we can somehow separate a legitimate action from the legitimate user?