Didier Stevens

Thursday 19 July 2012

UserAssist Windows 2000 Thru Windows 8

Filed under: Forensics,My Software,Update — Didier Stevens @ 13:26

I finally took the time to merge UserAssist version 2.4.3 and UserAssist version 2.5.0 (Windows 7) into UserAssist version 2.6.0.

Thus version 2.6.0 supports all versions of Windows starting with Windows 2000 up to Windows 8. Support for Windows 8 is experimental.

UserAssist_V2_6_0.zip (https)
MD5: 04107FE15FC676B7A701760C9C6D2F81
SHA256: F6F73F4E00905A7727ED4136DE875DD1FBCF4B90FFEE4B93D4A46E58C0314D45

9 Comments »

  1. Excellent work, Didier. Just a couple of Q’s. I apologize if they have previously been answered…
    1) A lot of entries in my results show a counter of ’0′. My understanding is that if a program appears in UserAssist, it was run at least once. If this is correct, then how come the counter value shows 0 for a lot of entries?
    2) How far back does the counter go? Is it counting from a set period or from ever since?
    Thanks a lot… Sush

    Comment by Sush — Saturday 25 August 2012 @ 1:28

  2. @Sush What version of Windows do you use?

    Comment by Didier Stevens — Saturday 25 August 2012 @ 8:44

  3. Didier, I too appreciate the hard work you’ve done for us! I have used this program with success in the past but have since upgrade my system. I can no longer get the Load from DAT file feature to work, I understand it is experimental (as it states) but it used to work. I’m running User Assist on Windows 7 Ultimate 64. The NTUSER.DAT file I am trying to open is from a XP box. I get the error, File doesn’t contain user assist data. I’ve tried running your program on a XP box in my shop with the same results. It loads the local machines user assist data just fine, but not the DAT file. The DAT file does contain the user assist data, and I like the way your program presents the data. Is there something I can try to make this work?

    Comment by John — Thursday 13 September 2012 @ 17:10

  4. @John I’ll have a look John.

    Comment by Didier Stevens — Friday 14 September 2012 @ 14:27

  5. Didier, Thanks for this great tool. Is there still a BartPE version?

    Comment by Anonymous — Wednesday 7 November 2012 @ 19:35

  6. @Anonymous I’ve not updated that yet.

    Comment by Didier Stevens — Thursday 8 November 2012 @ 22:01

  7. Hi didier, firstly thank you for your good work and I want to suggest a new feature that I need to add to code after downloading source code. I need to know the exe hostory of a different user. So I change the registery code from current user to another user. It may be a parameter that can be given by user. Really happy to use this app.

    Comment by Burcu Co — Saturday 1 December 2012 @ 12:47

  8. @Burcu Co The feature you ask for is already present in UserAssist: Load from DAT file.

    Comment by Didier Stevens — Sunday 2 December 2012 @ 11:03

  9. How has MFU changed in Windows 7/8? It seems to maintain separate EXE and LNK data?

    Comment by xpclient — Wednesday 2 January 2013 @ 16:13


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

Theme: Rubric. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 153 other followers

%d bloggers like this: