Didier Stevens

Thursday 19 July 2012

UserAssist Windows 2000 Thru Windows 8

Filed under: Forensics,My Software,Update — Didier Stevens @ 13:26

I finally took the time to merge UserAssist version 2.4.3 and UserAssist version 2.5.0 (Windows 7) into UserAssist version 2.6.0.

Thus version 2.6.0 supports all versions of Windows starting with Windows 2000 up to Windows 8. Support for Windows 8 is experimental.

UserAssist_V2_6_0.zip (https)
MD5: 04107FE15FC676B7A701760C9C6D2F81
SHA256: F6F73F4E00905A7727ED4136DE875DD1FBCF4B90FFEE4B93D4A46E58C0314D45

17 Comments »

  1. Excellent work, Didier. Just a couple of Q’s. I apologize if they have previously been answered…
    1) A lot of entries in my results show a counter of ‘0’. My understanding is that if a program appears in UserAssist, it was run at least once. If this is correct, then how come the counter value shows 0 for a lot of entries?
    2) How far back does the counter go? Is it counting from a set period or from ever since?
    Thanks a lot… Sush

    Comment by Sush — Saturday 25 August 2012 @ 1:28

  2. @Sush What version of Windows do you use?

    Comment by Didier Stevens — Saturday 25 August 2012 @ 8:44

  3. Didier, I too appreciate the hard work you’ve done for us! I have used this program with success in the past but have since upgrade my system. I can no longer get the Load from DAT file feature to work, I understand it is experimental (as it states) but it used to work. I’m running User Assist on Windows 7 Ultimate 64. The NTUSER.DAT file I am trying to open is from a XP box. I get the error, File doesn’t contain user assist data. I’ve tried running your program on a XP box in my shop with the same results. It loads the local machines user assist data just fine, but not the DAT file. The DAT file does contain the user assist data, and I like the way your program presents the data. Is there something I can try to make this work?

    Comment by John — Thursday 13 September 2012 @ 17:10

  4. @John I’ll have a look John.

    Comment by Didier Stevens — Friday 14 September 2012 @ 14:27

  5. Didier, Thanks for this great tool. Is there still a BartPE version?

    Comment by Anonymous — Wednesday 7 November 2012 @ 19:35

  6. @Anonymous I’ve not updated that yet.

    Comment by Didier Stevens — Thursday 8 November 2012 @ 22:01

  7. Hi didier, firstly thank you for your good work and I want to suggest a new feature that I need to add to code after downloading source code. I need to know the exe hostory of a different user. So I change the registery code from current user to another user. It may be a parameter that can be given by user. Really happy to use this app.

    Comment by Burcu Co — Saturday 1 December 2012 @ 12:47

  8. @Burcu Co The feature you ask for is already present in UserAssist: Load from DAT file.

    Comment by Didier Stevens — Sunday 2 December 2012 @ 11:03

  9. How has MFU changed in Windows 7/8? It seems to maintain separate EXE and LNK data?

    Comment by xpclient — Wednesday 2 January 2013 @ 16:13

  10. There are 72 bytes information, but display only 24 bytes. What about other bytes? What are they meaning?

    Comment by Logioniz — Friday 28 June 2013 @ 7:18

  11. hello

    can i use your software : userassist with command line in order to start this software on each computer of my network
    i would like to known how many time a software is used on a network

    regards

    Comment by alex — Thursday 31 October 2013 @ 13:33

  12. @alex Sorry, my program takes no argument, but tale a look at regripper.

    Comment by Didier Stevens — Wednesday 6 November 2013 @ 15:40

  13. Hi Didier,
    SuperAwesomeTool. I’m making a tool which fetches the last 20 used programs using AutoIT language. The question is how to fetch the date of respective programs like “Last” column in your program. Your ideas and help highly appreciable.
    Thanks

    Comment by Dinesh — Saturday 28 December 2013 @ 17:49

  14. @Dinesh I wrote an article on these keys for Into The Boxes magazine. It’s explained in there.

    Comment by Didier Stevens — Sunday 29 December 2013 @ 21:45

  15. Hi Didier, i am a novice and would like to start using userassist in order to learn to monitor who is accessing the computer and to do what. We have a windows 8.1 system and was wandering if you have a quick guide to userassist and to understanding forensic. thanks. Alberto

    Comment by ala — Sunday 2 November 2014 @ 11:40

  16. Yes, read my blogposts and page on UserAssist.

    Comment by Didier Stevens — Sunday 2 November 2014 @ 11:59

  17. HI
    Any way to match the name from userassist with the actual name of a installed programs? Like the start menu does?

    Comment by Andrei — Friday 12 May 2017 @ 15:12


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.