The UserAssist utility displays a table of programs executed on a Windows machine, complete with running count and last execution date and time.
Windows Explorer maintains this information in the UserAssist registry entries. My program allows you to display and manipulate these entries.
I posted my program (source code and binaries) here. Download the ZIP file, you’ll have to extract UserAssist\UserAssist\bin\Release\UserAssist.exe to get my program. There is no setup, it’s just one executable. You’ll need the .NET Framework 2.0 runtime to run my program (download it only if you have a problem running my program, if you have an up-to-date version of Windows XP, the .NET 2.0 Framework will already be installed).
I also maintain a Windows Live CD plugin for my UserAssist utility.
Program features and operation is described in the About box:
The program UserAssist displays a list of the programs run by a user on Windows.
Windows Explorer displays frequently used programs on the left side of the standard XP Start menu.
The data about frequently used programs is kept in the registry under this key:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist
This program decrypts and displays the data found in the registry under the UserAssist key.
When started, the program retrieves the data for the current user and displays it.
The display is not refreshed automatically when Windows Explorer updates the registry entries.
To refresh the display, execute the 'Load from local registry' command.
Columns in the listview:
Key:
this value is {5E6AB780-7743-11CF-A12B-00AA004AE837} or {75048700-EF1F-11D0-9888-006097DEACF9}
those are the keys found under the UserAssist key, and are included in the list view to distinguish the entries.
Index:
a running counter, indicating the sequence of values in the registry
At first, the entries are listed in the sequence they appear in the registry. You can sort columns by clicking on the header.
To revert to the original sequence, sort the column Index and then the column Key
Name:
The name of the value registry entry. This references the program that was run. This key is ROT13 encrypted, the displayed name is decrypted.
There is a registry setting to prevent encryption of the log, but this program does not support this setting.
Unknown:
a 4 byte integer, meaning unknown. It appears to be present only for session entries (UEME_CTLSESSION).
Session:
This is the ID of the session (a 4 byte integer).
Counter:
This is the number of times the program was ran (a 4 byte integer).
Last:
This is the last time the program was ran (a 8 byte datetime).
The value is displayed with the timezone of the machine running this UserAssist tool.
Watch out for time zone differences when importing a REG file from a system with different regional settings.
Last UTC:
This is the last time the program was ran (a 8 byte datetime) in UTC.
Commands:
'Load from local registry'
Displays the data for the current user.
'Load from REG file'
Loads a REG file and imports the UserAssist key.
This command doesn't check the full path of the UserAssist key, thus allowing the analysis of NTUSER.DAT hives loaded and exported with another path.
Use this command if you cannot run the program on the machine you want to analyze.
Loading the data from a REG file disables editing commands.
'Load from DAT file'
Loads a registry hive file (a DAT file like NTUSER.DAT) and imports the UserAssist key.
The DAT file is temporarily loaded in the registry under the USERSLoadedHive key. Be sure to have the local admin rights to access the file and load it.
Use this command if you cannot run the program on the machine you want to analyze.
Loading the data from a DAT file disables editing commands.
'Highlight'
Allows you to type in a search string (a regular expression is accepted), each entry matching this string will be highlighted in red.
The highlighting stays active during reloads. Type an empty string to disable the highlighting.
'Save'
This saves the data as a CSV file or a HTML file (choose file type).
'Clear All'
This deletes the {5E6AB780-7743-11CF-A12B-00AA004AE837} and {75048700-EF1F-11D0-9888-006097DEACF9} keys.
All data is lost, and no new data is recorded until Windows Explorer is restarted.
This will impact the frequently run program list on your Start Menu, and maybe other things. I had no other side-effects on my test machines.
This command is disabled when a REG file is loaded.
'Logging Disabled'
Enabling the 'Logging Disabled' toggle allows you to permanently disable the logging of user activity in the UserAssist keys by creating a value
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssistSettingsNoLog equal to 1.
Disabling the 'Logging Disabled' removes the NoLog value (apparently, setting it to 0 doesn't prevent logging).
This setting is only effective after Windows Explorer is restarted.
This command is disabled when a REG file is loaded.
Right-clicking an entry will display a menu:
'Clear' will delete the selected entries. The index field of the remaining entries is not changed, they only change after reloading the registry.
This command is disabled when a REG file is loaded.
'Explain' will analyse the contents of the name field and try to explain its meaning (based on empirical data).
This program has been tested on Windows XP SP1, SP2, Windows 2003 and Windows Vista.
Microsoft doesn't publish official documentation for UserAssist data. I've found info on the WWW (google for UserAssist) and I discovered the meaning of the binary data through trial-end-error testing. In other words: use this program at your own risk. Ways to restart Windows Explorer: 1) Task Manager: kill the explorer.exe process and start a New Task explorer.exe 2) logoff / logon 3) reboot
Download:
UserAssist_V2_6_0.zip (https)
MD5: 04107FE15FC676B7A701760C9C6D2F81
SHA256: F6F73F4E00905A7727ED4136DE875DD1FBCF4B90FFEE4B93D4A46E58C0314D45
Didier Stevens 
[…] I’ve published a BartPE plugin for my UserAssist utility, you can download it here (https, MD5 D43E519B7BCE90F31EB54884E7AA75C1). And I’m posting another movie. Windows Live CDs are a popular troubleshooting and forensic investigation tool, they allow you to boot a (Windows) PC from a CD. Bart Lagerweij developed BartPE, a tool to create a Windows Live CD (a Windows “pre-install” environment CD), and several people build their own tools based on his work. The Ultimate Boot CD for Windows is based on BartPE. […]
Pingback by A Windows Live CD plugin for my UserAssist utility « Didier Stevens — Monday 18 September 2006 @ 15:24
Nice tool! Questions: I’m not at a programmer. To run the application, do I need only the Bin folder and its contents? Can I delete the Obj and Properties folders? One suggestion is that perhaps you can consider adding a search feature. Thanks!
Jimmy Weg, CFCE
Agent in Charge, Computer Crime Unit
Montana Division of Criminal Investigation
303 N. Roberts, Room 371
Helena, MT 59620
406.444.6681
406.439.6185 (cell)
jweg@mt.gov
Comment by Jimmy Weg — Monday 30 October 2006 @ 22:02
1) you only need UserAssist.exe in folder UserAssist\bin\Release, and you can put it anywhere, e.g. on your desktop.
2) yes, you can delete everything, except UserAssist.exe
3) I’ll probably have a search function in a new version, but for now, you can use the Save function. It creates a CSV file. You can read it with Excel or notepad, and use their search function
Comment by Didier Stevens — Monday 30 October 2006 @ 22:14
[…] XP saves the full path and name of the program, last access and the number of total executions. UserAssist is a nice little tool that decrypts the information and displays them it its main window. You can […]
Pingback by Windows stores information about the programs that you use » gHacks tech news — Monday 22 January 2007 @ 12:50
Great tool ! Thanks for sharing it with the community !
Comment by Wag — Tuesday 23 January 2007 @ 11:03
Very nice tool! Thanks for sharing. It’s nice to have a tool that automatically de-ROTs the values instead of having to run them through another script.
Comment by Michael H — Wednesday 24 January 2007 @ 0:40
[…] Filed under: My Software — Didier Stevens @ 11:30 My article about my UserAssist forensic tool has been published in the February 2007 issue of (IN)SECURE Magazine […]
Pingback by UserAssist article published in (IN)SECURE Magazine « Didier Stevens — Thursday 15 February 2007 @ 11:30
Bad idea!
This key and the meanings of its parameters was known by me from 2004, but I published my investigation only for restricted access (only for law enforcement agencies). I consider information about the UserAssist key very important for computer crimes’ criminalistic expertises. I can’t understand reasons for your publication. This key was a helpful tool for criminalists, and you broke it. Why? The key wasn’t dangerous for ordinary users. Now, any computer criminal can read your article, use your utility and hide own unlawful engagement. You are an IT Security Consultant! Are you really think your article is so nessessary? I am very disappointed by your publication.
PS.Some years ago Mr. Khizhniak, my compatriot :(((, wrote the book about creating of computer viruses (Part I) and antiviruses (Part II). As result a lot of “Khizhniak-based” viruses was created by so-called “hackers” which indeed couldn’t develop any simplest virus singly without the book. None of antiviruses was created. Do you like similar results? After publishing your article will help only computer criminals and create problems for specialists.
Yours sincerely,
Ponomaryoff Maxim E.,
Information Security Consultant. Yekaterinburg. Russia.
Comment by Ponomaryoff Maxim E. — Friday 16 March 2007 @ 10:34
> I consider information about the UserAssist key very important for computer crimes’ criminalistic expertises.
It is, and that’s why I published it. Read the comment by Jimmy Weg, Agent in Charge, Computer Crime Unit, Montana Division of Criminal Investigation. He did not know about this technique prior to using my program.
The information is on the web since October 2003 at least, read here: http://www.personal-computer-tutor.com/abc3/v29/vic29.htm
Associating me with virus writes is a blow below the belt, it’s like a tactic used by corrupt politicians & consorts.
Comment by Didier Stevens — Sunday 18 March 2007 @ 14:17
Excuse me, if my words offended you. I present you my open-hearted apologies. I didn’t assosiate you with virus writes, moreover I was sure you was leaded by good wishes, but ones could bring to bad results (my example was written only for this aim). I’d read the comment by Jimmy Weg, and I’m glad for him. But soon criminals will clear the UserAssist key with your fine (indeed) utility. What will Mr. Weg do in this case?
As before I consider this information had to be published only for restricted access (only for Mr. Weg and his colleagues).
I don’t pretend to any priority. I descovered the UserAssist key singly, and didn’t know about other publications. Thanks for the link, and sorry for my English.
Yours sincerely,
Ponomaryoff Maxim E.
Comment by Ponomaryoff Maxim E. — Monday 19 March 2007 @ 10:49
> I present you my open-hearted apologies.
Apologies accepted! As a non-native English speaker, I also know how sometimes your words can be misunderstood.
I wonder how you bring evidence, based on the UserAssist keys, into court? If you keep the technique secret, has the defense no right to examine your evidence? Does the judge accept the data?
Comment by Didier Stevens — Monday 19 March 2007 @ 17:31
[…] Read more… Tags: binary data, didier, encrypted, ive, registry keys, rot13, Spyware, stead, timestamp, treeview, utility windows, windows explorer Posted on Tuesday, March 27th, 2007 at 6:08 pm and under category News. You can read any responses through the RSS 2.0 feed. You can give a response, or trackback from your site. « IE lets attackers hijack network traffic Tools – Fuzzled – a Perl Based Fuzzer » […]
Pingback by Internet Security and Programming » Blog Archive » Didier Stevens - UserAssist utility — Tuesday 27 March 2007 @ 11:09
On XP SP2 I keep getting “The application failed to initialize properly (0xc0000135).” What am I missing?
Thanks!
Comment by Hank — Thursday 5 April 2007 @ 5:29
Did you install the .NET framework?
http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en
Comment by Didier Stevens — Thursday 5 April 2007 @ 6:52
Dear Didier Stevens!
I imagine the answer to your question approximately as follow…
Our national justice has some differences from European or American one.
So when a government investigator needs in special knowledges, he can appoint an expertise (ballistic, graphologic, computer, etc.) He forms a list of questions to the expert. The expert gives a precise answers as far as possible, and writes the expert’s report. After when the prosecution presents the expert’s conclusion to the court, all employed techniques must be described and be based on some official documents or be validated by an experiments. In our case because Microsoft hasn’t still published the official information about the UserAssist key, I’ll have to describe my experiments to prove truth of my resumes. But the expert’s conclusion also can be used in non-judicial practice (by special officers or special agents. Mostly I cooperate with them but I’m not able to find more correct english term to name them.) In that case I am allowed to describe nothing from my techniques.
PS. I have a small remark to your utility. You use the last time the program was ran in local time mode, and warn about possible differences. I added to your code a new column (Last UTC) because the FILETIME structure kept time exactly in this mode (as you know). When an expert examines a REG-file from another computer, this modification can be very helpful.
PPS. On my XP SP2 your utility works correctly. My version too =)
Yours sincerely,
Ponomaryoff Maxim E.
Comment by Ponomaryoff Maxim E. — Friday 27 April 2007 @ 5:51
Thanks for your answer Maxim. Excellent idea to add an UTC column, thanks for the suggestion!
Comment by Didier Stevens — Tuesday 1 May 2007 @ 18:34
Great tool! One question… I am curious about the “Counter” field indicating how many times a resource was run. How did you determine that the 4 bytes you use for this are counts? I have been forever looking for a resource that documents this part of the UserAssist keys…
Thanks JS
Comment by JS — Friday 1 June 2007 @ 18:24
It’s explained in an older post: https://didierstevens.wordpress.com/2006/07/24/rot13-is-used-in-windows-you%e2%80%99re-joking/
And also in my article in (IN)SECURE Magazine issue 10: http://www.net-security.org/dl/insecure/INSECURE-Mag-10.pdf
Comment by Didier Stevens — Wednesday 6 June 2007 @ 16:51
[…] @ 6:29 I was a speaker at the local ISSA chapter last Monday. My talk explained how to use my UserAssist tool for forensic analysis. The audience had great questions for me at the Q&A, some of which I want […]
Pingback by UserAssist Q&A « Didier Stevens — Wednesday 20 June 2007 @ 6:29
Good application. Just wondering if there would be a simple way to save the report in html, and as Jimmy said, a search feature would be great. Thanks
Chad
Comment by Chad Gish — Thursday 28 June 2007 @ 22:56
Can you suggest a tool to convert NTUSER.DAT files from a user profile to .REG files so that they can be viewed using your tool?
I have tried Registry File Viewer which will export to REGEDIT4 format, but your UserAssist utility says that the file doesn’t contain UserAssist data.
Comment by Sean McLinden — Thursday 5 July 2007 @ 19:23
You can use Regedit. I show it in the movie of this post: https://didierstevens.wordpress.com/2006/09/18/a-windows-live-cd-plugin-for-my-userassist-utility/
And I also explain it in my (IN)SECURE Magazine Issue 10 article (page 72): http://www.net-security.org/dl/insecure/INSECURE-Mag-10.pdf
Comment by Didier Stevens — Thursday 5 July 2007 @ 19:37
@Chad
I’m preparing a new version, HTML export can be included, but I don’t know if I want to spend the time programming search. Actually, it’s not the Find function that is complex, but the Find Next function.
Comment by Didier Stevens — Thursday 5 July 2007 @ 19:46
I was hoping to avoid using something like UBCD4WIN just because I’ll have to make another restore from Encase. But if that is the only way, I guess I’ll do it that way.
Importing into a live Windows using Regedit overwrites the existing settings. Bad thing to do with an investigator laptop.
Thanks.
Comment by Sean McLinden — Thursday 5 July 2007 @ 20:16
You don’t need a live CD, read my article, you can work with a copy of
NTUSER.DAT and load the hive. This does not overwrite your settings.
Comment by Didier Stevens — Thursday 5 July 2007 @ 20:23
Thanks, that did it.
Comment by Sean McLinden — Thursday 5 July 2007 @ 20:49
Is there a commandline version that can be run and dump the output to a txt or cvs or html report?
Comment by Brian — Monday 16 July 2007 @ 16:40
[…] Engineering, My Software — Didier Stevens @ 6:05 I’m releasing version 2.3.0 of my UserAssist tool with these new […]
Pingback by UserAssist V2.3.0 « Didier Stevens — Tuesday 17 July 2007 @ 6:05
[…] Stevens has released the latest iteration of his incredibly handy tool UserAssist. This tool, in a nutshell, displays a table of all of the programs executed on a windows machine. […]
Pingback by Liquidmatrix Security Digest » Stevens Releases UserAssist V2.3 — Tuesday 17 July 2007 @ 12:14
@Brian
I’ll see if I can add command-line support.
Comment by Didier Stevens — Tuesday 17 July 2007 @ 13:15
[…] My Software — Didier Stevens @ 8:11 My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent But I’m not French, I’m […]
Pingback by CyberSpeak interview « Didier Stevens — Monday 23 July 2007 @ 8:12
Didier,
Great tool … thanks.
Is it possible to get an explanation of the keys that are referenced in the output. I think that the list of possible keys that occur are:
UEME_RUNPIDL:
UEME_RUNPATH:
UEME_CTLSESSION
UEME_CTLCUACount:
UEME_UISCUT:
UEME_UIQCUT:
UEME_UIHOTKEY:
UEME_RUNWMCMD:
UEME_RUNCPL:
UEME_UITOOLBAR:
I am attempting to use the data from a suspect’s imaged hard drive to show that the majority of his time on the computer was spent playing games and on the net. The data shows that there is many uses of Freecell and Hearts but there are even more occurrences of UEME_UIQCUT, UEME_RUNPATH, and UEME_RUNPIDL. What are these keys?
Comment by Mark Hallman — Friday 24 August 2007 @ 19:44
Be aware that the UserAssist entries only list how often a program has
been started by a user and when it what last started. So it’s not the
tool to assess how *long* programs were running.
UEME_UIQCUT
Applications launched from the quick launchbar are logged under the
entry UEME_UIQCUT. There is no separate entry with the name or path of
the launched application. I think the logic behind this is the
following: the UserAssist entries are maintained by Windows Explorer
to display the most frequently run applications on the start menu.
Applications launched from the quick launchbar have already their
“special” place on the GUI Windows, so there’s no need to keep stats
about their usage.
UEME_RUNPATH
This is logged each time a program is started, look at the path to see
which program. When a program is started by double-clicking it in
Windows Explorer or by typing its name in the Run command, RUNPATH
entries are created/updated but no UEME_RUNPATH entries are.
A PIDL is a Pointer to an ID List. Every item in Explorer’s namespace,
whether it’s a file, directory, Control Panel applet, or an object
exposed by an extension, can be uniquely specified by its PIDL. If the
UEME_RUNPIDL values starts with %csidl2%, then it refers to the start
menu. Notice that most UEME_RUNPIDL values are names of folders in the
start menu of shortcuts in the start menu (.lnk)
If you’re a programmer, an PIDL is Pointer to IDL, and IDL is short
for ITEMIDLIST (http://msdn2.microsoft.com/en-us/library/ms538107.aspx).
Remember that we’re talking about Windows Explorer here, aka the
shell, and a PIDL and ITEMIDLIST are shell structures used by
programmers.
You can find more information here:
http://sistersincrime.toronto.on.ca/internetspysoftware.php
Comment by Didier Stevens — Saturday 25 August 2007 @ 10:05
[…] a key named Settings and under this new key create a DWORD value named NoLog with value 1. My UserAssist tool has a menu toggle (Logging disabled) to do this […]
Pingback by Disabling UserAssist Logging for Windows Vista « Didier Stevens — Saturday 8 September 2007 @ 20:14
[…] programmino, che richiede il .NET Framework è scaricabile qui con i sorgenti. E’ anche disponibile un plugin per BartPE […]
Pingback by UserAssist: what is this? « Fare, disfare e rifare — Thursday 20 September 2007 @ 7:13
This functionality is available from within Access Data’s program for reading the registry.
Comment by Anonymous — Thursday 11 October 2007 @ 20:40
And it’s also free and open source?
Comment by Didier Stevens — Thursday 11 October 2007 @ 21:07
[…] Forensics, My Software — Didier Stevens @ 6:36 The most important feature of this new UserAssist version is the explain command. Now you can right-click an entry, select explain and get a nice explanation […]
Pingback by UserAssist V2.4.1 « Didier Stevens — Tuesday 16 October 2007 @ 6:36
Great tool. Is there a way to connect to a remote registry?
Comment by John — Tuesday 30 October 2007 @ 13:07
I didn’t program that feature, but I’ll add it to my todo list.
However, you can connect to the registry of a remote machine with regedit. Export the UserAssist keys and load the exported file in my tool.
Harlan Carvey has scripts that work remotely, but I don’t believe his scripts for the UserAssist keys work remotely. They operate on the hive file. His tools are included with his book http://www.syngress.com/catalog/?pid=4230.
Comment by Didier Stevens — Wednesday 31 October 2007 @ 19:46
[…] UserAssist – Una herramienta relativamente poco conocida de Didier Stevens que nos saca una lista de los programas que se han ejecutado, cuándo, y cuántas veces. […]
Pingback by alfredo reino » Archivo del Blog » Herramientas útiles — Friday 16 November 2007 @ 10:46
[…] under: Forensics, My Software, Update — Didier Stevens @ 9:29 Just a small change in this new version: now you can disable the automatic loading of the local registry data when the UserAssist tool is […]
Pingback by Update: UserAssist V2.4.2 « Didier Stevens — Monday 26 November 2007 @ 9:29
[…] like the UserAssist entries for Windows Server 2008 have the same format as for Windows Vista, my UserAssist tool can also extract the data from Windows Server […]
Pingback by Quickpost: Windows Server 2008 UserAssist Keys « Didier Stevens — Friday 11 January 2008 @ 18:37
[…] From now on, I’ll update it each time I release a new version of my UserAssist utility. […]
Pingback by Update: A Windows Live CD plugin for my UserAssist utility « Didier Stevens — Monday 28 January 2008 @ 8:17
Hi Didier,
Can you please explain why I would receive a counter of zero? All my results for PIDL %csid16% came back with a counter of zero.
Great tool by the way!
Thanks in advance,
Jenny
Comment by Jenny — Thursday 7 February 2008 @ 21:15
A counter equal to 0 indicates that the user right-clicked on the item in the start-menu and selected the command to remove the item from the list.
Comment by Didier Stevens — Thursday 7 February 2008 @ 21:34
[…] many values include FILETIME objects embedded within their binary data. For example, beneath the UserAssist keys, many of the values found within the Count subkey have 16 bytes of binary data associated with […]
Pingback by Log Analysis Professionals » Blog Archive » The Windows Registry as a Log File — Tuesday 8 April 2008 @ 11:33
Didier. Thanks for the great tools. On UserAssist, (I am not a computer pro – just a power user), the output is generally a history report…yes? Therfore, all entries accessible by a right click can be safely deleted (clear tracks)…yes? Then, recycle bin shredding and overwrite will remove final traces, correct? Thx!
Comment by Bruce Ades — Wednesday 14 May 2008 @ 11:18
The UserAssist keys contain historical data.
When you use my UserAssist tool to delete entries, it will actually delete registry keys. Deleted registry keys are not moved to the recycle bin, so there is no need to empty the recycle been.
However, I suspect that deleted registry entries are still present in the registry hive files (like NTUSER.DAT), until their space is reused. Registry compacting should take care of this.
Comment by Didier Stevens — Friday 16 May 2008 @ 16:28
Hi,
program looks great but does not run on Windows 2000. It starts without opening a window and keeps the cpu goin’ on 100%. When opening using a shortcut and setting the window maximized it opens but does not show data or menu text. Also 100% cpu until I terminate the program.
Dot.Net2 SP1 installed. Hope you can tweak the program to let it run on W2K.
In the registry the keys look the same as described everywhere on the ‘net.
Comment by Hans — Saturday 31 May 2008 @ 22:34
I’ve used it in the past on W2K, it works. I believe that you’ve so much entries in the UserAssist keys, that it takes a long time for my utility to analyze them all and display the result. Let the program run for some time and see what happens.
Comment by Didier Stevens — Sunday 1 June 2008 @ 9:15
Thanks very much for sharing your powerful and handy tool.
Question 1:
What causes the counter to have a negative value?
Question 2:
What causes the counter to have “Removed from list” instead of a number?
I’ve been using this tool for some time, but today I have encountered above
cases for the first time.
Comment by Nobuyuki Hirato — Monday 4 August 2008 @ 9:01
In fact, the counters are stored inside the binary registry data with an offset of 5. So if a program has been executed exactly once, the counter stored inside the binary registry data is equal to 6, and my UserAssist utility will subtract 5 and display 1. I believe that this +5 offset is a classic programming trick used by the MS programmers to be able to store special values in the same binary format.
One special value I’ve identified is 0: this indicates that the program is never to appear in the start menu in the most executed programs list. A user can decide to remove a program from the start menu list by right-clicking the entry and selecting “Remove from this list in de context menu. Internally, this action assigns a value of 0 to the counter. I’ve programmed UserAssist to display “Removed from list” in the counter column.
Negative values in the counter column are special values that I’ve not yet identified. I’ve had reports of installation programs creating userassist registry entries with values 1 or 2, but I don’t know what this implies.
Can you share which programs you’ve found with ‘negative counter values’?
Comment by Didier Stevens — Monday 4 August 2008 @ 17:11
Thanks for quick reply.
> Can you share which programs you’ve found with ‘negative
> counter values’?
Yes.
This time I’ve encountered two .url files under UEME_RUNPIDL:%csidl6%\, both indicated with values of -3.
> Internally, this action assigns a value of 0 to the
> counter. I’ve programmed UserAssist to display “Removed
> from list” in the counter column.
Does it mean all 0’s in the counter column should be
replaced with “Removed from list”?
I see a lot of entries with counter 0, apart from ones with “Removed from list”. Again, predominantly UEME_RUNPIDL:%csidl6%\??????.url ones.
Comment by Nobuyuki Hirato — Tuesday 5 August 2008 @ 3:56
No, a 0 counter in the Counter column of the UserAssist utility means again that this is a special value, but its meaning is unknown.
csidl6 is the special directory with the user’s favorites.
Is the last timestamp empty?
Comment by Didier Stevens — Tuesday 5 August 2008 @ 18:35
No, both of the two entries having -3 in Counter do have
Last timestamps.
As for the ones having 0 in Counter, Last timestamps are
all empty.
Comment by Nobuyuki Hirato — Wednesday 6 August 2008 @ 2:53
That’s normal. I did some testing with favorites, but couldn’t reproduce the -3 counter.
If you find more info, please let me know.
Comment by Didier Stevens — Thursday 7 August 2008 @ 16:18
OK. I’ll inform you when I find out something further.
Thank you.
Comment by Nobuyuki Hirato — Friday 8 August 2008 @ 11:13
Thank you for your tool – I am looking for an explanation for “session” Is this an incremental # for every logon/boot. Am I correct that this session number only identifies the last session an application was accessed and need to use restore points to obtain if the application was used on a specific day – Thank you! – Paul
Comment by Paul Smith — Thursday 23 October 2008 @ 12:42
I have no definite explanation for the session value.
I’ve not observed an increase of this value for every logon, but I’ve observed increments with 1 about every 24 hours, when the machine was on. Not exactly 24 hours, but a bit longer, and the variance looked random.
Comment by Didier Stevens — Thursday 23 October 2008 @ 17:55
I went to the old listing for your app (http://blog.didierstevens.com) and that led me to “gotdotnet” that no longer exists. Glad I found your new location. I’ve been using NirSoft’s UserAssistView (v1.00) since January09.
Comment by Ronin Vladiamhe — Tuesday 9 June 2009 @ 21:57
Hi Didier
First of all I must tell you that your tool is really great!!! Has been really helpful to me, and I’d need your help with something that has been a really big problem to me.
I need to get all the possible information related to the Quick Launch items, and the applications that have been raised using the Quick Launchbar. In a previous post you said something like this:
Be aware that the UserAssist entries only list how often a program has
been started by a user and when it what last started. So it’s not the
tool to assess how *long* programs were running.
UEME_UIQCUT
Applications launched from the quick launchbar are logged under the
entry UEME_UIQCUT. There is no separate entry with the name or path of
the launched application. I think the logic behind this is the
following: the UserAssist entries are maintained by Windows Explorer
to display the most frequently run applications on the start menu.
Applications launched from the quick launchbar have already their
“special” place on the GUI Windows, so there’s no need to keep stats
about their usage.
Would be really great if you could tell me where is this “special” place, that would solve my problem once and for all.
Sorry my english, and hoping that you can help me soon. I’ll be really thankful for your help,
Yosmel.
Comment by Yosmel — Thursday 2 July 2009 @ 18:31
@Yosmel
I fear you misunderstood me. With “special place on the GUI Windows”, I mean that the Quick Launch items have their fixed place (to the right of the Start button).
Like I wrote: “so there’s no need to keep stats about their usage.” The UserAssist data doesn’t contain info on Quick Launch items
Comment by Didier Stevens — Friday 3 July 2009 @ 15:33
Hi Didier
First of all thanks a lot for your reply.
I just tought that maybe you know where this information was stored on registry.
As you said, “Applications launched from the quick launchbar are logged under the entry UEME_UIQCUT”, and I see that this counter is increased each time you click a quick launch item, so I believe that this information is stored in some place in registry maybe. I’d need to figure out how many times a quick launch item has been clicked, when was the latest time, etc…
But anyway, once again thanks a lot for you reply, and was a pleasure to contact to you. You’re a great coder 🙂 .
My best regards,
Yosmel.
Comment by Yosmel — Friday 3 July 2009 @ 17:31
Maybe you’ll the data, but personally, I believe it doesn’t exist. I’m 100% sure it isn’t logged under the UserAssist registry key.
Comment by Didier Stevens — Friday 3 July 2009 @ 18:11
Hi Didier
Well, I’ll keep trying then. When I saw that the UserAssist registry keep updates the counter for the number of programs that have been launched using quick launch items, I tought that maybe this information was stored in some other registry key. But anyway, thanks a lot for reply.
My best regards,
Yosmel.
Comment by Yosmel — Friday 3 July 2009 @ 18:23
>>> Well, I’ll keep trying then. When I saw that the UserAssist registry keep updates the counter for the number of programs that have been launched using quick launch items, I tought that maybe this information was stored in some other registry key. <<<
Have you tried looking at the Prefetch files? They too keep a counter of how many times an executable has been run.
Comment by Phillip Rodokanakis — Monday 20 July 2009 @ 20:26
Didier or others…
How accurate is the counter? We found a counter for specific piracy software which is telling us the program was started 3950 times. Is the number to be trusted? Or has Windows some hidden/unkown features that can change/increase the number for some reason?
Kind regards from The Netherlands,
Hans Heins
Comment by Hans Heins — Tuesday 4 August 2009 @ 12:41
@Hans
No, I don’t know about Windows hidden/unkown features that can increase the number.
In theory, a program could manipulate his counter (increase it) to appear on the most-used list in the start menu. But I’ve never seen this done in real live.
Comment by Didier Stevens — Tuesday 4 August 2009 @ 15:32
Hello Didier,
The time displayed in the column “last” is in UTC if I am right. (UserAssist version 2.4.2.0)
I think it would be very useful if you can change the column name in to something like “Last used – UTC”
I(and I think many other investigators) deal with a lot of different tools and also with many different timezones due to our International investigations.
If a tool does not clearly mention which timezone is displayed, we have to figure this out each time we use a nice tool, like UserAssist, to do the job.
Thank you in advance,
Kind regards from the Netherlands
Hans Heins
Comment by Hans — Friday 7 August 2009 @ 8:32
Hi Hans,
As we discussed via e-mail, I agree that this is confusing. I’ve added an extra UTC column: https://blog.didierstevens.com/2009/08/11/update-userassist-tool-version-2-4-3/
Comment by Didier Stevens — Tuesday 11 August 2009 @ 16:10
[…] My Software, Update — Didier Stevens @ 16:07 I had an interesting discussion with Hans Heins concerning the timestamp displayed by my UserAssist […]
Pingback by Update: UserAssist Tool Version 2.4.3 « Didier Stevens — Tuesday 11 August 2009 @ 16:16
Hi Didier,
Quick question for you please…
If I have only been given one line of data from a dump of UEME_RUNPATH value, how can I use UserAssist to find the correct values? Should the data be saved in a particular format so I can load it into the tool and then run it?
Thanks,
Kate
Comment by Kate — Thursday 1 October 2009 @ 19:29
@Kate
I don’t suppose you know how to program in C#, otherwise you just use the UserAssistKey class and call the method to decode?
You can try this:
Create a new user on Windows XP (if your sample is from an XP system). Export the UserAssist registry keys with regedit as a text file.
Edit the reg file with a text editor and replace the UEME_RUNPATH value with your value.
Import the reg file with my tool.
Comment by Didier Stevens — Thursday 1 October 2009 @ 19:42
Hi Didier,
Thank you for the wonderful tool.
Just one problem I found is that the UserAssist 2.4.3 cannot work on Win 7.
May I know what’s the matter?
Thanks
Comment by Terry — Monday 28 December 2009 @ 3:11
Because the binary data format of the UserAssist values in Windows 7 and Windows 2008 R2 is new and different.
But I’ve a working version: https://blog.didierstevens.com/2009/10/21/a-windows-7-launch-party-trick/
And I’ve written an article on this for the new Into The Boxes forensic magazine to appear January 1st.
Comment by Didier Stevens — Tuesday 29 December 2009 @ 20:17
Love the program. I am curious about something. I’m trying to create a little custom tool utilizing this great tool and was wondering if there was a switch or something I could imput into a batch file or command line with the executable that would tell it which file to open.
i.e. if I wanted something like this
c:\utilities\userassist.exe \\server1\Profiles\tse\%E%\ntuser.dat
using %E% as my variable (which scripting will input the correct variable info – so just need userassist.exe to open the file)
Thanks again for a great tool
Comment by BR — Tuesday 26 January 2010 @ 18:19
@BR
You can do this with Harlan’s RegRipper: http://www.regripper.net/
That’s why I don’t add this functionality to my tool, I share my research on the UserAssist keys with Harlan and he integrates it in his tool.
Comment by Didier Stevens — Wednesday 27 January 2010 @ 9:50
“Ponomaryoff Maxim”‘s comments are ridiculous.
1. These keys were known before you posted about them.
2. If law enforcement relied on those techniques in ANY criminal investigation, they would be public. Disclosure, and all that. Furthermore, police are not “special”, and able to “own” information. Her comments are ridiculous in this respect. If she believes what she says, she is more well-advised to spend her time complaining about criminal investigation shows on television, as they “teach” criminals how to get away with murder and are seen by millions every night. Ridiculous.
3. There are countless other reasons why people should know about what their computer does that has nothing to do with law enforcement. For example, my UserAssist had grown to pages and pages of information (mostly from me re-orgnizing my StartUp shortcute). I deleted the whole thing and that immediately cut my registry size by 15%.
Comment by Samo — Sunday 21 February 2010 @ 19:51
[…] in. For examinations involving user activity, I may be most interested in the contents of the UserAssistCount keys (log2timeline extracts this data, as well), but the really valuable information from […]
Pingback by Even More Thoughts on Timelines | Event Viewer — Tuesday 6 April 2010 @ 3:52
I’m trying to find out how to associate a GUID found in the UserAssist Reg key to a program (Is GUID the right term here?). I know that IE has been run multiple times on a system as there is quite a bit of Internet History for the browser but I don’t see an entry for it in the UserAssist key. I do have a GUID that has has been run over 500 times but how to I associate the program that was run to that GUID? System is Vista.
Entry= UEME_RUNPIDL:::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0}
Is there a way to find this out?
Comment by Dave — Friday 21 May 2010 @ 5:10
@Dave, Yes, search for the GUID in the registry to find out to which programs it is linked.
Comment by Didier Stevens — Friday 21 May 2010 @ 6:22
Mr. Stevens,
About a year ago, I mentioned my use of UserAssistView (NirSoft). Your app is quite similar. Two questions; (1) Have you ever looked and compared your app to NirSoft’s, (2) Is your app portable?
Comment by RoninV — Wednesday 2 June 2010 @ 23:50
My answer to (2) is YES, after reviewing a separate thread regarding this app.
Comment by RoninV — Thursday 3 June 2010 @ 0:06
@RoninV I seem to remember I looked at it some time ago…
Comment by Didier Stevens — Thursday 3 June 2010 @ 14:29
[…] Programs of Use https://blog.didierstevens.com/programs/userassist/ […]
Pingback by UserAssist | Forensic Artifacts — Wednesday 14 July 2010 @ 15:05
Does the USERASSIST program determine if a user’s executable has been renamed to something innocuous like NotePad or Excel? If all that is being tracked is what programs are being run, how does UserAssist know that the program is the *REAL* program? I don’t see how the output from this could be used as evidence if the user could be hiding the execution of some program by appearing to be running some other program.
Comment by Bill M. — Thursday 22 July 2010 @ 2:52
@Bill M. No, the UserAssist registry keys record the name of the program, renaming a program is not recorded in these keys.
You need other forensic evidence (for example the cache) to establish that notepad.exe is indeed notepad.exe and not another program.
Comment by Didier Stevens — Thursday 22 July 2010 @ 19:13
[…] publicó una nueva herramienta llamada UserAssist que nos permite visualizar una lista de los programas que fueron ejecutados en un sistema Windows, […]
Pingback by Descubriendo qué programas fueron ejecutados en Windows « WEB ANTRIX.TK — Sunday 15 August 2010 @ 6:46
[…] ทีนี้ ในการสร้าง keyword ส่วนใหญ่แล้วเราจะกำหนดเป็นคำธรรมดาๆ ภาษามนุษย์ทั่วไป ทำให้ไม่มีทางค้นหาข้อมูลตรงส่วนที่ถูกเข้ารหัสนี้ได้ ดังนั้นวิธีการก็คือใช้โปรแกรมช่วย decode ข้อมูลใน registry ออกมา แล้วดูว่าเครื่องนั้นมีโปรแกรมอะไรที่เคยทำการติดตั้งลงไปบ้าง อ่านเพิ่มเติมได้ที่https://blog.didierstevens.com/programs/userassist/ […]
Pingback by เข้ารหัสข้อความง่ายๆ ด้วย Rot13 | Technology Crime Suppression Division (TCSD) — Thursday 2 September 2010 @ 17:11
[…] Más información sobre UserAssist >> […]
Pingback by Herramienta: UserAssist | Informatica Forense – Pericias Informaticas — Thursday 9 September 2010 @ 3:38
Hi.
Would just start by saying that this is a great site that you have.. I have really gathered a lot of information regarding userassist values here. 1 question remains:
Have you ever discovered what causes the -3 values in the counter? I have quite a few of thoose entries and can’t really stand in court and say that i dont really know what causes the negative values.
I’ve written an EnScript (EnCase) to decrypt and display the values. But once again I do not know what causes the +2 counter values (Which in turn becomes -3 after substracting 5 in XP)
I COULD just ignore them, but it really bugs me not knowing what they stand for.
I can see that another visitor at this site has asked about the same question, but it remained unresolved…
Comment by Rasmus Riis — Monday 27 September 2010 @ 8:11
@Rasmus Riis This -3 value remains an open question. I’ve not been able to reproduce this, and for obvious reasons, people who reported this were not able to share their sample.
Comment by Didier Stevens — Monday 27 September 2010 @ 8:58
Ok… Obviously I cant send you the ntuser.dat that im working on, but if you like, i could e-mail you a sample og an ntuser.dat from my home computer? I know that -3 is in that as well..
Comment by Rasmus Riis — Monday 27 September 2010 @ 9:08
[…] UserAssist […]
Pingback by » Free Computer Forensic Tools — Saturday 6 November 2010 @ 3:46
[…] UserAssist […]
Pingback by » Ferramentas Livres para Forense Computacional — Saturday 6 November 2010 @ 3:55
[…] XP saves the full path and name of the program, last access and the number of total executions. UserAssist is a nice little tool that decrypts the information and displays them it its main window. You can […]
Pingback by Windows stores information about the programs that you use — Wednesday 1 December 2010 @ 21:07
When trying to analyze the ntuser.dat file, UserAssist states “The file didn’t contain UserAssist data”. I noticed someone else had the same issue posted on this site, but when I tried to review the possible solutions…none of it really helped out.
Can you please tell me what would cause this error and how to go about fixing it. Can programs that wipe ntuser.dat have an affect on it as well?
Thanks
Comment by OMBM — Tuesday 21 December 2010 @ 14:28
@ombm try to load the hive with regedit, when thsis works, it will work with UserAssist
Comment by Didier Stevens — Tuesday 21 December 2010 @ 15:40
Good day, Didier! It’s me again =)
I’ve spent some time to investigate a new version of the UserAssist key in Windows 7 and have read your article about a new format for the binary value data (Into The Boxes, Jan 2010, http://intotheboxes.files.wordpress.com/2010/04/intotheboxes_2010_q1.pdf). And now I wanna say about detected problems.
1) You wrote: “From bytes 0 to 3, we find a 32-bit integer that is always zero…”
I checked three randomly selected computers and found that it wasn’t so. I found 0x00000001, 0x0000000A and 0x00000004 values instead of zero. This values are constant for chosen computers. It’s amazing! What do you think about it? Why these values are so various? And what these values can mean? I guess it may be associated with the operating system version, but unfortunately I had too little time to refute or confirm this hypothesis.
2) You wrote: “From bytes 8 to 11, we find another 32-bit counter. This counter is usually larger than the program-execution counter, and I believe it counts the number of times an application receives focus…”
In my case, all these values were never larger than the program-execution counters. For example, when a ProgExec counter was equal 16, the appropriate “focus” counter could be equal 5.
Yours sincerely, P.M.E.
Comment by P.M.E. — Monday 27 December 2010 @ 11:22
@P.M.E. Thanks for sharing your observations, I’ll need revisit this.
Comment by Didier Stevens — Tuesday 28 December 2010 @ 11:21
I try to For advanced users, there’s another key worth looking as as it’s an invite to any Trojan that bypasses your protection.
You can find more info on this by Binging UserAssist
Secure your PC with the following reg changes:
Navigate to
HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\UserAssist\
Delete all the subkeys
Add a new sub key called Settings
Add a new Dword entry under Settings named NoEncrypt with a value of 1
Add a new Dword entry under Settings named NoLog with a value of 1
But it doesn’t work and all was recreated again.
Hope you can help me solve this problem.
Gilbert Parent
Canada
Comment by Guil Paré — Friday 21 January 2011 @ 22:31
@Gilbert Disabling logging like you describe it works only till Windows XP. Starting with Windows Vista, you need to use other keys:
My UserAssist program allows you to enable/disabling logging correctly on the different versions of Windows.
Comment by Didier Stevens — Friday 21 January 2011 @ 23:06
First of all – thank you Didier for this nice write up. And here’re my 2 cents: those first 4 bytes of UEME_CTLSESSION’s value are last 4 bytes of FILETIME structure shifted to the left by 29 bits representing the session’s start timestamp. Something like this could get you that date back – DateTime.FromFileTimeUtc(Convert.ToInt64(first4BytesAsInt32)<<29).
Comment by Vasily Kolobkov — Friday 15 April 2011 @ 23:10
Sorry, made a mistake – initially filetime structure was shifted to the right. Thus we are shifting it to the left to restore the date.
Comment by Vasily Kolobkov — Friday 15 April 2011 @ 23:18
@Vasily Kolobkov Thanks for the info Vasily.
Comment by Didier Stevens — Saturday 16 April 2011 @ 6:20
Hi,
I tried v2.4.3 on windows 7 64-bit; it showed nothing even after I clicked “Load from
local registry”. I assume that’s the way to display what is supposed to be currently
stored in the registry.
Perhaps you have a later version that I missed?
Perhaps the utility does not work on windows 7 64-bit?
PS. I ran the utility with and without “as administrator”
Comment by Dave — Monday 18 April 2011 @ 15:53
@Dave This version doesn’t support Windows 7 (the format has changed). Take a look here for Windows 7:
Comment by Didier Stevens — Monday 18 April 2011 @ 17:44
Hi,
I have identified the registry created for my software in “Most often used programs”
The entry is:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\Cnvag.ARG\CnvagQbgArg.rkr
I wanted to remove my program from the “Most Often Used Programs list, so I deleted the above mentioned registry entry but still it shows up in most often used programs, when I click on “Start”. How do I do this programmatically ?
Comment by Himanshu — Wednesday 27 April 2011 @ 6:53
@Himanshu You restarted explorer.exe?
Comment by Didier Stevens — Wednesday 27 April 2011 @ 8:09
[…] UserAssist […]
Pingback by Free computer forensic tools — Wednesday 25 May 2011 @ 11:37
[…] What’s not quite as well known, though, is that Windows also maintains a longer and separate history of all the programs launched on your computer, including details like the number of times they’ve been run, and the last execution date and time. This information is stored in the Registry (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist), but it’s encrypted, so you’ll need something like the free UserAssist tool to find out more (for Windows 7 use this version –for Windows XP or Vista go here). […]
Pingback by UserAssist uncovers Windows activity logs - Fabtechguy.com — Monday 18 July 2011 @ 23:39
[…] What’s not quite as well known, though, is that Windows also maintains a longer and separate history of all the programs launched on your computer, including details like the number of times they’ve been run, and the last execution date and time. This information is stored in the Registry (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist), but it’s encrypted, so you’ll need something like the free UserAssist tool to find out more (for Windows 7 use this version –for Windows XP or Vista go here). […]
Pingback by UserAssist uncovers hidden Windows activity logs | Information Technology Leader — Wednesday 20 July 2011 @ 7:54
All I got is blank window, no information at all 😦
Comment by Jari — Sunday 24 July 2011 @ 8:09
@Jari I assume you’re trying this on Windows 7? Then you should read comment 108.
Comment by Didier Stevens — Sunday 24 July 2011 @ 8:30
Oh, yes I use Windows 7, my fault. Thank you!
Comment by Jari — Sunday 24 July 2011 @ 8:52
Do you have any command line switches? Thanks
Comment by Jim — Sunday 24 July 2011 @ 14:21
Well, it’s all very interesting if you’re a programmer….I’m an ORDINARY user. Can you explain, in English, the SIMPLE, 1,2,3 steps…go here,click, here, do this or that in order to use this program?
Thanks,
Babs
Comment by Babs — Sunday 24 July 2011 @ 15:48
@Jim No, and that’s by design, beause you should use Harlan Carvey’s RegRipper for command-line operations.
Comment by Didier Stevens — Sunday 24 July 2011 @ 15:56
@Babs No, this is a forensic tool, it is not designed for ORDINARY users. You should not use it.
Comment by Didier Stevens — Sunday 24 July 2011 @ 15:57
I have Win XP SP3. When I run UserAssist, I get zero entries in the table. Even after running several programs, there’s nothing in UserAssist. What am I missing?
Comment by George Rezac — Monday 25 July 2011 @ 0:12
@George Do you know how to use regedit?
Comment by Didier Stevens — Monday 25 July 2011 @ 1:40
Yes.
Comment by George Rezac — Monday 25 July 2011 @ 12:10
@George OK, then take a look at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerUser\Assist
You should find 2 keys ({5E6AB780-7743-11CF-A12B-00AA004AE837} and {75048700-EF1F-11D0-9888-006097DEACF9}), and under these keys you should find many more keys.
Should these keys be missing, then it explains why you don’t see anything.
Comment by Didier Stevens — Monday 25 July 2011 @ 12:55
Each key has one subfolder: Count. There are no keys. OK, so that’s why your program isn’t showing anything, but WHY don’t I have any keys there? I sure haven’t deleted anything.
Comment by George Rezac — Monday 25 July 2011 @ 13:02
@George So there are no REG_BINARY entries under the count keys? Do you use a registry cleaner, or some other maintenance program? Some of them clean these keys.
Comment by Didier Stevens — Monday 25 July 2011 @ 13:08
Each Count folder has the same REG_BINARY entry: HRZR_PGYFRFFVBA with a value of all zeroes. In addition to the two keys, UserAssist has one more folder: Settings, with Default (value not set) and NoLog (value 1).
Yes, I do use various registry cleaners, but I ran your program after opening several applications.
Comment by George Rezac — Monday 25 July 2011 @ 13:17
@George It must be the combination of registry cleaners and the NoLog value. When NoLog is equal to 1, no records are added to the registry keys. You can reset NoLog with my UserAssist program.
Comment by Didier Stevens — Monday 25 July 2011 @ 13:35
[…] UserAssist […]
Pingback by 포렌식 도구 모음 (Digital Forensics Tools) | FORENSIC-PROOF (Digital Forensics Community) — Thursday 1 September 2011 @ 4:09
[…] UserAssist utility displays a table of programs executed on a Windows machine (It works best for XP but there is a non […]
Pingback by What Has Run On My PC? | Real Coding!! — Thursday 29 September 2011 @ 3:23
[…] blog online. This registry key stores data that is ROT13 encrypted and there are a number of free tools out there to decrypt these values from the […]
Pingback by EnCase EnScript to search for keyword in ROT13 or XOR » Digital Evidence — Saturday 22 October 2011 @ 16:42
[…] adındaki aracı indirip sadece çalıştırarak bu listeye ulaşmanız mümkündür. Aracın XP/Vista sürümünü bu adresten, Windows 7 sürümünü ise bu adresten […]
Pingback by Windows’un sizi izlemekte kullandığı 5 yol! | Haber – Mekanı — Tuesday 15 November 2011 @ 16:38
[…] UserAssist database can help. Just install the free UserAssist program (see the comments for a link to a Windows 7-compatible version) to see the database, or disable […]
Pingback by Tutorial: More hidden Windows tips tricks and shortcuts — Sunday 20 November 2011 @ 7:01
[…] from Nirsoft.net userassist from Didier Stevens Categories: Tech Tip Tags: nirsoft, tools, userassist Comments (0) […]
Pingback by Techish Blog » Microsoft Windows UserAssist — Wednesday 30 November 2011 @ 3:25
[…] adındaki aracı indirip sadece çalıştırarak bu listeye ulaşmanız mümkündür. Aracın XP/Vista sürümünü bu adresten, Windows 7 sürümünü ise bu adresten […]
Pingback by Windows’un sizi izlemekte kullandığı 5 yol! | Teknocin — Friday 2 December 2011 @ 6:52
[…] UserAssist […]
Pingback by 101 utilidades forenses | Blog de Seguridad Informática — Tuesday 6 December 2011 @ 8:25
I found your program really useful. Is there going to be an update for windows 7? Thanks very much
Comment by redesyseguridad — Thursday 8 December 2011 @ 6:21
@redesyseguridad Yes, https://blog.didierstevens.com/2009/10/21/a-windows-7-launch-party-trick/
Comment by Didier Stevens — Thursday 8 December 2011 @ 20:45
[…] adındaki aracı indirip sadece çalıştırarak bu listeye ulaşmanız mümkündür. Aracın XP/Vista sürümünü bu adresten,Windows 7 sürümünü ise bu […]
Pingback by Windows sizi gözetliyor! | Chat, Sohbet,chat siteleri, chat odalari — Monday 12 December 2011 @ 19:32
Great tool. I found your program is very useful. It seems working fine and I am able to see all the run count information on XP, Windows 7 and Windows 2008.
However, registry values (run count, focus count and focus time) under UserAssist have seen an mysteriously reset somehow: the run count information came back to 0 and starting increment if a program runs again. And I don’t recall I have done anything to the registry key/value. This happens on Windows 2008 yesterday, which I thought was an accident and tried to forget it but this happen again on Windows 7 again. I am still watching to see if it happens again but I am not able to reproduce again.
Has anyone seen similar behavior?
Comment by JamesZ — Thursday 29 December 2011 @ 22:24
I think I’ve seen this when you disable UserAssist in Windows.
Comment by Didier Stevens — Friday 30 December 2011 @ 9:44
Thanks for your quick response.
I don’t recall I ever did that twice on different machines. Besides, if it is disabled, does the counter still increment ?
Comment by JamesZ — Friday 30 December 2011 @ 15:43
@JamesZ No, it would not.
Comment by Didier Stevens — Saturday 31 December 2011 @ 13:15
To follow up my earlier post, I still see the run count somehow got changed to lower value but I can’t figure out conditions.
Another thing –
When I run a program, for example, notepad from dos box, the utility does not pick up the run count.
However, it does pick up when you either run from start menu or double click a .txt file.
Is that right? If that’s the case, is there any way to track a program running from a dos box.
Comment by JamesZ — Friday 6 January 2012 @ 17:42
@JamesZ Yes, that’s normal behavior, UserAssist keys register interactive program launches via Explorer. Not the cmd box.
Comment by Didier Stevens — Sunday 8 January 2012 @ 8:31
It seems the information stays consistent across different users.
From the registry key name, it appears that it should only tell the run count information of the “current user”. However, when I tried other users, local or domain. As far as on my systems, the usage information does not depends on the user. For example, if one user runs “notepad.exe” for 10 times, registry value reflects that as well as the tools, but with a new user, the registry entry value also shows 10 for “notepad.exe”, so does the tool.
Can you confirm that? Is there a way to change the policy or profile to make the usage tracking information for per user?
Thanks
Comment by JamesZ — Wednesday 11 January 2012 @ 19:59
@JamesZ I’ve no idea why your system is doing this. It shouldn’t. I’ve not seen that before, and you’re the first to report this to me.
Comment by Didier Stevens — Wednesday 11 January 2012 @ 20:17
After I tried with more fresh system. I do see usage varies from user to user.
I think some my systems (vm) were created based on template and sysprep, which already have things and values preoccupied in the registry and I was not careful enough to check line by line but only some values on the top, which seem do not change from user to user. My apology and your quick response is highly appreciated.
Comment by JamesZ — Wednesday 11 January 2012 @ 22:37
[…] of data and have it converted. Alternatively, a very useful utility that can be run locally is UserAssist, which besides looking in HKCU can also read exported reg files and ntuser.dat. This would be more […]
Pingback by A Quick Glance At The UserAssist Key in Windows « Windows Explored — Monday 6 February 2012 @ 15:37
Does Userassist check only the current user or can it check all users that use Windows? I would like to be able to track how often programs are used no matter who has logged in.
Comment by Jason — Thursday 16 February 2012 @ 1:41
@Jason Current user and exported registry from any user.
Comment by Didier Stevens — Friday 17 February 2012 @ 7:34
It’s a great program but I guess it only tracks software started through the Start Menu. We have several programs installed but are not tracked for some reason. They are started by clicking on desktop shortcuts and are not showing up in the software.
Comment by Jason — Friday 17 February 2012 @ 16:33
@Jason It is important to understand that my program does not track anything. It just decodes what Windows Explorer tracks.
Desktop shortcuts are also tracked by Windows Explorer’s UserAssist technology. They show up as .lnk files.
Comment by Didier Stevens — Friday 17 February 2012 @ 17:17
Hi Didier- You did the community a great favor by publishing your findings and the UserAssist tool. One thing that appears to be difficult is making sense out of particular UEME_UITOOLBAR entries that have 130 and 120 associated with them. After spending an hour looking around via search engines , found only republished portions of Harlan Carvey’s book that touches on the subject of the UEME_UITOOLBAR, but really nothing deeper. I even resorted to and digging through MSDN but got deep into the weeds. Do you have a cheat sheet to the popular entries one would find associated with the user interactions with UITOOLBAR?
tm
Comment by TM — Wednesday 29 February 2012 @ 19:48
@TM No, unfortunately I have no cheatsheet. I know MSDN will not help you, but maybe the header files of the Platform SDK have more info.
Comment by Didier Stevens — Thursday 1 March 2012 @ 14:37
FYI, on my Windows 7 Pro x64 machine, the subkeys under the UserAssist key have different values. The only way to get your program to read them was to export the UserAssist key and change the subkey values to the ones you have listed above. Perhaps you should change your program to read any subkeys listed uner UserAssist instead of reading only the listed keys.
Comment by Louis — Friday 9 March 2012 @ 18:28
@Louis Take a look at this: https://blog.didierstevens.com/2009/10/21/a-windows-7-launch-party-trick/
Comment by Didier Stevens — Friday 9 March 2012 @ 21:28
Thanks!
Comment by Louis — Friday 9 March 2012 @ 21:39
[…] adındaki aracı indirip sadece çalıştırarak bu listeye ulaşmanız mümkündür. Aracın XP/Vista sürümünü bu adresten, Windows 7 sürümünü ise bu adresten […]
Pingback by Windows bizi gözetliyor.. | Pcweb — Friday 23 March 2012 @ 17:20
[…] RegRipper – includes rip, ripXP, and regslack MiTeC Registry File Viewer Didier Stevens’ UserAssist Pwdump7 or SAMInside – great way to get password hashes for […]
Pingback by Free Tools | Herouxapps (Home of Freeware) — Wednesday 18 April 2012 @ 23:38
[…] UserAssist […]
Pingback by 101 Utilidades Forenses « Tecnologia al Dia — Tuesday 8 May 2012 @ 14:23
Thanks Didier, Mr Stevens, for the info and great tool which I have just downloaded.
I have my XP Pro setup to use the old Win 2k style start menu, so that those user assist entries inasmuch as the serve the purpose you discovered are utterly useless to me – why Windows still gathers the statistics is a mystery…
Just a FYI, the Google Chrome browser tried to scare us into NOT downloading your zip under the curious pretense that : “this file is seldom downloaded. Are you sure you want to take risks, etc. blah blah…. ? “
Comment by Oldtimer — Sunday 15 July 2012 @ 18:01
@Oldtimer The data is not only used for the start menu, but also for the uninstall control panel.
Comment by Didier Stevens — Monday 16 July 2012 @ 19:36
I have tried your theory on the focus time, I’m not sure if I agree. I took the calc.exe from system32 and copied it to the c:\temp directory. I executed it from there. I did not get an error message, nor I got a running program. UserAssist did have an entry for the newly executed program that never showed up, but the focus time/counter was all zeroes. I tried to make a minor change to the executable to change its hash value and changed its name. Win7 would never execute the program from c:\temp, but UserAssist did counted all attempts. The focus time/counter was zero. I typed the name into the start menu with the path where I could see the executable name in my c:\temp directory and the focus time/counter still did not change. I have copied a program I wrote to c:\temp and launched it. It ran just fine and the focus counter showed values based on how long I’ve ran the program. Thus, it seems to me that your focus counter might be related to some sort of Windows File protection where files known to Windows can only run from certain folders and it should show if the program successfully executed or not. I hope, others can replicate this and find the answer.
Comment by zoltandfw — Saturday 6 October 2012 @ 4:18
@zoltandfw It’s important that we know with what Windows version and what type of account you did your test for us to try to reproduce.
Comment by Didier Stevens — Saturday 6 October 2012 @ 4:35
Looking forward to see what your conclusions will be.
User is a member of “Home Users” and “Administrators” groups.
OS Name: Microsoft Windows 7 Professional
OS Version: 6.1.7600 N/A Build 7600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
System Manufacturer: Dell Inc.
System Model: Latitude D620
System Type: X86-based PC
Processor(s): 1 Processor(s) Installed.
[01]: x86 Family 6 Model 14 Stepping 8 Genuine Intel 2000 Mhz
BIOS Version: Dell Inc. A08, 4/3/2007
Comment by zoltanszabodfw — Sunday 7 October 2012 @ 4:32
@zoltanszabodfw I can’t reproduce your first step. When I copy calc.exe to the temp directory, I can run it from there. Something must be preventing execution on your machine.
Comment by Didier Stevens — Wednesday 10 October 2012 @ 17:47
If I run the following code, it loads the calc.exe from its original location and gets an exit code 0, but if I replace the path to c:\temp, then I get an exit code of 1. I could not find what exit code 1 signified. It might worth to try the focus time with executables that return different exit codes and see how the focus time is updated. I know if you can not recreate what I see, you can not verify my findings, but every time I try it, I get the same results. I’ll keep digging to see if I can find out why this happens. Thanks for looking into this and I hope there will be an answer one day. Anyway, I love your program and keep up the great work you do.
Dim objShell,oExec
Set objShell = wscript.createobject(“wscript.shell”)
Set oExec = objShell.Exec(“calc.exe”)
WScript.Echo oExec.Status
WScript.Echo oExec.ProcessID
WScript.Echo oExec.ExitCode
Comment by zoltanszabodfw — Wednesday 24 October 2012 @ 2:22
I can only assume this program does not work in Windows 7 64bit. I’ve never had it work, however a few years ago I had it work on a XP machine. This could be a great tool if it worked on current systems.
Comment by Anonymous — Thursday 2 May 2013 @ 18:37
@Anonymous Take a look here: https://blog.didierstevens.com/2012/07/19/userassist-windows-2000-thru-windows-8/
Comment by Didier Stevens — Friday 3 May 2013 @ 8:53
[…] quick search on Google talks about UserAssist and of someone that developed a tool to see its data… looking at the source, it seems windows is storing information inside registry about every […]
Pingback by Reversing data and the Scientist method | AO-Sec — Monday 20 May 2013 @ 0:48
There are 72 bytes information, but display only 24 bytes. What about other bytes? What are they meaning?
Comment by Logioniz — Wednesday 26 June 2013 @ 22:39
Sorry, i post previous message for windows 7 and 8 and for version of programs 2.6.0
Comment by Logioniz — Friday 28 June 2013 @ 7:20
@Logioniz That’s not clear yet.
Comment by Didier Stevens — Saturday 29 June 2013 @ 22:15
Didier, doing a preliminary security audit, I just found out an application is accessing the UserAssist keys – should I worry, is this an issue? Are there legitimate reasons to do this or do you know of other applications accessing the keys?
Do you happen to know “who” (which process, or the Windows kernel?) is supposed to read/write this key in normal operation?
Thank you, kind regards
Ben
Comment by Ben — Sunday 28 July 2013 @ 20:02
@Ben Normally the explorer.exe process uses these keys. Prior to Windows 7, the code for this was in browseui.dll. Don’t know in which DLL it is for Windows 7 & 8.
Is this application writing to the keys, or just reading them?
Comment by Didier Stevens — Sunday 28 July 2013 @ 21:32
@Didier I have not established that by now (how would you do that most easily? – normal debugging and reversing is out of question as the executable is heavily armed… maybe the easiest way would be a VM and WinDbg to go for the kernel registry APIs) but I think only reading. I just noticed when going through Process Explorer.
I wonder what might be a legitimate reason for such behavior… Why would you do that if your application did something totally different? What could be the intention behind this?
Comment by Ben — Friday 2 August 2013 @ 15:12
@Ben Use Process Monitor to log all activity from said application. Then use the tools menu to view registry activity of the application, and see to what keys it wrote.
I’ve been contacted several times by developers with question on how to make their application appear high in the start menu.
Comment by Didier Stevens — Friday 2 August 2013 @ 16:53
@Didier great hint, thank you, sometimes you forget about the most obvious things. Maybe startmenu cheating is the reason.
Comment by Ben — Friday 2 August 2013 @ 18:15
@Ben Take a look at Aaron’s presentation at TechEd on Sysinternals tools http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B313
Comment by Didier Stevens — Friday 2 August 2013 @ 21:42
[…] UserAssist […]
Pingback by Tools » Damul's Blog — Thursday 29 August 2013 @ 2:10
Great program! Any chance you can make it process more than one file at a time, or point it at a directory containing numerous registry files. This would be really helpful when dealing with restore points and trying to make a master timeline.
Comment by Anonymous — Friday 4 October 2013 @ 14:50
@Anonymous Have you looked at RegRipper for this?
Comment by Didier Stevens — Sunday 6 October 2013 @ 18:06
Wow, what an unbelievable ad hominem attack by Ponomaryoff Maxim E. And then to back away and say he was not accusing you of being a virus author – ridiculous backtracking. i’m glad you stood your ground. There is nothing wrong with presenting this information, by any realistic and professional standard of practice.
Comment by Anonymous — Monday 5 May 2014 @ 14:44
[…] UserAssist […]
Pingback by Registry analysis | Area-6 - Security and Code Snippets ༼ຈل͜ຈ༽ — Saturday 27 September 2014 @ 20:10
[…] UserAssist […]
Pingback by Free computer forensic tools | Ikatlah Ilmu Dengan Menuliskannya — Thursday 23 October 2014 @ 11:50
[…] UserAssist is a nice little tool that decrypts the information and displays them it its main window. You can clear single entries by right-clicking and selecting clear. If you do have many entries in that list you might want to clear them all by clicking on commands, clear them all. […]
Pingback by Windows stores information about the programs that you use — Tuesday 4 November 2014 @ 13:58
[…] UserAssist […]
Pingback by Forensic Tools | Hendro Wijayanto — Wednesday 5 November 2014 @ 3:48
@Didier
Hello,
Great tool! However, got a question… What are all the folders and identity docs created when UserAssist is run?… location “username”/local settings/application data/Isolatedstorage folder. Why are they created every time UserAssist is run? Are they used or needed by the program, or just trash? Why so many folder creations?
Thanks!
Comment by wilson — Tuesday 2 December 2014 @ 6:56
I use .NETs isolated storage to save the settings
Comment by Didier Stevens — Wednesday 3 December 2014 @ 8:17
Hi dear Didier! I using your tool a long time and i great.Thank you.
Comment by Heli — Thursday 22 January 2015 @ 21:11
Hello, just found this article while trying to figure out a good method of deciding which programs to migrate from my HDD to my new SSD. I found both your tool and the article extremely helpful. Thank you!
I see that (years ago) some people have been commenting saying that they think posting this was a bad idea as it could potentially tip criminals off on how to cover their tracks. While that could potentially be true, it does not mean that we should not all have this information. These are our computers, and we all have a right to know what is going on inside them! To make an extreme example, an understanding of the mechanisms of an operating system could potentially enable someone to create a virus for said operating system. Does that mean that computer science departments shouldn’t teach operating systems courses at universities? Does that mean that people should not publish academic papers on them? Of course not! This is much the same: those of us that want to use this tool for honest, practical purposes should be able to, even if it could potentially enable a few people to use it for malicious purposes.
Anyways, just wanted to lend my support and say thanks!
Comment by MattEnTheHat — Friday 30 January 2015 @ 11:07
[…] На рисунке изображена запись об использовании Панели управления, сделанная в системе Windows XP. Необходимо обратить внимание на префикс “UEME_RUNCPL”, с которого начинается каждая строчка. Это идентификатор, используемый в системах XP и Vista для обозначения действий, связанных именно с выполнением апплетов Панели управления. В нашем случае мы видим, что пользователь запускал четыре разных апплета, всего 10 раз. Последний раз апплет был запущен 4 мая 2013г в 21:41:41. Инструмент для сбора доказательств UserAssist был разработан Дидье Стивенсом. […]
Pingback by Расследование манипуляций с панелью управления. Часть 1 | FNIT.RU — Wednesday 15 April 2015 @ 19:20
Hi! I’m searching for a way to check how many discs (CD/DVD) a given Windows Vista user has burnt (in general) using third party application (that app does not create visible/ .txt logs). Could you/ anyone help? Do you/ anyone know any records/ entries/ artifacts that can be useful in obtaining such information? Thanks in advance.
Comment by TheFruiter — Sunday 13 September 2015 @ 9:59
@TheFruiter No, sorry.
Comment by Didier Stevens — Sunday 13 September 2015 @ 21:48
Is this tool stil relevant in Windows 8.1 and 10? Can i get this in a .dll form cos I’m not familiar with C# or .net and just want to use this from IronPython.
Comment by Throu — Sunday 13 December 2015 @ 11:10
@ThrouWhat do you mean with relevant?
Comment by Didier Stevens — Sunday 13 December 2015 @ 16:02
I’m trying to load offline “NTUSER.DAT” copied from Windows 2008 R2 Server machine, but it says “The file didn’t contain UserAssist data”. I’m able to load file using “regedit”. Any suggestion?
Comment by Anonymous — Monday 7 March 2016 @ 18:02
Are you matching bitness? Source and analysis machine must be both 32-bit or 64-bit.
Comment by Didier Stevens — Monday 7 March 2016 @ 20:43
yes both machine are 64 bit, anyway I exported UserAssist key to .reg file and opened it with your tool, thanks! I may do more debugging for the issue when I have time.
Comment by Anonymous — Tuesday 8 March 2016 @ 9:50
[…] UserAssist […]
Pingback by 140 Herramientas Gratuitas para Análisis Forense - Un Investigador Digital Forense — Friday 10 June 2016 @ 17:53
[…] UserAssist : Displays list of programs run, with run count and last run date and time https://blog.didierstevens.com/programs/userassist/ […]
Pingback by Free Computer Forensic Tools « Gerald's Brain Dump — Wednesday 21 September 2016 @ 13:43
[…] UserAssist : Displays list of programs run, with run count and last run date and time https://blog.didierstevens.com/programs/userassist/ […]
Pingback by COMPUTER FORENSIC TOOLS – DIGITAL FORENSICS | CYBER OF THINGS — Tuesday 27 December 2016 @ 11:18
[…] UserAssist […]
Pingback by 140 Herramientas Gratuitas para Análisis Forense - REDLIF — Thursday 29 December 2016 @ 21:26
Hi Didier, great tool. What appears to me is that this program will need to be run locally on a machine and will provide the usage statistics for only the logged in user. Is there a way to get this information for all the users on the machine in one go? There must be as the registry is saving the data somewhere and then populating the HKEY_CURRENT_USER based on who is the user logged in. In other words is there a way to visualize the HKEY_CURRENT_USER for all users through a program?
Comment by AN — Wednesday 5 April 2017 @ 13:09
Not with my tool, but there are many command line tools, like http://www.forensicswiki.org/wiki/Regripper
Comment by Didier Stevens — Thursday 6 April 2017 @ 6:53
re: Post #22 Using Regedit to convert Ntuser.dat to a reg file
D. Stevens: I am examining a mounted Windows 10 image. The objective is to use your tool to examine the Userassist data in the Ntuser.dat of that image.
I verified that Ntuser.dat, the file copy, and the loaded hive contain Userassist data. However, when I proceeded to load the new “investigation.reg” file in UserAssist 2.4.3, I still receive the error ‘The file didn’t contain UserAssist data”. What do you suggest ?
Comment by Orit — Wednesday 4 April 2018 @ 17:39
I’ll take a look
Comment by Didier Stevens — Monday 9 April 2018 @ 6:33
currently experiencing the same problem as Orit (— Wednesday 4 April 2018 @ 17:39) however I am using version 2.6.0.
Comment by Geoff Rempel — Monday 18 June 2018 @ 22:06
Getting the error: The file didn’t contain UserAssist data” ? Right click the .exe and run as admin. Solved my Problem.
Comment by Craig Cilley — Thursday 16 August 2018 @ 12:33
[…] That was an interesting request: I did not know Nessus came with such a plugin, although I’m very familiar with the UserAssist registry keys. […]
Pingback by Nessus’ UserAssist Plugin – NVISO Labs — Monday 28 October 2019 @ 10:22