Didier Stevens

UserAssist

The UserAssist utility displays a table of programs executed on a Windows machine, complete with running count and last execution date and time.

Windows Explorer maintains this information in the UserAssist registry entries. My program allows you to display and manipulate these entries.

userassistv2a.PNG

I posted my program (source code and binaries) here. Download the ZIP file, you’ll have to extract UserAssist\UserAssist\bin\Release\UserAssist.exe to get my program. There is no setup, it’s just one executable. You’ll need the .NET Framework 2.0 runtime to run my program (download it only if you have a problem running my program, if you have an up-to-date version of Windows XP, the .NET 2.0 Framework will already be installed).

I also maintain a Windows Live CD plugin for my UserAssist utility.

Program features and operation is described in the About box:

The program UserAssist displays a list of the programs run by a user on Windows.

Windows Explorer displays frequently used programs on the left side of the standard XP Start menu.
The data about frequently used programs is kept in the registry under this key:
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist

This program decrypts and displays the data found in the registry under the UserAssist key.

When started, the program retrieves the data for the current user and displays it.
The display is not refreshed automatically when Windows Explorer updates the registry entries.
To refresh the display, execute the 'Load from local registry' command.

Columns in the listview:
Key:
this value is {5E6AB780-7743-11CF-A12B-00AA004AE837} or {75048700-EF1F-11D0-9888-006097DEACF9}
those are the keys found under the UserAssist key, and are included in the list view to distinguish the entries.

Index:
a running counter, indicating the sequence of values in the registry
At first, the entries are listed in the sequence they appear in the registry. You can sort columns by clicking on the header.
To revert to the original sequence, sort the column Index and then the column Key

Name:
The name of the value registry entry. This references the program that was run. This key is ROT13 encrypted, the displayed name is decrypted.
There is a registry setting to prevent encryption of the log, but this program does not support this setting.

Unknown:
a 4 byte integer, meaning unknown. It appears to be present only for session entries (UEME_CTLSESSION).

Session:
This is the ID of the session (a 4 byte integer).

Counter:
This is the number of times the program was ran (a 4 byte integer).

Last:
This is the last time the program was ran (a 8 byte datetime).
The value is displayed with the timezone of the machine running this UserAssist tool.
Watch out for time zone differences when importing a REG file from a system with different regional settings.

Last UTC:
This is the last time the program was ran (a 8 byte datetime) in UTC. 

Commands:

'Load from local registry'
Displays the data for the current user.

'Load from REG file'
Loads a REG file and imports the UserAssist key.
This command doesn't check the full path of the UserAssist key, thus allowing the analysis of NTUSER.DAT hives loaded and exported with another path.
Use this command if you cannot run the program on the machine you want to analyze.
Loading the data from a REG file disables editing commands.

'Load from DAT file'
Loads a registry hive file (a DAT file like NTUSER.DAT) and imports the UserAssist key.
The DAT file is temporarily loaded in the registry under the USERSLoadedHive key. Be sure to have the local admin rights to access the file and load it.
Use this command if you cannot run the program on the machine you want to analyze.
Loading the data from a DAT file disables editing commands.

'Highlight'
Allows you to type in a search string (a regular expression is accepted), each entry matching this string will be highlighted in red.
The highlighting stays active during reloads. Type an empty string to disable the highlighting.

'Save'
This saves the data as a CSV file or a HTML file (choose file type).
'Clear All'
This deletes the {5E6AB780-7743-11CF-A12B-00AA004AE837} and {75048700-EF1F-11D0-9888-006097DEACF9} keys.
All data is lost, and no new data is recorded until Windows Explorer is restarted.
This will impact the frequently run program list on your Start Menu, and maybe other things. I had no other side-effects on my test machines.
This command is disabled when a REG file is loaded.

'Logging Disabled'
Enabling the 'Logging Disabled' toggle allows you to permanently disable the logging of user activity in the UserAssist keys by creating a value
HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssistSettingsNoLog equal to 1.
Disabling the 'Logging Disabled' removes the NoLog value (apparently, setting it to 0 doesn't prevent logging).
This setting is only effective after Windows Explorer is restarted.
This command is disabled when a REG file is loaded.

Right-clicking an entry will display a menu:

'Clear' will delete the selected entries. The index field of the remaining entries is not changed, they only change after reloading the registry.
This command is disabled when a REG file is loaded.
'Explain' will analyse the contents of the name field and try to explain its meaning (based on empirical data).
userassist_explain_1.png
This program has been tested on Windows XP SP1, SP2, Windows 2003 and Windows Vista.
Microsoft doesn't publish official documentation for UserAssist data. I've found info on the WWW (google for UserAssist) and I discovered the meaning of the binary data through trial-end-error testing.
In other words: use this program at your own risk.

Ways to restart Windows Explorer:
1) Task Manager: kill the explorer.exe process and start a New Task explorer.exe
2) logoff / logon
3) reboot

Download:

UserAssist_V2_6_0.zip (https)
MD5: 04107FE15FC676B7A701760C9C6D2F81
SHA256: F6F73F4E00905A7727ED4136DE875DD1FBCF4B90FFEE4B93D4A46E58C0314D45

185 Comments »

  1. [...] I’ve published a BartPE plugin for my UserAssist utility, you can download it here (https, MD5 D43E519B7BCE90F31EB54884E7AA75C1). And I’m posting another movie. Windows Live CDs are a popular troubleshooting and forensic investigation tool, they allow you to boot a (Windows) PC from a CD. Bart Lagerweij developed BartPE, a tool to create a Windows Live CD (a Windows “pre-install” environment CD), and several people build their own tools based on his work. The Ultimate Boot CD for Windows is based on BartPE. [...]

    Pingback by A Windows Live CD plugin for my UserAssist utility « Didier Stevens — Monday 18 September 2006 @ 15:24

  2. Nice tool! Questions: I’m not at a programmer. To run the application, do I need only the Bin folder and its contents? Can I delete the Obj and Properties folders? One suggestion is that perhaps you can consider adding a search feature. Thanks!

    Jimmy Weg, CFCE
    Agent in Charge, Computer Crime Unit
    Montana Division of Criminal Investigation
    303 N. Roberts, Room 371
    Helena, MT 59620
    406.444.6681
    406.439.6185 (cell)
    jweg@mt.gov

    Comment by Jimmy Weg — Monday 30 October 2006 @ 22:02

  3. 1) you only need UserAssist.exe in folder UserAssist\bin\Release, and you can put it anywhere, e.g. on your desktop.
    2) yes, you can delete everything, except UserAssist.exe
    3) I’ll probably have a search function in a new version, but for now, you can use the Save function. It creates a CSV file. You can read it with Excel or notepad, and use their search function

    Comment by Didier Stevens — Monday 30 October 2006 @ 22:14

  4. [...] XP saves the full path and name of the program, last access and the number of total executions. UserAssist is a nice little tool that decrypts the information and displays them it its main window. You can [...]

    Pingback by Windows stores information about the programs that you use » gHacks tech news — Monday 22 January 2007 @ 12:50

  5. Great tool ! Thanks for sharing it with the community !

    Comment by Wag — Tuesday 23 January 2007 @ 11:03

  6. Very nice tool! Thanks for sharing. It’s nice to have a tool that automatically de-ROTs the values instead of having to run them through another script.

    Comment by Michael H — Wednesday 24 January 2007 @ 0:40

  7. [...] Filed under: My Software — Didier Stevens @ 11:30 My article about my UserAssist forensic tool has been published in the February 2007 issue of (IN)SECURE Magazine [...]

    Pingback by UserAssist article published in (IN)SECURE Magazine « Didier Stevens — Thursday 15 February 2007 @ 11:30

  8. Bad idea!
    This key and the meanings of its parameters was known by me from 2004, but I published my investigation only for restricted access (only for law enforcement agencies). I consider information about the UserAssist key very important for computer crimes’ criminalistic expertises. I can’t understand reasons for your publication. This key was a helpful tool for criminalists, and you broke it. Why? The key wasn’t dangerous for ordinary users. Now, any computer criminal can read your article, use your utility and hide own unlawful engagement. You are an IT Security Consultant! Are you really think your article is so nessessary? I am very disappointed by your publication.

    PS.Some years ago Mr. Khizhniak, my compatriot :(((, wrote the book about creating of computer viruses (Part I) and antiviruses (Part II). As result a lot of “Khizhniak-based” viruses was created by so-called “hackers” which indeed couldn’t develop any simplest virus singly without the book. None of antiviruses was created. Do you like similar results? After publishing your article will help only computer criminals and create problems for specialists.

    Yours sincerely,
    Ponomaryoff Maxim E.,
    Information Security Consultant. Yekaterinburg. Russia.

    Comment by Ponomaryoff Maxim E. — Friday 16 March 2007 @ 10:34

  9. > I consider information about the UserAssist key very important for computer crimes’ criminalistic expertises.
    It is, and that’s why I published it. Read the comment by Jimmy Weg, Agent in Charge, Computer Crime Unit, Montana Division of Criminal Investigation. He did not know about this technique prior to using my program.

    The information is on the web since October 2003 at least, read here: http://www.personal-computer-tutor.com/abc3/v29/vic29.htm

    Associating me with virus writes is a blow below the belt, it’s like a tactic used by corrupt politicians & consorts.

    Comment by Didier Stevens — Sunday 18 March 2007 @ 14:17

  10. Excuse me, if my words offended you. I present you my open-hearted apologies. I didn’t assosiate you with virus writes, moreover I was sure you was leaded by good wishes, but ones could bring to bad results (my example was written only for this aim). I’d read the comment by Jimmy Weg, and I’m glad for him. But soon criminals will clear the UserAssist key with your fine (indeed) utility. What will Mr. Weg do in this case?

    As before I consider this information had to be published only for restricted access (only for Mr. Weg and his colleagues).
    I don’t pretend to any priority. I descovered the UserAssist key singly, and didn’t know about other publications. Thanks for the link, and sorry for my English.

    Yours sincerely,
    Ponomaryoff Maxim E.

    Comment by Ponomaryoff Maxim E. — Monday 19 March 2007 @ 10:49

  11. > I present you my open-hearted apologies.
    Apologies accepted! As a non-native English speaker, I also know how sometimes your words can be misunderstood.

    I wonder how you bring evidence, based on the UserAssist keys, into court? If you keep the technique secret, has the defense no right to examine your evidence? Does the judge accept the data?

    Comment by Didier Stevens — Monday 19 March 2007 @ 17:31

  12. [...] Read more… Tags: binary data, didier, encrypted, ive, registry keys, rot13, Spyware, stead, timestamp, treeview, utility windows, windows explorer Posted on Tuesday, March 27th, 2007 at 6:08 pm and under category News. You can read any responses through the RSS 2.0 feed. You can give a response, or trackback from your site. « IE lets attackers hijack network traffic Tools – Fuzzled – a Perl Based Fuzzer » [...]

    Pingback by Internet Security and Programming » Blog Archive » Didier Stevens - UserAssist utility — Tuesday 27 March 2007 @ 11:09

  13. On XP SP2 I keep getting “The application failed to initialize properly (0xc0000135).” What am I missing?

    Thanks!

    Comment by Hank — Thursday 5 April 2007 @ 5:29

  14. Dear Didier Stevens!
    I imagine the answer to your question approximately as follow…
    Our national justice has some differences from European or American one.
    So when a government investigator needs in special knowledges, he can appoint an expertise (ballistic, graphologic, computer, etc.) He forms a list of questions to the expert. The expert gives a precise answers as far as possible, and writes the expert’s report. After when the prosecution presents the expert’s conclusion to the court, all employed techniques must be described and be based on some official documents or be validated by an experiments. In our case because Microsoft hasn’t still published the official information about the UserAssist key, I’ll have to describe my experiments to prove truth of my resumes. But the expert’s conclusion also can be used in non-judicial practice (by special officers or special agents. Mostly I cooperate with them but I’m not able to find more correct english term to name them.) In that case I am allowed to describe nothing from my techniques.
    PS. I have a small remark to your utility. You use the last time the program was ran in local time mode, and warn about possible differences. I added to your code a new column (Last UTC) because the FILETIME structure kept time exactly in this mode (as you know). When an expert examines a REG-file from another computer, this modification can be very helpful.

    PPS. On my XP SP2 your utility works correctly. My version too =)

    Yours sincerely,
    Ponomaryoff Maxim E.

    Comment by Ponomaryoff Maxim E. — Friday 27 April 2007 @ 5:51

  15. Thanks for your answer Maxim. Excellent idea to add an UTC column, thanks for the suggestion!

    Comment by Didier Stevens — Tuesday 1 May 2007 @ 18:34

  16. Great tool! One question… I am curious about the “Counter” field indicating how many times a resource was run. How did you determine that the 4 bytes you use for this are counts? I have been forever looking for a resource that documents this part of the UserAssist keys…

    Thanks JS

    Comment by JS — Friday 1 June 2007 @ 18:24

  17. It’s explained in an older post: http://didierstevens.wordpress.com/2006/07/24/rot13-is-used-in-windows-you%e2%80%99re-joking/
    And also in my article in (IN)SECURE Magazine issue 10: http://www.net-security.org/dl/insecure/INSECURE-Mag-10.pdf

    Comment by Didier Stevens — Wednesday 6 June 2007 @ 16:51

  18. [...] @ 6:29 I was a speaker at the local ISSA chapter last Monday. My talk explained how to use my UserAssist tool for forensic analysis. The audience had great questions for me at the Q&A, some of which I want [...]

    Pingback by UserAssist Q&A « Didier Stevens — Wednesday 20 June 2007 @ 6:29

  19. Good application. Just wondering if there would be a simple way to save the report in html, and as Jimmy said, a search feature would be great. Thanks

    Chad

    Comment by Chad Gish — Thursday 28 June 2007 @ 22:56

  20. Can you suggest a tool to convert NTUSER.DAT files from a user profile to .REG files so that they can be viewed using your tool?

    I have tried Registry File Viewer which will export to REGEDIT4 format, but your UserAssist utility says that the file doesn’t contain UserAssist data.

    Comment by Sean McLinden — Thursday 5 July 2007 @ 19:23

  21. You can use Regedit. I show it in the movie of this post: http://didierstevens.wordpress.com/2006/09/18/a-windows-live-cd-plugin-for-my-userassist-utility/

    And I also explain it in my (IN)SECURE Magazine Issue 10 article (page 72): http://www.net-security.org/dl/insecure/INSECURE-Mag-10.pdf

    Comment by Didier Stevens — Thursday 5 July 2007 @ 19:37

  22. @Chad

    I’m preparing a new version, HTML export can be included, but I don’t know if I want to spend the time programming search. Actually, it’s not the Find function that is complex, but the Find Next function.

    Comment by Didier Stevens — Thursday 5 July 2007 @ 19:46

  23. I was hoping to avoid using something like UBCD4WIN just because I’ll have to make another restore from Encase. But if that is the only way, I guess I’ll do it that way.

    Importing into a live Windows using Regedit overwrites the existing settings. Bad thing to do with an investigator laptop.

    Thanks.

    Comment by Sean McLinden — Thursday 5 July 2007 @ 20:16

  24. You don’t need a live CD, read my article, you can work with a copy of
    NTUSER.DAT and load the hive. This does not overwrite your settings.

    Comment by Didier Stevens — Thursday 5 July 2007 @ 20:23

  25. Thanks, that did it.

    Comment by Sean McLinden — Thursday 5 July 2007 @ 20:49

  26. Is there a commandline version that can be run and dump the output to a txt or cvs or html report?

    Comment by Brian — Monday 16 July 2007 @ 16:40

  27. [...] Engineering, My Software — Didier Stevens @ 6:05 I’m releasing version 2.3.0 of my UserAssist tool with these new [...]

    Pingback by UserAssist V2.3.0 « Didier Stevens — Tuesday 17 July 2007 @ 6:05

  28. [...] Stevens has released the latest iteration of his incredibly handy tool UserAssist. This tool, in a nutshell, displays a table of all of the programs executed on a windows machine. [...]

    Pingback by Liquidmatrix Security Digest » Stevens Releases UserAssist V2.3 — Tuesday 17 July 2007 @ 12:14

  29. @Brian

    I’ll see if I can add command-line support.

    Comment by Didier Stevens — Tuesday 17 July 2007 @ 13:15

  30. [...] My Software — Didier Stevens @ 8:11 My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent But I’m not French, I’m [...]

    Pingback by CyberSpeak interview « Didier Stevens — Monday 23 July 2007 @ 8:12

  31. Didier,

    Great tool … thanks.

    Is it possible to get an explanation of the keys that are referenced in the output. I think that the list of possible keys that occur are:

    UEME_RUNPIDL:
    UEME_RUNPATH:
    UEME_CTLSESSION
    UEME_CTLCUACount:
    UEME_UISCUT:
    UEME_UIQCUT:
    UEME_UIHOTKEY:
    UEME_RUNWMCMD:
    UEME_RUNCPL:
    UEME_UITOOLBAR:

    I am attempting to use the data from a suspect’s imaged hard drive to show that the majority of his time on the computer was spent playing games and on the net. The data shows that there is many uses of Freecell and Hearts but there are even more occurrences of UEME_UIQCUT, UEME_RUNPATH, and UEME_RUNPIDL. What are these keys?

    Comment by Mark Hallman — Friday 24 August 2007 @ 19:44

  32. Be aware that the UserAssist entries only list how often a program has
    been started by a user and when it what last started. So it’s not the
    tool to assess how *long* programs were running.

    UEME_UIQCUT

    Applications launched from the quick launchbar are logged under the
    entry UEME_UIQCUT. There is no separate entry with the name or path of
    the launched application. I think the logic behind this is the
    following: the UserAssist entries are maintained by Windows Explorer
    to display the most frequently run applications on the start menu.
    Applications launched from the quick launchbar have already their
    “special” place on the GUI Windows, so there’s no need to keep stats
    about their usage.

    UEME_RUNPATH

    This is logged each time a program is started, look at the path to see
    which program. When a program is started by double-clicking it in
    Windows Explorer or by typing its name in the Run command, RUNPATH
    entries are created/updated but no UEME_RUNPATH entries are.

    A PIDL is a Pointer to an ID List. Every item in Explorer’s namespace,
    whether it’s a file, directory, Control Panel applet, or an object
    exposed by an extension, can be uniquely specified by its PIDL. If the
    UEME_RUNPIDL values starts with %csidl2%, then it refers to the start
    menu. Notice that most UEME_RUNPIDL values are names of folders in the
    start menu of shortcuts in the start menu (.lnk)

    If you’re a programmer, an PIDL is Pointer to IDL, and IDL is short
    for ITEMIDLIST (http://msdn2.microsoft.com/en-us/library/ms538107.aspx).
    Remember that we’re talking about Windows Explorer here, aka the
    shell, and a PIDL and ITEMIDLIST are shell structures used by
    programmers.

    You can find more information here:

    http://sistersincrime.toronto.on.ca/internetspysoftware.php

    Comment by Didier Stevens — Saturday 25 August 2007 @ 10:05

  33. [...] a key named Settings and under this new key create a DWORD value named NoLog with value 1. My UserAssist tool has a menu toggle (Logging disabled) to do this [...]

    Pingback by Disabling UserAssist Logging for Windows Vista « Didier Stevens — Saturday 8 September 2007 @ 20:14

  34. [...] programmino, che richiede il .NET Framework è scaricabile qui con i sorgenti. E’ anche disponibile un plugin per BartPE [...]

    Pingback by UserAssist: what is this? « Fare, disfare e rifare — Thursday 20 September 2007 @ 7:13

  35. This functionality is available from within Access Data’s program for reading the registry.

    Comment by Anonymous — Thursday 11 October 2007 @ 20:40

  36. And it’s also free and open source?

    Comment by Didier Stevens — Thursday 11 October 2007 @ 21:07

  37. [...] Forensics, My Software — Didier Stevens @ 6:36 The most important feature of this new UserAssist version is the explain command. Now you can right-click an entry, select explain and get a nice explanation [...]

    Pingback by UserAssist V2.4.1 « Didier Stevens — Tuesday 16 October 2007 @ 6:36

  38. Great tool. Is there a way to connect to a remote registry?

    Comment by John — Tuesday 30 October 2007 @ 13:07

  39. I didn’t program that feature, but I’ll add it to my todo list.

    However, you can connect to the registry of a remote machine with regedit. Export the UserAssist keys and load the exported file in my tool.

    Harlan Carvey has scripts that work remotely, but I don’t believe his scripts for the UserAssist keys work remotely. They operate on the hive file. His tools are included with his book http://www.syngress.com/catalog/?pid=4230.

    Comment by Didier Stevens — Wednesday 31 October 2007 @ 19:46

  40. [...] UserAssist – Una herramienta relativamente poco conocida de Didier Stevens que nos saca una lista de los programas que se han ejecutado, cuándo, y cuántas veces. [...]

    Pingback by alfredo reino » Archivo del Blog » Herramientas útiles — Friday 16 November 2007 @ 10:46

  41. [...] under: Forensics, My Software, Update — Didier Stevens @ 9:29 Just a small change in this new version: now you can disable the automatic loading of the local registry data when the UserAssist tool is [...]

    Pingback by Update: UserAssist V2.4.2 « Didier Stevens — Monday 26 November 2007 @ 9:29

  42. [...] like the UserAssist entries for Windows Server 2008 have the same format as for Windows Vista, my UserAssist tool can also extract the data from Windows Server [...]

    Pingback by Quickpost: Windows Server 2008 UserAssist Keys « Didier Stevens — Friday 11 January 2008 @ 18:37

  43. [...] From now on, I’ll update it each time I release a new version of my UserAssist utility. [...]

    Pingback by Update: A Windows Live CD plugin for my UserAssist utility « Didier Stevens — Monday 28 January 2008 @ 8:17

  44. Hi Didier,

    Can you please explain why I would receive a counter of zero? All my results for PIDL %csid16% came back with a counter of zero.

    Great tool by the way!

    Thanks in advance,

    Jenny

    Comment by Jenny — Thursday 7 February 2008 @ 21:15

  45. A counter equal to 0 indicates that the user right-clicked on the item in the start-menu and selected the command to remove the item from the list.

    Comment by Didier Stevens — Thursday 7 February 2008 @ 21:34

  46. [...] many values include FILETIME objects embedded within their binary data. For example, beneath the UserAssist keys, many of the values found within the Count subkey have 16 bytes of binary data associated with [...]

    Pingback by Log Analysis Professionals » Blog Archive » The Windows Registry as a Log File — Tuesday 8 April 2008 @ 11:33

  47. Didier. Thanks for the great tools. On UserAssist, (I am not a computer pro – just a power user), the output is generally a history report…yes? Therfore, all entries accessible by a right click can be safely deleted (clear tracks)…yes? Then, recycle bin shredding and overwrite will remove final traces, correct? Thx!

    Comment by Bruce Ades — Wednesday 14 May 2008 @ 11:18

  48. The UserAssist keys contain historical data.
    When you use my UserAssist tool to delete entries, it will actually delete registry keys. Deleted registry keys are not moved to the recycle bin, so there is no need to empty the recycle been.

    However, I suspect that deleted registry entries are still present in the registry hive files (like NTUSER.DAT), until their space is reused. Registry compacting should take care of this.

    Comment by Didier Stevens — Friday 16 May 2008 @ 16:28

  49. Hi,

    program looks great but does not run on Windows 2000. It starts without opening a window and keeps the cpu goin’ on 100%. When opening using a shortcut and setting the window maximized it opens but does not show data or menu text. Also 100% cpu until I terminate the program.
    Dot.Net2 SP1 installed. Hope you can tweak the program to let it run on W2K.
    In the registry the keys look the same as described everywhere on the ‘net.

    Comment by Hans — Saturday 31 May 2008 @ 22:34

  50. I’ve used it in the past on W2K, it works. I believe that you’ve so much entries in the UserAssist keys, that it takes a long time for my utility to analyze them all and display the result. Let the program run for some time and see what happens.

    Comment by Didier Stevens — Sunday 1 June 2008 @ 9:15

  51. Thanks very much for sharing your powerful and handy tool.

    Question 1:
    What causes the counter to have a negative value?

    Question 2:
    What causes the counter to have “Removed from list” instead of a number?

    I’ve been using this tool for some time, but today I have encountered above
    cases for the first time.

    Comment by Nobuyuki Hirato — Monday 4 August 2008 @ 9:01

  52. In fact, the counters are stored inside the binary registry data with an offset of 5. So if a program has been executed exactly once, the counter stored inside the binary registry data is equal to 6, and my UserAssist utility will subtract 5 and display 1. I believe that this +5 offset is a classic programming trick used by the MS programmers to be able to store special values in the same binary format.
    One special value I’ve identified is 0: this indicates that the program is never to appear in the start menu in the most executed programs list. A user can decide to remove a program from the start menu list by right-clicking the entry and selecting “Remove from this list in de context menu. Internally, this action assigns a value of 0 to the counter. I’ve programmed UserAssist to display “Removed from list” in the counter column.
    Negative values in the counter column are special values that I’ve not yet identified. I’ve had reports of installation programs creating userassist registry entries with values 1 or 2, but I don’t know what this implies.

    Can you share which programs you’ve found with ‘negative counter values’?

    Comment by Didier Stevens — Monday 4 August 2008 @ 17:11

  53. Thanks for quick reply.

    > Can you share which programs you’ve found with ‘negative
    > counter values’?

    Yes.
    This time I’ve encountered two .url files under UEME_RUNPIDL:%csidl6%\, both indicated with values of -3.

    > Internally, this action assigns a value of 0 to the
    > counter. I’ve programmed UserAssist to display “Removed
    > from list” in the counter column.

    Does it mean all 0’s in the counter column should be
    replaced with “Removed from list”?
    I see a lot of entries with counter 0, apart from ones with “Removed from list”. Again, predominantly UEME_RUNPIDL:%csidl6%\??????.url ones.

    Comment by Nobuyuki Hirato — Tuesday 5 August 2008 @ 3:56

  54. No, a 0 counter in the Counter column of the UserAssist utility means again that this is a special value, but its meaning is unknown.

    csidl6 is the special directory with the user’s favorites.

    Is the last timestamp empty?

    Comment by Didier Stevens — Tuesday 5 August 2008 @ 18:35

  55. No, both of the two entries having -3 in Counter do have
    Last timestamps.
    As for the ones having 0 in Counter, Last timestamps are
    all empty.

    Comment by Nobuyuki Hirato — Wednesday 6 August 2008 @ 2:53

  56. That’s normal. I did some testing with favorites, but couldn’t reproduce the -3 counter.

    If you find more info, please let me know.

    Comment by Didier Stevens — Thursday 7 August 2008 @ 16:18

  57. OK. I’ll inform you when I find out something further.
    Thank you.

    Comment by Nobuyuki Hirato — Friday 8 August 2008 @ 11:13

  58. Thank you for your tool – I am looking for an explanation for “session” Is this an incremental # for every logon/boot. Am I correct that this session number only identifies the last session an application was accessed and need to use restore points to obtain if the application was used on a specific day – Thank you! – Paul

    Comment by Paul Smith — Thursday 23 October 2008 @ 12:42

  59. I have no definite explanation for the session value.
    I’ve not observed an increase of this value for every logon, but I’ve observed increments with 1 about every 24 hours, when the machine was on. Not exactly 24 hours, but a bit longer, and the variance looked random.

    Comment by Didier Stevens — Thursday 23 October 2008 @ 17:55

  60. I went to the old listing for your app (http://blog.didierstevens.com) and that led me to “gotdotnet” that no longer exists. Glad I found your new location. I’ve been using NirSoft’s UserAssistView (v1.00) since January09.

    Comment by Ronin Vladiamhe — Tuesday 9 June 2009 @ 21:57

  61. Hi Didier
    First of all I must tell you that your tool is really great!!! Has been really helpful to me, and I’d need your help with something that has been a really big problem to me.
    I need to get all the possible information related to the Quick Launch items, and the applications that have been raised using the Quick Launchbar. In a previous post you said something like this:

    Be aware that the UserAssist entries only list how often a program has
    been started by a user and when it what last started. So it’s not the
    tool to assess how *long* programs were running.

    UEME_UIQCUT

    Applications launched from the quick launchbar are logged under the
    entry UEME_UIQCUT. There is no separate entry with the name or path of
    the launched application. I think the logic behind this is the
    following: the UserAssist entries are maintained by Windows Explorer
    to display the most frequently run applications on the start menu.
    Applications launched from the quick launchbar have already their
    “special” place on the GUI Windows, so there’s no need to keep stats
    about their usage.

    Would be really great if you could tell me where is this “special” place, that would solve my problem once and for all.
    Sorry my english, and hoping that you can help me soon. I’ll be really thankful for your help,
    Yosmel.

    Comment by Yosmel — Thursday 2 July 2009 @ 18:31

  62. @Yosmel

    I fear you misunderstood me. With “special place on the GUI Windows”, I mean that the Quick Launch items have their fixed place (to the right of the Start button).

    Like I wrote: “so there’s no need to keep stats about their usage.” The UserAssist data doesn’t contain info on Quick Launch items

    Comment by Didier Stevens — Friday 3 July 2009 @ 15:33

  63. Hi Didier
    First of all thanks a lot for your reply.
    I just tought that maybe you know where this information was stored on registry.
    As you said, “Applications launched from the quick launchbar are logged under the entry UEME_UIQCUT”, and I see that this counter is increased each time you click a quick launch item, so I believe that this information is stored in some place in registry maybe. I’d need to figure out how many times a quick launch item has been clicked, when was the latest time, etc…
    But anyway, once again thanks a lot for you reply, and was a pleasure to contact to you. You’re a great coder :) .
    My best regards,
    Yosmel.

    Comment by Yosmel — Friday 3 July 2009 @ 17:31

  64. Maybe you’ll the data, but personally, I believe it doesn’t exist. I’m 100% sure it isn’t logged under the UserAssist registry key.

    Comment by Didier Stevens — Friday 3 July 2009 @ 18:11

  65. Hi Didier
    Well, I’ll keep trying then. When I saw that the UserAssist registry keep updates the counter for the number of programs that have been launched using quick launch items, I tought that maybe this information was stored in some other registry key. But anyway, thanks a lot for reply.
    My best regards,
    Yosmel.

    Comment by Yosmel — Friday 3 July 2009 @ 18:23

  66. >>> Well, I’ll keep trying then. When I saw that the UserAssist registry keep updates the counter for the number of programs that have been launched using quick launch items, I tought that maybe this information was stored in some other registry key. <<<

    Have you tried looking at the Prefetch files? They too keep a counter of how many times an executable has been run.

    Comment by Phillip Rodokanakis — Monday 20 July 2009 @ 20:26

  67. Didier or others…

    How accurate is the counter? We found a counter for specific piracy software which is telling us the program was started 3950 times. Is the number to be trusted? Or has Windows some hidden/unkown features that can change/increase the number for some reason?

    Kind regards from The Netherlands,

    Hans Heins

    Comment by Hans Heins — Tuesday 4 August 2009 @ 12:41

  68. @Hans

    No, I don’t know about Windows hidden/unkown features that can increase the number.
    In theory, a program could manipulate his counter (increase it) to appear on the most-used list in the start menu. But I’ve never seen this done in real live.

    Comment by Didier Stevens — Tuesday 4 August 2009 @ 15:32

  69. Hello Didier,

    The time displayed in the column “last” is in UTC if I am right. (UserAssist version 2.4.2.0)
    I think it would be very useful if you can change the column name in to something like “Last used – UTC”

    I(and I think many other investigators) deal with a lot of different tools and also with many different timezones due to our International investigations.

    If a tool does not clearly mention which timezone is displayed, we have to figure this out each time we use a nice tool, like UserAssist, to do the job.

    Thank you in advance,

    Kind regards from the Netherlands

    Hans Heins

    Comment by Hans — Friday 7 August 2009 @ 8:32

  70. Hi Hans,

    As we discussed via e-mail, I agree that this is confusing. I’ve added an extra UTC column: http://blog.didierstevens.com/2009/08/11/update-userassist-tool-version-2-4-3/

    Comment by Didier Stevens — Tuesday 11 August 2009 @ 16:10

  71. [...] My Software, Update — Didier Stevens @ 16:07 I had an interesting discussion with Hans Heins concerning the timestamp displayed by my UserAssist [...]

    Pingback by Update: UserAssist Tool Version 2.4.3 « Didier Stevens — Tuesday 11 August 2009 @ 16:16

  72. Hi Didier,

    Quick question for you please…

    If I have only been given one line of data from a dump of UEME_RUNPATH value, how can I use UserAssist to find the correct values? Should the data be saved in a particular format so I can load it into the tool and then run it?

    Thanks,

    Kate

    Comment by Kate — Thursday 1 October 2009 @ 19:29

  73. @Kate

    I don’t suppose you know how to program in C#, otherwise you just use the UserAssistKey class and call the method to decode?

    You can try this:
    Create a new user on Windows XP (if your sample is from an XP system). Export the UserAssist registry keys with regedit as a text file.
    Edit the reg file with a text editor and replace the UEME_RUNPATH value with your value.
    Import the reg file with my tool.

    Comment by Didier Stevens — Thursday 1 October 2009 @ 19:42

  74. Hi Didier,

    Thank you for the wonderful tool.
    Just one problem I found is that the UserAssist 2.4.3 cannot work on Win 7.
    May I know what’s the matter?

    Thanks

    Comment by Terry — Monday 28 December 2009 @ 3:11

  75. Because the binary data format of the UserAssist values in Windows 7 and Windows 2008 R2 is new and different.
    But I’ve a working version: http://blog.didierstevens.com/2009/10/21/a-windows-7-launch-party-trick/
    And I’ve written an article on this for the new Into The Boxes forensic magazine to appear January 1st.

    Comment by Didier Stevens — Tuesday 29 December 2009 @ 20:17

  76. Love the program. I am curious about something. I’m trying to create a little custom tool utilizing this great tool and was wondering if there was a switch or something I could imput into a batch file or command line with the executable that would tell it which file to open.

    i.e. if I wanted something like this
    c:\utilities\userassist.exe \\server1\Profiles\tse\%E%\ntuser.dat

    using %E% as my variable (which scripting will input the correct variable info – so just need userassist.exe to open the file)

    Thanks again for a great tool

    Comment by BR — Tuesday 26 January 2010 @ 18:19

  77. @BR

    You can do this with Harlan’s RegRipper: http://www.regripper.net/
    That’s why I don’t add this functionality to my tool, I share my research on the UserAssist keys with Harlan and he integrates it in his tool.

    Comment by Didier Stevens — Wednesday 27 January 2010 @ 9:50

  78. “Ponomaryoff Maxim”‘s comments are ridiculous.

    1. These keys were known before you posted about them.

    2. If law enforcement relied on those techniques in ANY criminal investigation, they would be public. Disclosure, and all that. Furthermore, police are not “special”, and able to “own” information. Her comments are ridiculous in this respect. If she believes what she says, she is more well-advised to spend her time complaining about criminal investigation shows on television, as they “teach” criminals how to get away with murder and are seen by millions every night. Ridiculous.

    3. There are countless other reasons why people should know about what their computer does that has nothing to do with law enforcement. For example, my UserAssist had grown to pages and pages of information (mostly from me re-orgnizing my StartUp shortcute). I deleted the whole thing and that immediately cut my registry size by 15%.

    Comment by Samo — Sunday 21 February 2010 @ 19:51

  79. [...] in. For examinations involving user activity, I may be most interested in the contents of the UserAssistCount keys (log2timeline extracts this data, as well), but the really valuable information from [...]

    Pingback by Even More Thoughts on Timelines | Event Viewer — Tuesday 6 April 2010 @ 3:52

  80. I’m trying to find out how to associate a GUID found in the UserAssist Reg key to a program (Is GUID the right term here?). I know that IE has been run multiple times on a system as there is quite a bit of Internet History for the browser but I don’t see an entry for it in the UserAssist key. I do have a GUID that has has been run over 500 times but how to I associate the program that was run to that GUID? System is Vista.

    Entry= UEME_RUNPIDL:::{2559A1F4-21D7-11D4-BDAF-00C04F60B9F0}

    Is there a way to find this out?

    Comment by Dave — Friday 21 May 2010 @ 5:10

  81. @Dave, Yes, search for the GUID in the registry to find out to which programs it is linked.

    Comment by Didier Stevens — Friday 21 May 2010 @ 6:22

  82. Mr. Stevens,

    About a year ago, I mentioned my use of UserAssistView (NirSoft). Your app is quite similar. Two questions; (1) Have you ever looked and compared your app to NirSoft’s, (2) Is your app portable?

    Comment by RoninV — Wednesday 2 June 2010 @ 23:50

  83. My answer to (2) is YES, after reviewing a separate thread regarding this app.

    Comment by RoninV — Thursday 3 June 2010 @ 0:06

  84. @RoninV I seem to remember I looked at it some time ago…

    Comment by Didier Stevens — Thursday 3 June 2010 @ 14:29

  85. [...] Programs of Use http://blog.didierstevens.com/programs/userassist/ [...]

    Pingback by UserAssist | Forensic Artifacts — Wednesday 14 July 2010 @ 15:05

  86. Does the USERASSIST program determine if a user’s executable has been renamed to something innocuous like NotePad or Excel? If all that is being tracked is what programs are being run, how does UserAssist know that the program is the *REAL* program? I don’t see how the output from this could be used as evidence if the user could be hiding the execution of some program by appearing to be running some other program.

    Comment by Bill M. — Thursday 22 July 2010 @ 2:52

  87. @Bill M. No, the UserAssist registry keys record the name of the program, renaming a program is not recorded in these keys.
    You need other forensic evidence (for example the cache) to establish that notepad.exe is indeed notepad.exe and not another program.

    Comment by Didier Stevens — Thursday 22 July 2010 @ 19:13

  88. [...] publicó una nueva herramienta llamada UserAssist que nos permite visualizar una lista de los programas que fueron ejecutados en un sistema Windows, [...]

    Pingback by Descubriendo qué programas fueron ejecutados en Windows « WEB ANTRIX.TK — Sunday 15 August 2010 @ 6:46

  89. [...] ทีนี้ ในการสร้าง keyword ส่วนใหญ่แล้วเราจะกำหนดเป็นคำธรรมดาๆ ภาษามนุษย์ทั่วไป ทำให้ไม่มีทางค้นหาข้อมูลตรงส่วนที่ถูกเข้ารหัสนี้ได้ ดังนั้นวิธีการก็คือใช้โปรแกรมช่วย decode ข้อมูลใน registry ออกมา แล้วดูว่าเครื่องนั้นมีโปรแกรมอะไรที่เคยทำการติดตั้งลงไปบ้าง อ่านเพิ่มเติมได้ที่http://blog.didierstevens.com/programs/userassist/ [...]

    Pingback by เข้ารหัสข้อความง่ายๆ ด้วย Rot13 | Technology Crime Suppression Division (TCSD) — Thursday 2 September 2010 @ 17:11

  90. [...] Más información sobre UserAssist >> [...]

    Pingback by Herramienta: UserAssist | Informatica Forense – Pericias Informaticas — Thursday 9 September 2010 @ 3:38

  91. Hi.

    Would just start by saying that this is a great site that you have.. I have really gathered a lot of information regarding userassist values here. 1 question remains:

    Have you ever discovered what causes the -3 values in the counter? I have quite a few of thoose entries and can’t really stand in court and say that i dont really know what causes the negative values.
    I’ve written an EnScript (EnCase) to decrypt and display the values. But once again I do not know what causes the +2 counter values (Which in turn becomes -3 after substracting 5 in XP)

    I COULD just ignore them, but it really bugs me not knowing what they stand for.

    I can see that another visitor at this site has asked about the same question, but it remained unresolved…

    Comment by Rasmus Riis — Monday 27 September 2010 @ 8:11

  92. @Rasmus Riis This -3 value remains an open question. I’ve not been able to reproduce this, and for obvious reasons, people who reported this were not able to share their sample.

    Comment by Didier Stevens — Monday 27 September 2010 @ 8:58

  93. Ok… Obviously I cant send you the ntuser.dat that im working on, but if you like, i could e-mail you a sample og an ntuser.dat from my home computer? I know that -3 is in that as well..

    Comment by Rasmus Riis — Monday 27 September 2010 @ 9:08

  94. [...] UserAssist [...]

    Pingback by » Free Computer Forensic Tools — Saturday 6 November 2010 @ 3:46

  95. [...] UserAssist [...]

    Pingback by » Ferramentas Livres para Forense Computacional — Saturday 6 November 2010 @ 3:55

  96. [...] XP saves the full path and name of the program, last access and the number of total executions. UserAssist is a nice little tool that decrypts the information and displays them it its main window. You can [...]

    Pingback by Windows stores information about the programs that you use — Wednesday 1 December 2010 @ 21:07

  97. When trying to analyze the ntuser.dat file, UserAssist states “The file didn’t contain UserAssist data”. I noticed someone else had the same issue posted on this site, but when I tried to review the possible solutions…none of it really helped out.

    Can you please tell me what would cause this error and how to go about fixing it. Can programs that wipe ntuser.dat have an affect on it as well?

    Thanks

    Comment by OMBM — Tuesday 21 December 2010 @ 14:28

  98. @ombm try to load the hive with regedit, when thsis works, it will work with UserAssist

    Comment by Didier Stevens — Tuesday 21 December 2010 @ 15:40

  99. Good day, Didier! It’s me again =)
    I’ve spent some time to investigate a new version of the UserAssist key in Windows 7 and have read your article about a new format for the binary value data (Into The Boxes, Jan 2010, http://intotheboxes.files.wordpress.com/2010/04/intotheboxes_2010_q1.pdf). And now I wanna say about detected problems.

    1) You wrote: “From bytes 0 to 3, we find a 32-bit integer that is always zero…”
    I checked three randomly selected computers and found that it wasn’t so. I found 0x00000001, 0x0000000A and 0x00000004 values instead of zero. This values are constant for chosen computers. It’s amazing! What do you think about it? Why these values are so various? And what these values can mean? I guess it may be associated with the operating system version, but unfortunately I had too little time to refute or confirm this hypothesis.

    2) You wrote: “From bytes 8 to 11, we find another 32-bit counter. This counter is usually larger than the program-execution counter, and I believe it counts the number of times an application receives focus…”
    In my case, all these values were never larger than the program-execution counters. For example, when a ProgExec counter was equal 16, the appropriate “focus” counter could be equal 5.

    Yours sincerely, P.M.E.

    Comment by P.M.E. — Monday 27 December 2010 @ 11:22

  100. @P.M.E. Thanks for sharing your observations, I’ll need revisit this.

    Comment by Didier Stevens — Tuesday 28 December 2010 @ 11:21

  101. I try to For advanced users, there’s another key worth looking as as it’s an invite to any Trojan that bypasses your protection.

    You can find more info on this by Binging UserAssist

    Secure your PC with the following reg changes:

    Navigate to

    HKCU\Software\Microsoft\Windows\CurrentVersion\Exp lorer\UserAssist\

    Delete all the subkeys

    Add a new sub key called Settings

    Add a new Dword entry under Settings named NoEncrypt with a value of 1

    Add a new Dword entry under Settings named NoLog with a value of 1

    But it doesn’t work and all was recreated again.

    Hope you can help me solve this problem.

    Gilbert Parent
    Canada

    Comment by Guil Paré — Friday 21 January 2011 @ 22:31

  102. @Gilbert Disabling logging like you describe it works only till Windows XP. Starting with Windows Vista, you need to use other keys:

    http://blog.didierstevens.com/2007/09/08/disabling-userassist-logging-for-windows-vista/

    My UserAssist program allows you to enable/disabling logging correctly on the different versions of Windows.

    Comment by Didier Stevens — Friday 21 January 2011 @ 23:06

  103. First of all – thank you Didier for this nice write up. And here’re my 2 cents: those first 4 bytes of UEME_CTLSESSION’s value are last 4 bytes of FILETIME structure shifted to the left by 29 bits representing the session’s start timestamp. Something like this could get you that date back – DateTime.FromFileTimeUtc(Convert.ToInt64(first4BytesAsInt32)<<29).

    Comment by Vasily Kolobkov — Friday 15 April 2011 @ 23:10

  104. Sorry, made a mistake – initially filetime structure was shifted to the right. Thus we are shifting it to the left to restore the date.

    Comment by Vasily Kolobkov — Friday 15 April 2011 @ 23:18

  105. @Vasily Kolobkov Thanks for the info Vasily.

    Comment by Didier Stevens — Saturday 16 April 2011 @ 6:20

  106. Hi,
    I tried v2.4.3 on windows 7 64-bit; it showed nothing even after I clicked “Load from
    local registry”. I assume that’s the way to display what is supposed to be currently
    stored in the registry.
    Perhaps you have a later version that I missed?
    Perhaps the utility does not work on windows 7 64-bit?

    PS. I ran the utility with and without “as administrator”

    Comment by Dave — Monday 18 April 2011 @ 15:53

  107. @Dave This version doesn’t support Windows 7 (the format has changed). Take a look here for Windows 7:

    http://blog.didierstevens.com/2009/10/21/a-windows-7-launch-party-trick/

    Comment by Didier Stevens — Monday 18 April 2011 @ 17:44

  108. Hi,
    I have identified the registry created for my software in “Most often used programs”
    The entry is:HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count\HRZR_EHACNGU:P:\Cebtenz Svyrf\Cnvag.ARG\CnvagQbgArg.rkr

    I wanted to remove my program from the “Most Often Used Programs list, so I deleted the above mentioned registry entry but still it shows up in most often used programs, when I click on “Start”. How do I do this programmatically ?

    Comment by Himanshu — Wednesday 27 April 2011 @ 6:53

  109. @Himanshu You restarted explorer.exe?

    Comment by Didier Stevens — Wednesday 27 April 2011 @ 8:09

  110. [...] UserAssist [...]

    Pingback by Free computer forensic tools — Wednesday 25 May 2011 @ 11:37

  111. [...] What’s not quite as well known, though, is that Windows also maintains a longer and separate history of all the programs launched on your computer, including details like the number of times they’ve been run, and the last execution date and time. This information is stored in the Registry (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist), but it’s encrypted, so you’ll need something like the free UserAssist tool to find out more (for Windows 7 use this version –for Windows XP or Vista go here). [...]

    Pingback by UserAssist uncovers Windows activity logs - Fabtechguy.com — Monday 18 July 2011 @ 23:39

  112. [...] What’s not quite as well known, though, is that Windows also maintains a longer and separate history of all the programs launched on your computer, including details like the number of times they’ve been run, and the last execution date and time. This information is stored in the Registry (HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist), but it’s encrypted, so you’ll need something like the free UserAssist tool to find out more (for Windows 7 use this version –for Windows XP or Vista go here). [...]

    Pingback by UserAssist uncovers hidden Windows activity logs | Information Technology Leader — Wednesday 20 July 2011 @ 7:54

  113. All I got is blank window, no information at all :(

    Comment by Jari — Sunday 24 July 2011 @ 8:09

  114. @Jari I assume you’re trying this on Windows 7? Then you should read comment 108.

    Comment by Didier Stevens — Sunday 24 July 2011 @ 8:30

  115. Oh, yes I use Windows 7, my fault. Thank you!

    Comment by Jari — Sunday 24 July 2011 @ 8:52

  116. Do you have any command line switches? Thanks

    Comment by Jim — Sunday 24 July 2011 @ 14:21

  117. Well, it’s all very interesting if you’re a programmer….I’m an ORDINARY user. Can you explain, in English, the SIMPLE, 1,2,3 steps…go here,click, here, do this or that in order to use this program?
    Thanks,
    Babs

    Comment by Babs — Sunday 24 July 2011 @ 15:48

  118. @Jim No, and that’s by design, beause you should use Harlan Carvey’s RegRipper for command-line operations.

    Comment by Didier Stevens — Sunday 24 July 2011 @ 15:56

  119. @Babs No, this is a forensic tool, it is not designed for ORDINARY users. You should not use it.

    Comment by Didier Stevens — Sunday 24 July 2011 @ 15:57

  120. I have Win XP SP3. When I run UserAssist, I get zero entries in the table. Even after running several programs, there’s nothing in UserAssist. What am I missing?

    Comment by George Rezac — Monday 25 July 2011 @ 0:12

  121. @George Do you know how to use regedit?

    Comment by Didier Stevens — Monday 25 July 2011 @ 1:40

  122. Yes.

    Comment by George Rezac — Monday 25 July 2011 @ 12:10

  123. @George OK, then take a look at HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ExplorerUser\Assist
    You should find 2 keys ({5E6AB780-7743-11CF-A12B-00AA004AE837} and {75048700-EF1F-11D0-9888-006097DEACF9}), and under these keys you should find many more keys.
    Should these keys be missing, then it explains why you don’t see anything.

    Comment by Didier Stevens — Monday 25 July 2011 @ 12:55

  124. Each key has one subfolder: Count. There are no keys. OK, so that’s why your program isn’t showing anything, but WHY don’t I have any keys there? I sure haven’t deleted anything.

    Comment by George Rezac — Monday 25 July 2011 @ 13:02

  125. @George So there are no REG_BINARY entries under the count keys? Do you use a registry cleaner, or some other maintenance program? Some of them clean these keys.

    Comment by Didier Stevens — Monday 25 July 2011 @ 13:08

  126. Each Count folder has the same REG_BINARY entry: HRZR_PGYFRFFVBA with a value of all zeroes. In addition to the two keys, UserAssist has one more folder: Settings, with Default (value not set) and NoLog (value 1).
    Yes, I do use various registry cleaners, but I ran your program after opening several applications.

    Comment by George Rezac — Monday 25 July 2011 @ 13:17

  127. @George It must be the combination of registry cleaners and the NoLog value. When NoLog is equal to 1, no records are added to the registry keys. You can reset NoLog with my UserAssist program.

    Comment by Didier Stevens — Monday 25 July 2011 @ 13:35

  128. [...] UserAssist [...]

    Pingback by 포렌식 도구 모음 (Digital Forensics Tools) | FORENSIC-PROOF (Digital Forensics Community) — Thursday 1 September 2011 @ 4:09

  129. [...] UserAssist utility displays a table of programs executed on a Windows machine (It works best for XP but there is a non [...]

    Pingback by What Has Run On My PC? | Real Coding!! — Thursday 29 September 2011 @ 3:23

  130. [...] blog online. This registry key stores data that is ROT13 encrypted and there are a number of free tools out there to decrypt these values from the [...]

    Pingback by EnCase EnScript to search for keyword in ROT13 or XOR » Digital Evidence — Saturday 22 October 2011 @ 16:42

  131. [...] adındaki aracı indirip sadece çalıştırarak bu listeye ulaşmanız mümkündür. Aracın XP/Vista sürümünü bu adresten, Windows 7 sürümünü ise bu adresten [...]

    Pingback by Windows’un sizi izlemekte kullandığı 5 yol! | Haber – Mekanı — Tuesday 15 November 2011 @ 16:38

  132. [...] UserAssist database can help. Just install the free UserAssist program (see the comments for a link to a Windows 7-compatible version) to see the database, or disable [...]

    Pingback by Tutorial: More hidden Windows tips tricks and shortcuts — Sunday 20 November 2011 @ 7:01

  133. [...] from Nirsoft.net userassist from Didier Stevens Categories: Tech Tip Tags: nirsoft, tools, userassist Comments (0) [...]

    Pingback by Techish Blog » Microsoft Windows UserAssist — Wednesday 30 November 2011 @ 3:25

  134. [...] adındaki aracı indirip sadece çalıştırarak bu listeye ulaşmanız mümkündür. Aracın XP/Vista sürümünü bu adresten, Windows 7 sürümünü ise bu adresten [...]

    Pingback by Windows’un sizi izlemekte kullandığı 5 yol! | Teknocin — Friday 2 December 2011 @ 6:52

  135. [...] UserAssist [...]

    Pingback by 101 utilidades forenses | Blog de Seguridad Informática — Tuesday 6 December 2011 @ 8:25

  136. I found your program really useful. Is there going to be an update for windows 7? Thanks very much

    Comment by redesyseguridad — Thursday 8 December 2011 @ 6:21

  137. @redesyseguridad Yes, http://blog.didierstevens.com/2009/10/21/a-windows-7-launch-party-trick/

    Comment by Didier Stevens — Thursday 8 December 2011 @ 20:45

  138. [...] adındaki aracı indirip sadece çalıştırarak bu listeye ulaşmanız mümkündür. Aracın XP/Vista sürümünü bu adresten,Windows 7 sürümünü ise bu [...]

    Pingback by Windows sizi gözetliyor! | Chat, Sohbet,chat siteleri, chat odalari — Monday 12 December 2011 @ 19:32

  139. Great tool. I found your program is very useful. It seems working fine and I am able to see all the run count information on XP, Windows 7 and Windows 2008.
    However, registry values (run count, focus count and focus time) under UserAssist have seen an mysteriously reset somehow: the run count information came back to 0 and starting increment if a program runs again. And I don’t recall I have done anything to the registry key/value. This happens on Windows 2008 yesterday, which I thought was an accident and tried to forget it but this happen again on Windows 7 again. I am still watching to see if it happens again but I am not able to reproduce again.

    Has anyone seen similar behavior?

    Comment by JamesZ — Thursday 29 December 2011 @ 22:24

  140. I think I’ve seen this when you disable UserAssist in Windows.

    Comment by Didier Stevens — Friday 30 December 2011 @ 9:44

  141. Thanks for your quick response.
    I don’t recall I ever did that twice on different machines. Besides, if it is disabled, does the counter still increment ?

    Comment by JamesZ — Friday 30 December 2011 @ 15:43

  142. @JamesZ No, it would not.

    Comment by Didier Stevens — Saturday 31 December 2011 @ 13:15

  143. To follow up my earlier post, I still see the run count somehow got changed to lower value but I can’t figure out conditions.
    Another thing –
    When I run a program, for example, notepad from dos box, the utility does not pick up the run count.
    However, it does pick up when you either run from start menu or double click a .txt file.
    Is that right? If that’s the case, is there any way to track a program running from a dos box.

    Comment by JamesZ — Friday 6 January 2012 @ 17:42

  144. @JamesZ Yes, that’s normal behavior, UserAssist keys register interactive program launches via Explorer. Not the cmd box.

    Comment by Didier Stevens — Sunday 8 January 2012 @ 8:31

  145. It seems the information stays consistent across different users.

    From the registry key name, it appears that it should only tell the run count information of the “current user”. However, when I tried other users, local or domain. As far as on my systems, the usage information does not depends on the user. For example, if one user runs “notepad.exe” for 10 times, registry value reflects that as well as the tools, but with a new user, the registry entry value also shows 10 for “notepad.exe”, so does the tool.

    Can you confirm that? Is there a way to change the policy or profile to make the usage tracking information for per user?
    Thanks

    Comment by JamesZ — Wednesday 11 January 2012 @ 19:59

  146. @JamesZ I’ve no idea why your system is doing this. It shouldn’t. I’ve not seen that before, and you’re the first to report this to me.

    Comment by Didier Stevens — Wednesday 11 January 2012 @ 20:17

  147. After I tried with more fresh system. I do see usage varies from user to user.
    I think some my systems (vm) were created based on template and sysprep, which already have things and values preoccupied in the registry and I was not careful enough to check line by line but only some values on the top, which seem do not change from user to user. My apology and your quick response is highly appreciated.

    Comment by JamesZ — Wednesday 11 January 2012 @ 22:37

  148. [...] of data and have it converted. Alternatively, a very useful utility that can be run locally is UserAssist, which besides looking in HKCU can also read exported reg files and ntuser.dat. This would be more [...]

    Pingback by A Quick Glance At The UserAssist Key in Windows « Windows Explored — Monday 6 February 2012 @ 15:37

  149. Does Userassist check only the current user or can it check all users that use Windows? I would like to be able to track how often programs are used no matter who has logged in.

    Comment by Jason — Thursday 16 February 2012 @ 1:41

  150. @Jason Current user and exported registry from any user.

    Comment by Didier Stevens — Friday 17 February 2012 @ 7:34

  151. It’s a great program but I guess it only tracks software started through the Start Menu. We have several programs installed but are not tracked for some reason. They are started by clicking on desktop shortcuts and are not showing up in the software.

    Comment by Jason — Friday 17 February 2012 @ 16:33

  152. @Jason It is important to understand that my program does not track anything. It just decodes what Windows Explorer tracks.
    Desktop shortcuts are also tracked by Windows Explorer’s UserAssist technology. They show up as .lnk files.

    Comment by Didier Stevens — Friday 17 February 2012 @ 17:17

  153. Hi Didier- You did the community a great favor by publishing your findings and the UserAssist tool. One thing that appears to be difficult is making sense out of particular UEME_UITOOLBAR entries that have 130 and 120 associated with them. After spending an hour looking around via search engines , found only republished portions of Harlan Carvey’s book that touches on the subject of the UEME_UITOOLBAR, but really nothing deeper. I even resorted to and digging through MSDN but got deep into the weeds. Do you have a cheat sheet to the popular entries one would find associated with the user interactions with UITOOLBAR?
    tm

    Comment by TM — Wednesday 29 February 2012 @ 19:48

  154. @TM No, unfortunately I have no cheatsheet. I know MSDN will not help you, but maybe the header files of the Platform SDK have more info.

    Comment by Didier Stevens — Thursday 1 March 2012 @ 14:37

  155. FYI, on my Windows 7 Pro x64 machine, the subkeys under the UserAssist key have different values. The only way to get your program to read them was to export the UserAssist key and change the subkey values to the ones you have listed above. Perhaps you should change your program to read any subkeys listed uner UserAssist instead of reading only the listed keys.

    Comment by Louis — Friday 9 March 2012 @ 18:28

  156. @Louis Take a look at this: http://blog.didierstevens.com/2009/10/21/a-windows-7-launch-party-trick/

    Comment by Didier Stevens — Friday 9 March 2012 @ 21:28

  157. Thanks!

    Comment by Louis — Friday 9 March 2012 @ 21:39

  158. [...] adındaki aracı indirip sadece çalıştırarak bu listeye ulaşmanız mümkündür. Aracın XP/Vista sürümünü bu adresten, Windows 7 sürümünü ise bu adresten [...]

    Pingback by Windows bizi gözetliyor.. | Pcweb — Friday 23 March 2012 @ 17:20

  159. [...] RegRipper – includes rip, ripXP, and regslack MiTeC Registry File Viewer Didier Stevens’ UserAssist Pwdump7 or SAMInside – great way to get password hashes for [...]

    Pingback by Free Tools | Herouxapps (Home of Freeware) — Wednesday 18 April 2012 @ 23:38

  160. [...] UserAssist [...]

    Pingback by 101 Utilidades Forenses « Tecnologia al Dia — Tuesday 8 May 2012 @ 14:23

  161. Thanks Didier, Mr Stevens, for the info and great tool which I have just downloaded.
    I have my XP Pro setup to use the old Win 2k style start menu, so that those user assist entries inasmuch as the serve the purpose you discovered are utterly useless to me – why Windows still gathers the statistics is a mystery…

    Just a FYI, the Google Chrome browser tried to scare us into NOT downloading your zip under the curious pretense that : “this file is seldom downloaded. Are you sure you want to take risks, etc. blah blah…. ? “

    Comment by Oldtimer — Sunday 15 July 2012 @ 18:01

  162. @Oldtimer The data is not only used for the start menu, but also for the uninstall control panel.

    Comment by Didier Stevens — Monday 16 July 2012 @ 19:36

  163. I have tried your theory on the focus time, I’m not sure if I agree. I took the calc.exe from system32 and copied it to the c:\temp directory. I executed it from there. I did not get an error message, nor I got a running program. UserAssist did have an entry for the newly executed program that never showed up, but the focus time/counter was all zeroes. I tried to make a minor change to the executable to change its hash value and changed its name. Win7 would never execute the program from c:\temp, but UserAssist did counted all attempts. The focus time/counter was zero. I typed the name into the start menu with the path where I could see the executable name in my c:\temp directory and the focus time/counter still did not change. I have copied a program I wrote to c:\temp and launched it. It ran just fine and the focus counter showed values based on how long I’ve ran the program. Thus, it seems to me that your focus counter might be related to some sort of Windows File protection where files known to Windows can only run from certain folders and it should show if the program successfully executed or not. I hope, others can replicate this and find the answer.

    Comment by zoltandfw — Saturday 6 October 2012 @ 4:18

  164. @zoltandfw It’s important that we know with what Windows version and what type of account you did your test for us to try to reproduce.

    Comment by Didier Stevens — Saturday 6 October 2012 @ 4:35

  165. Looking forward to see what your conclusions will be.

    User is a member of “Home Users” and “Administrators” groups.

    OS Name: Microsoft Windows 7 Professional
    OS Version: 6.1.7600 N/A Build 7600
    OS Manufacturer: Microsoft Corporation
    OS Configuration: Standalone Workstation
    OS Build Type: Multiprocessor Free
    System Manufacturer: Dell Inc.
    System Model: Latitude D620
    System Type: X86-based PC
    Processor(s): 1 Processor(s) Installed.
    [01]: x86 Family 6 Model 14 Stepping 8 Genuine Intel 2000 Mhz
    BIOS Version: Dell Inc. A08, 4/3/2007

    Comment by zoltanszabodfw — Sunday 7 October 2012 @ 4:32

  166. @zoltanszabodfw I can’t reproduce your first step. When I copy calc.exe to the temp directory, I can run it from there. Something must be preventing execution on your machine.

    Comment by Didier Stevens — Wednesday 10 October 2012 @ 17:47

  167. If I run the following code, it loads the calc.exe from its original location and gets an exit code 0, but if I replace the path to c:\temp, then I get an exit code of 1. I could not find what exit code 1 signified. It might worth to try the focus time with executables that return different exit codes and see how the focus time is updated. I know if you can not recreate what I see, you can not verify my findings, but every time I try it, I get the same results. I’ll keep digging to see if I can find out why this happens. Thanks for looking into this and I hope there will be an answer one day. Anyway, I love your program and keep up the great work you do.

    Dim objShell,oExec

    Set objShell = wscript.createobject(“wscript.shell”)
    Set oExec = objShell.Exec(“calc.exe”)

    WScript.Echo oExec.Status
    WScript.Echo oExec.ProcessID
    WScript.Echo oExec.ExitCode

    Comment by zoltanszabodfw — Wednesday 24 October 2012 @ 2:22

  168. I can only assume this program does not work in Windows 7 64bit. I’ve never had it work, however a few years ago I had it work on a XP machine. This could be a great tool if it worked on current systems.

    Comment by Anonymous — Thursday 2 May 2013 @ 18:37

  169. @Anonymous Take a look here: http://blog.didierstevens.com/2012/07/19/userassist-windows-2000-thru-windows-8/

    Comment by Didier Stevens — Friday 3 May 2013 @ 8:53

  170. […] quick search on Google talks about UserAssist and of someone that developed a tool to see its data… looking at the source, it seems windows is storing information inside registry about every […]

    Pingback by Reversing data and the Scientist method | AO-Sec — Monday 20 May 2013 @ 0:48

  171. There are 72 bytes information, but display only 24 bytes. What about other bytes? What are they meaning?

    Comment by Logioniz — Wednesday 26 June 2013 @ 22:39

  172. Sorry, i post previous message for windows 7 and 8 and for version of programs 2.6.0

    Comment by Logioniz — Friday 28 June 2013 @ 7:20

  173. @Logioniz That’s not clear yet.

    Comment by Didier Stevens — Saturday 29 June 2013 @ 22:15

  174. Didier, doing a preliminary security audit, I just found out an application is accessing the UserAssist keys – should I worry, is this an issue? Are there legitimate reasons to do this or do you know of other applications accessing the keys?

    Do you happen to know “who” (which process, or the Windows kernel?) is supposed to read/write this key in normal operation?

    Thank you, kind regards
    Ben

    Comment by Ben — Sunday 28 July 2013 @ 20:02

  175. @Ben Normally the explorer.exe process uses these keys. Prior to Windows 7, the code for this was in browseui.dll. Don’t know in which DLL it is for Windows 7 & 8.
    Is this application writing to the keys, or just reading them?

    Comment by Didier Stevens — Sunday 28 July 2013 @ 21:32

  176. @Didier I have not established that by now (how would you do that most easily? – normal debugging and reversing is out of question as the executable is heavily armed… maybe the easiest way would be a VM and WinDbg to go for the kernel registry APIs) but I think only reading. I just noticed when going through Process Explorer.

    I wonder what might be a legitimate reason for such behavior… Why would you do that if your application did something totally different? What could be the intention behind this?

    Comment by Ben — Friday 2 August 2013 @ 15:12

  177. @Ben Use Process Monitor to log all activity from said application. Then use the tools menu to view registry activity of the application, and see to what keys it wrote.

    I’ve been contacted several times by developers with question on how to make their application appear high in the start menu.

    Comment by Didier Stevens — Friday 2 August 2013 @ 16:53

  178. @Didier great hint, thank you, sometimes you forget about the most obvious things. Maybe startmenu cheating is the reason.

    Comment by Ben — Friday 2 August 2013 @ 18:15

  179. @Ben Take a look at Aaron’s presentation at TechEd on Sysinternals tools http://channel9.msdn.com/Events/TechEd/NorthAmerica/2013/ATC-B313

    Comment by Didier Stevens — Friday 2 August 2013 @ 21:42

  180. […] UserAssist […]

    Pingback by Tools » Damul's Blog — Thursday 29 August 2013 @ 2:10

  181. Great program! Any chance you can make it process more than one file at a time, or point it at a directory containing numerous registry files. This would be really helpful when dealing with restore points and trying to make a master timeline.

    Comment by Anonymous — Friday 4 October 2013 @ 14:50

  182. @Anonymous Have you looked at RegRipper for this?

    Comment by Didier Stevens — Sunday 6 October 2013 @ 18:06

  183. Wow, what an unbelievable ad hominem attack by Ponomaryoff Maxim E. And then to back away and say he was not accusing you of being a virus author – ridiculous backtracking. i’m glad you stood your ground. There is nothing wrong with presenting this information, by any realistic and professional standard of practice.

    Comment by Anonymous — Monday 5 May 2014 @ 14:44

  184. […] UserAssist […]

    Pingback by Registry analysis | Area-6 - Security and Code Snippets ༼ຈل͜ຈ༽ — Saturday 27 September 2014 @ 20:10


RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

The Rubric Theme. Blog at WordPress.com.

Follow

Get every new post delivered to your Inbox.

Join 234 other followers

%d bloggers like this: