Didier Stevens

UserAssist

The UserAssist utility displays a table of programs executed on a Windows machine, complete with running count and last execution date and time.

Windows Explorer maintains this information in the UserAssist registry entries. My program allows you to display and manipulate these entries.

[Screenshot: userassistv2a.PNG]

I posted my program (source code and binaries) here. Download the ZIP file; you’ll have to extract UserAssist\UserAssist\bin\Release\UserAssist.exe to get my program. There is no setup, it’s just one executable. You’ll need the .NET Framework 2.0 runtime to run my program (download it only if you have a problem running my program; if you have an up-to-date version of Windows XP, the .NET 2.0 Framework will already be installed).

I also maintain a Windows Live CD plugin for my UserAssist utility.

Program features and operation are described in the About box:

The program UserAssist displays a list of the programs run by a user on Windows.

Windows Explorer displays frequently used programs on the left side of the standard XP Start menu.
The data about frequently used programs is kept in the registry under this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

This program decrypts and displays the data found in the registry under the UserAssist key.

When started, the program retrieves the data for the current user and displays it.
The display is not refreshed automatically when Windows Explorer updates the registry entries.
To refresh the display, execute the 'Load from local registry' command.

Columns in the listview:
Key:
this value is {5E6AB780-7743-11CF-A12B-00AA004AE837} or {75048700-EF1F-11D0-9888-006097DEACF9};
these are the keys found under the UserAssist key, and they are included in the list view to distinguish the entries.

Index:
a running counter, indicating the sequence of values in the registry.
At first, the entries are listed in the sequence they appear in the registry. You can sort columns by clicking on the header.
To revert to the original sequence, sort the column Index and then the column Key.

Name:
The name of the registry value. This references the program that was run. The name is ROT13 encrypted; the displayed name is decrypted.
There is a registry setting to prevent encryption of the log, but this program does not support this setting.

Unknown:
a 4 byte integer, meaning unknown. It appears to be present only for session entries (UEME_CTLSESSION).

Session:
This is the ID of the session (a 4 byte integer).

Counter:
This is the number of times the program was run (a 4 byte integer).

Last:
This is the last time the program was run (an 8 byte datetime).
Watch out for time zone differences when importing a REG file from a system with different regional settings.

Commands:

'Load from local registry'
Displays the data for the current user.

'Load from REG file'
Loads a REG file and imports the UserAssist key.
This command doesn't check the full path of the UserAssist key, thus allowing the analysis of NTUSER.DAT hives loaded and exported with another path.
Use this command if you cannot run the program on the machine you want to analyze.
Loading the data from a REG file disables editing commands.

'Load from DAT file'
Loads a registry hive file (a DAT file like NTUSER.DAT) and imports the UserAssist key.
The DAT file is temporarily loaded in the registry under the USERS\LoadedHive key. Be sure to have local admin rights to access the file and load it.
Use this command if you cannot run the program on the machine you want to analyze.
Loading the data from a DAT file disables editing commands.

'Highlight'
Allows you to type in a search string (a regular expression is accepted), each entry matching this string will be highlighted in red.
The highlighting stays active during reloads. Type an empty string to disable the highlighting.

'Save'
This saves the data as a CSV file or an HTML file (choose the file type).

'Clear All'
This deletes the {5E6AB780-7743-11CF-A12B-00AA004AE837} and {75048700-EF1F-11D0-9888-006097DEACF9} keys.
All data is lost, and no new data is recorded until Windows Explorer is restarted.
This will impact the frequently run program list on your Start Menu, and maybe other things. I had no other side-effects on my test machines.
This command is disabled when a REG file is loaded.

'Logging Disabled'
Enabling the 'Logging Disabled' toggle allows you to permanently disable the logging of user activity in the UserAssist keys by creating a value
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings\NoLog equal to 1.
Disabling the 'Logging Disabled' toggle removes the NoLog value (apparently, setting it to 0 doesn't prevent logging).
This setting is only effective after Windows Explorer is restarted.
This command is disabled when a REG file is loaded.

Right-clicking an entry will display a menu:

'Clear' will delete the selected entries. The index field of the remaining entries is not changed; it only changes after reloading the registry.
This command is disabled when a REG file is loaded.
'Explain' will analyse the contents of the name field and try to explain its meaning (based on empirical data).

[Screenshot: userassist_explain_1.png]

This program has been tested on Windows XP SP1, SP2, Windows 2003 and Windows Vista.
Microsoft doesn't publish official documentation for UserAssist data. I've found info on the WWW (google for UserAssist) and I discovered the meaning of the binary data through trial-and-error testing.
In other words: use this program at your own risk.

Ways to restart Windows Explorer:
1) Task Manager: kill the explorer.exe process and start a New Task explorer.exe
2) logoff / logon
3) reboot

60 Comments

  1. [...] I’ve published a BartPE plugin for my UserAssist utility, you can download it here (https, MD5 D43E519B7BCE90F31EB54884E7AA75C1). And I’m posting another movie. Windows Live CDs are a popular troubleshooting and forensic investigation tool, they allow you to boot a (Windows) PC from a CD. Bart Lagerweij developed BartPE, a tool to create a Windows Live CD (a Windows “pre-install” environment CD), and several people build their own tools based on his work. The Ultimate Boot CD for Windows is based on BartPE. [...]

    Pingback by A Windows Live CD plugin for my UserAssist utility « Didier Stevens — Monday 18 September 2006 @ 15:24

  2. Nice tool! Questions: I’m not at a programmer. To run the application, do I need only the Bin folder and its contents? Can I delete the Obj and Properties folders? One suggestion is that perhaps you can consider adding a search feature. Thanks!

    Jimmy Weg, CFCE
    Agent in Charge, Computer Crime Unit
    Montana Division of Criminal Investigation
    303 N. Roberts, Room 371
    Helena, MT 59620
    406.444.6681
    406.439.6185 (cell)
    jweg@mt.gov

    Comment by Jimmy Weg — Monday 30 October 2006 @ 22:02

  3. 1) you only need UserAssist.exe in folder UserAssist\bin\Release, and you can put it anywhere, e.g. on your desktop.
    2) yes, you can delete everything, except UserAssist.exe
    3) I’ll probably have a search function in a new version, but for now, you can use the Save function. It creates a CSV file. You can read it with Excel or notepad, and use their search function

    Comment by Didier Stevens — Monday 30 October 2006 @ 22:14

  4. [...] XP saves the full path and name of the program, last access and the number of total executions. UserAssist is a nice little tool that decrypts the information and displays them it its main window. You can [...]

    Pingback by Windows stores information about the programs that you use » gHacks tech news — Monday 22 January 2007 @ 12:50

  5. Great tool ! Thanks for sharing it with the community !

    Comment by Wag — Tuesday 23 January 2007 @ 11:03

  6. Very nice tool! Thanks for sharing. It’s nice to have a tool that automatically de-ROTs the values instead of having to run them through another script.

    Comment by Michael H — Wednesday 24 January 2007 @ 0:40

  7. [...] Filed under: My Software — Didier Stevens @ 11:30 My article about my UserAssist forensic tool has been published in the February 2007 issue of (IN)SECURE Magazine [...]

    Pingback by UserAssist article published in (IN)SECURE Magazine « Didier Stevens — Thursday 15 February 2007 @ 11:30

  8. Bad idea!
    This key and the meanings of its parameters were known to me from 2004, but I published my investigation only for restricted access (only for law enforcement agencies). I consider information about the UserAssist key very important for computer crimes’ criminalistic expertises. I can’t understand the reasons for your publication. This key was a helpful tool for criminalists, and you broke it. Why? The key wasn’t dangerous for ordinary users. Now, any computer criminal can read your article, use your utility and hide his own unlawful engagement. You are an IT Security Consultant! Do you really think your article is so necessary? I am very disappointed by your publication.

    PS. Some years ago Mr. Khizhniak, my compatriot :(((, wrote a book about the creation of computer viruses (Part I) and antiviruses (Part II). As a result, a lot of “Khizhniak-based” viruses were created by so-called “hackers” which indeed couldn’t develop even the simplest virus on their own without the book. No antiviruses were created. Do you like similar results? After publishing, your article will help only computer criminals and create problems for specialists.

    Yours sincerely,
    Ponomaryoff Maxim E.,
    Information Security Consultant. Yekaterinburg. Russia.

    Comment by Ponomaryoff Maxim E. — Friday 16 March 2007 @ 10:34

  9. > I consider information about the UserAssist key very important for computer crimes’ criminalistic expertises.
    It is, and that’s why I published it. Read the comment by Jimmy Weg, Agent in Charge, Computer Crime Unit, Montana Division of Criminal Investigation. He did not know about this technique prior to using my program.

    The information is on the web since October 2003 at least, read here: http://www.personal-computer-tutor.com/abc3/v29/vic29.htm

    Associating me with virus writers is a blow below the belt, it’s like a tactic used by corrupt politicians & consorts.

    Comment by Didier Stevens — Sunday 18 March 2007 @ 14:17

  10. Excuse me, if my words offended you. I present you my open-hearted apologies. I didn’t associate you with virus writers, moreover I was sure you were led by good wishes, but ones could bring to bad results (my example was written only for this aim). I’d read the comment by Jimmy Weg, and I’m glad for him. But soon criminals will clear the UserAssist key with your fine (indeed) utility. What will Mr. Weg do in this case?

    As before I consider this information had to be published only for restricted access (only for Mr. Weg and his colleagues).
    I don’t pretend to any priority. I discovered the UserAssist key on my own, and didn’t know about other publications. Thanks for the link, and sorry for my English.

    Yours sincerely,
    Ponomaryoff Maxim E.

    Comment by Ponomaryoff Maxim E. — Monday 19 March 2007 @ 10:49

  11. > I present you my open-hearted apologies.
    Apologies accepted! As a non-native English speaker, I also know how sometimes your words can be misunderstood.

    I wonder how you bring evidence, based on the UserAssist keys, into court? If you keep the technique secret, has the defense no right to examine your evidence? Does the judge accept the data?

    Comment by Didier Stevens — Monday 19 March 2007 @ 17:31

  12. [...] Read more… Tags: binary data, didier, encrypted, ive, registry keys, rot13, Spyware, stead, timestamp, treeview, utility windows, windows explorer Posted on Tuesday, March 27th, 2007 at 6:08 pm and under category News. You can read any responses through the RSS 2.0 feed. You can give a response, or trackback from your site. « IE lets attackers hijack network traffic Tools - Fuzzled - a Perl Based Fuzzer » [...]

    Pingback by Internet Security and Programming » Blog Archive » Didier Stevens - UserAssist utility — Tuesday 27 March 2007 @ 11:09

  13. On XP SP2 I keep getting “The application failed to initialize properly (0xc0000135).” What am I missing?

    Thanks!

    Comment by Hank — Thursday 5 April 2007 @ 5:29

  14. Did you install the .NET framework?

    http://www.microsoft.com/downloads/details.aspx?FamilyID=0856EACB-4362-4B0D-8EDD-AAB15C5E04F5&displaylang=en

    Comment by Didier Stevens — Thursday 5 April 2007 @ 6:52

  15. Dear Didier Stevens!
    I imagine the answer to your question approximately as follow…
    Our national justice has some differences from European or American one.
    So when a government investigator needs special knowledge, he can appoint an expertise (ballistic, graphologic, computer, etc.). He forms a list of questions to the expert. The expert gives precise answers as far as possible, and writes the expert’s report. Then, when the prosecution presents the expert’s conclusion to the court, all employed techniques must be described and be based on some official documents or be validated by experiments. In our case, because Microsoft hasn’t still published the official information about the UserAssist key, I’ll have to describe my experiments to prove the truth of my resumes. But the expert’s conclusion also can be used in non-judicial practice (by special officers or special agents. Mostly I cooperate with them but I’m not able to find a more correct English term to name them.) In that case I am allowed to describe nothing from my techniques.
    PS. I have a small remark to your utility. You use the last time the program was run in local time mode, and warn about possible differences. I added to your code a new column (Last UTC) because the FILETIME structure keeps time exactly in this mode (as you know). When an expert examines a REG-file from another computer, this modification can be very helpful.

    PPS. On my XP SP2 your utility works correctly. My version too =)

    Yours sincerely,
    Ponomaryoff Maxim E.

    Comment by Ponomaryoff Maxim E. — Friday 27 April 2007 @ 5:51

  16. Thanks for your answer Maxim. Excellent idea to add an UTC column, thanks for the suggestion!

    Comment by Didier Stevens — Tuesday 1 May 2007 @ 18:34

  17. Great tool! One question… I am curious about the “Counter” field indicating how many times a resource was run. How did you determine that the 4 bytes you use for this are counts? I have been forever looking for a resource that documents this part of the UserAssist keys…

    Thanks JS

    Comment by JS — Friday 1 June 2007 @ 18:24

  18. It’s explained in an older post: http://didierstevens.wordpress.com/2006/07/24/rot13-is-used-in-windows-you%e2%80%99re-joking/
    And also in my article in (IN)SECURE Magazine issue 10: http://www.net-security.org/dl/insecure/INSECURE-Mag-10.pdf

    Comment by Didier Stevens — Wednesday 6 June 2007 @ 16:51

  19. [...] @ 6:29 I was a speaker at the local ISSA chapter last Monday. My talk explained how to use my UserAssist tool for forensic analysis. The audience had great questions for me at the Q&A, some of which I want [...]

    Pingback by UserAssist Q&A « Didier Stevens — Wednesday 20 June 2007 @ 6:29

  20. Good application. Just wondering if there would be a simple way to save the report in html, and as Jimmy said, a search feature would be great. Thanks

    Chad

    Comment by Chad Gish — Thursday 28 June 2007 @ 22:56

  21. Can you suggest a tool to convert NTUSER.DAT files from a user profile to .REG files so that they can be viewed using your tool?

    I have tried Registry File Viewer which will export to REGEDIT4 format, but your UserAssist utility says that the file doesn’t contain UserAssist data.

    Comment by Sean McLinden — Thursday 5 July 2007 @ 19:23

  22. You can use Regedit. I show it in the movie of this post: http://didierstevens.wordpress.com/2006/09/18/a-windows-live-cd-plugin-for-my-userassist-utility/

    And I also explain it in my (IN)SECURE Magazine Issue 10 article (page 72): http://www.net-security.org/dl/insecure/INSECURE-Mag-10.pdf

    Comment by Didier Stevens — Thursday 5 July 2007 @ 19:37

  23. @Chad

    I’m preparing a new version, HTML export can be included, but I don’t know if I want to spend the time programming search. Actually, it’s not the Find function that is complex, but the Find Next function.

    Comment by Didier Stevens — Thursday 5 July 2007 @ 19:46

  24. I was hoping to avoid using something like UBCD4WIN just because I’ll have to make another restore from Encase. But if that is the only way, I guess I’ll do it that way.

    Importing into a live Windows using Regedit overwrites the existing settings. Bad thing to do with an investigator laptop.

    Thanks.

    Comment by Sean McLinden — Thursday 5 July 2007 @ 20:16

  25. You don’t need a live CD, read my article, you can work with a copy of
    NTUSER.DAT and load the hive. This does not overwrite your settings.

    Comment by Didier Stevens — Thursday 5 July 2007 @ 20:23

  26. Thanks, that did it.

    Comment by Sean McLinden — Thursday 5 July 2007 @ 20:49

  27. Is there a commandline version that can be run and dump the output to a txt or cvs or html report?

    Comment by Brian — Monday 16 July 2007 @ 16:40

  28. [...] Engineering, My Software — Didier Stevens @ 6:05 I’m releasing version 2.3.0 of my UserAssist tool with these new [...]

    Pingback by UserAssist V2.3.0 « Didier Stevens — Tuesday 17 July 2007 @ 6:05

  29. [...] Stevens has released the latest iteration of his incredibly handy tool UserAssist. This tool, in a nutshell, displays a table of all of the programs executed on a windows machine. [...]

    Pingback by Liquidmatrix Security Digest » Stevens Releases UserAssist V2.3 — Tuesday 17 July 2007 @ 12:14

  30. @Brian

    I’ll see if I can add command-line support.

    Comment by Didier Stevens — Tuesday 17 July 2007 @ 13:15

  31. [...] My Software — Didier Stevens @ 8:11 My interview on the CyberSpeak podcast about my UserAssist tool is up. I discovered I speak English with a French accent But I’m not French, I’m [...]

    Pingback by CyberSpeak interview « Didier Stevens — Monday 23 July 2007 @ 8:12

  32. Didier,

    Great tool … thanks.

    Is it possible to get an explanation of the keys that are referenced in the output. I think that the list of possible keys that occur are:

    UEME_RUNPIDL:
    UEME_RUNPATH:
    UEME_CTLSESSION
    UEME_CTLCUACount:
    UEME_UISCUT:
    UEME_UIQCUT:
    UEME_UIHOTKEY:
    UEME_RUNWMCMD:
    UEME_RUNCPL:
    UEME_UITOOLBAR:

    I am attempting to use the data from a suspect’s imaged hard drive to show that the majority of his time on the computer was spent playing games and on the net. The data shows that there is many uses of Freecell and Hearts but there are even more occurrences of UEME_UIQCUT, UEME_RUNPATH, and UEME_RUNPIDL. What are these keys?

    Comment by Mark Hallman — Friday 24 August 2007 @ 19:44

  33. Be aware that the UserAssist entries only list how often a program has
    been started by a user and when it was last started. So it’s not the
    tool to assess how *long* programs were running.

    UEME_UIQCUT

    Applications launched from the quick launchbar are logged under the
    entry UEME_UIQCUT. There is no separate entry with the name or path of
    the launched application. I think the logic behind this is the
    following: the UserAssist entries are maintained by Windows Explorer
    to display the most frequently run applications on the start menu.
    Applications launched from the quick launchbar have already their
    “special” place on the GUI Windows, so there’s no need to keep stats
    about their usage.

    UEME_RUNPATH

    This is logged each time a program is started, look at the path to see
    which program. When a program is started by double-clicking it in
    Windows Explorer or by typing its name in the Run command, RUNPATH
    entries are created/updated but no UEME_RUNPATH entries are.

    A PIDL is a Pointer to an ID List. Every item in Explorer’s namespace,
    whether it’s a file, directory, Control Panel applet, or an object
    exposed by an extension, can be uniquely specified by its PIDL. If the
    UEME_RUNPIDL value starts with %csidl2%, then it refers to the start
    menu. Notice that most UEME_RUNPIDL values are names of folders in the
    start menu or shortcuts in the start menu (.lnk)

    If you’re a programmer, a PIDL is a Pointer to an IDL, and IDL is short
    for ITEMIDLIST (http://msdn2.microsoft.com/en-us/library/ms538107.aspx).
    Remember that we’re talking about Windows Explorer here, aka the
    shell, and a PIDL and ITEMIDLIST are shell structures used by
    programmers.

    You can find more information here:
    http://sistersincrime.toronto.on.ca/internetspysoftware.php

    Comment by Didier Stevens — Saturday 25 August 2007 @ 10:05

  34. [...] a key named Settings and under this new key create a DWORD value named NoLog with value 1. My UserAssist tool has a menu toggle (Logging disabled) to do this [...]

    Pingback by Disabling UserAssist Logging for Windows Vista « Didier Stevens — Saturday 8 September 2007 @ 20:14

  35. [...] programmino, che richiede il .NET Framework è scaricabile qui con i sorgenti. E’ anche disponibile un plugin per BartPE [...]

    Pingback by UserAssist: what is this? « Fare, disfare e rifare — Thursday 20 September 2007 @ 7:13

  36. This functionality is available from within Access Data’s program for reading the registry.

    Comment by Anonymous — Thursday 11 October 2007 @ 20:40

  37. And it’s also free and open source?

    Comment by Didier Stevens — Thursday 11 October 2007 @ 21:07

  38. [...] Forensics, My Software — Didier Stevens @ 6:36 The most important feature of this new UserAssist version is the explain command. Now you can right-click an entry, select explain and get a nice explanation [...]

    Pingback by UserAssist V2.4.1 « Didier Stevens — Tuesday 16 October 2007 @ 6:36

  39. Great tool. Is there a way to connect to a remote registry?

    Comment by John — Tuesday 30 October 2007 @ 13:07

  40. I didn’t program that feature, but I’ll add it to my todo list.

    However, you can connect to the registry of a remote machine with regedit. Export the UserAssist keys and load the exported file in my tool.

    Harlan Carvey has scripts that work remotely, but I don’t believe his scripts for the UserAssist keys work remotely. They operate on the hive file. His tools are included with his book http://www.syngress.com/catalog/?pid=4230.

    Comment by Didier Stevens — Wednesday 31 October 2007 @ 19:46

  41. [...] UserAssist - Una herramienta relativamente poco conocida de Didier Stevens que nos saca una lista de los programas que se han ejecutado, cuándo, y cuántas veces. [...]

    Pingback by alfredo reino » Archivo del Blog » Herramientas útiles — Friday 16 November 2007 @ 10:46

  42. [...] under: Forensics, My Software, Update — Didier Stevens @ 9:29 Just a small change in this new version: now you can disable the automatic loading of the local registry data when the UserAssist tool is [...]

    Pingback by Update: UserAssist V2.4.2 « Didier Stevens — Monday 26 November 2007 @ 9:29

  43. [...] like the UserAssist entries for Windows Server 2008 have the same format as for Windows Vista, my UserAssist tool can also extract the data from Windows Server [...]

    Pingback by Quickpost: Windows Server 2008 UserAssist Keys « Didier Stevens — Friday 11 January 2008 @ 18:37

  44. [...] From now on, I’ll update it each time I release a new version of my UserAssist utility. [...]

    Pingback by Update: A Windows Live CD plugin for my UserAssist utility « Didier Stevens — Monday 28 January 2008 @ 8:17

  45. Hi Didier,

    Can you please explain why I would receive a counter of zero? All my results for PIDL %csid16% came back with a counter of zero.

    Great tool by the way!

    Thanks in advance,

    Jenny

    Comment by Jenny — Thursday 7 February 2008 @ 21:15

  46. A counter equal to 0 indicates that the user right-clicked on the item in the start-menu and selected the command to remove the item from the list.

    Comment by Didier Stevens — Thursday 7 February 2008 @ 21:34

  47. [...] many values include FILETIME objects embedded within their binary data. For example, beneath the UserAssist keys, many of the values found within the Count subkey have 16 bytes of binary data associated with [...]

    Pingback by Log Analysis Professionals » Blog Archive » The Windows Registry as a Log File — Tuesday 8 April 2008 @ 11:33

  48. Didier. Thanks for the great tools. On UserAssist, (I am not a computer pro - just a power user), the output is generally a history report…yes? Therefore, all entries accessible by a right click can be safely deleted (clear tracks)…yes? Then, recycle bin shredding and overwrite will remove final traces, correct? Thx!

    Comment by Bruce Ades — Wednesday 14 May 2008 @ 11:18

  49. The UserAssist keys contain historical data.
    When you use my UserAssist tool to delete entries, it will actually delete registry keys. Deleted registry keys are not moved to the recycle bin, so there is no need to empty the recycle bin.

    However, I suspect that deleted registry entries are still present in the registry hive files (like NTUSER.DAT), until their space is reused. Registry compacting should take care of this.

    Comment by Didier Stevens — Friday 16 May 2008 @ 16:28

  50. Hi,

    program looks great but does not run on Windows 2000. It starts without opening a window and keeps the cpu goin’ on 100%. When opening using a shortcut and setting the window maximized it opens but does not show data or menu text. Also 100% cpu until I terminate the program.
    Dot.Net2 SP1 installed. Hope you can tweak the program to let it run on W2K.
    In the registry the keys look the same as described everywhere on the ‘net.

    Comment by Hans — Saturday 31 May 2008 @ 22:34

  51. I’ve used it in the past on W2K, it works. I believe that you have so many entries in the UserAssist keys that it takes a long time for my utility to analyze them all and display the result. Let the program run for some time and see what happens.

    Comment by Didier Stevens — Sunday 1 June 2008 @ 9:15

  52. Thanks very much for sharing your powerful and handy tool.

    Question 1:
    What causes the counter to have a negative value?

    Question 2:
    What causes the counter to have “Removed from list” instead of a number?

    I’ve been using this tool for some time, but today I have encountered above
    cases for the first time.

    Comment by Nobuyuki Hirato — Monday 4 August 2008 @ 9:01

  53. In fact, the counters are stored inside the binary registry data with an offset of 5. So if a program has been executed exactly once, the counter stored inside the binary registry data is equal to 6, and my UserAssist utility will subtract 5 and display 1. I believe that this +5 offset is a classic programming trick used by the MS programmers to be able to store special values in the same binary format.
    One special value I’ve identified is 0: this indicates that the program is never to appear in the start menu in the most executed programs list. A user can decide to remove a program from the start menu list by right-clicking the entry and selecting “Remove from this list” in the context menu. Internally, this action assigns a value of 0 to the counter. I’ve programmed UserAssist to display “Removed from list” in the counter column.
    Negative values in the counter column are special values that I’ve not yet identified. I’ve had reports of installation programs creating userassist registry entries with values 1 or 2, but I don’t know what this implies.

    Can you share which programs you’ve found with ‘negative counter values’?

    Comment by Didier Stevens — Monday 4 August 2008 @ 17:11
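The value layout described in the About box above (ROT13 name, 4-byte session, 4-byte counter, 8-byte FILETIME, plus the time zone caveat) and the +5 counter offset from the comment just above can be checked with a small parser. What follows is an added example written for this page in Python, not Didier's UserAssist code and not a script from the thread. It reads a constructed Regedit export (the hive is assumed to have been loaded under HKEY_USERS\LoadedHive, as the 'Load from DAT file' command does), matches only the tail of the key path, the way 'Load from REG file' ignores the full path, and decodes each entry into the tool's columns, converting the FILETIME to UTC rather than local time (the Last UTC column suggested in comment 15). All sample values, including the entry with raw counter 2 that decodes to -3 like the report later in this thread, are constructed, not real data.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout Regedit writes when exporting a key
# (here from a hive loaded under HKEY_USERS\LoadedHive). This is NOT data
# from a real system: the names are ROT13-encoded as Explorer stores them,
# and each 16-byte payload is session (4 bytes), raw counter (4 bytes) and a
# FILETIME (8 bytes), all little-endian.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\LoadedHive\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\pnyp.rkr"=hex:07,00,00,00,06,00,00,00,\
  00,c0,b0,09,c5,f5,c8,01
"HRZR_EHACVQY:%pfvqy2%\\Tnzrf\\Fbyvgnver.yax"=hex:07,00,00,00,00,00,00,00,\
  00,00,00,00,00,00,00,00
"HRZR_EHACVQY:%pfvqy6%\\fvgr.hey"=hex:07,00,00,00,02,00,00,00,\
  00,c0,b0,09,c5,f5,c8,01
"""

KEY_RE = re.compile(r"^\[(?P<path>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=hex:(?P<hex>.*)$')
# Match only the tail of the key path, so a hive exported under any root
# (HKEY_USERS\LoadedHive, HKEY_CURRENT_USER, ...) is accepted.
COUNT_KEY_RE = re.compile(r"\\UserAssist\\(?P<guid>\{[0-9A-F-]+\})\\Count$", re.IGNORECASE)

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COUNTER_OFFSET = 5  # Explorer stores count + 5; a stored 0 marks "removed from list"


def iter_reg_values(reg_text):
    """Yield (key_path, value_name, data) for every hex: value in a REG export."""
    lines = reg_text.splitlines()
    key, i = None, 0
    while i < len(lines):
        line = lines[i].strip()
        i += 1
        m = KEY_RE.match(line)
        if m:
            key = m.group("path")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        hex_part = m.group("hex")
        # Regedit wraps long hex values; a trailing backslash continues the line.
        while hex_part.endswith("\\") and i < len(lines):
            hex_part = hex_part[:-1] + lines[i].strip()
            i += 1
        name = re.sub(r"\\(.)", r"\1", m.group("name"))  # undo \\ and \" escapes
        yield key, name, bytes.fromhex(hex_part.replace(",", ""))


def filetime_to_utc(filetime):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC; 0 means no timestamp."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def decode_counter(raw_count):
    """Undo the +5 offset; 0 marks an entry the user removed from the Start menu."""
    if raw_count == 0:
        return "Removed from list"
    return raw_count - COUNTER_OFFSET  # negative results are undocumented special values


def decode_entry(name, data):
    """Decode one UserAssist value into the columns the tool displays."""
    entry = {"name": codecs.decode(name, "rot13"), "raw": data.hex()}
    if len(data) == 16:  # session entries (UEME_CTLSESSION) use another layout
        session, raw_count, filetime = struct.unpack("<IIQ", data)
        entry.update(session=session, counter=decode_counter(raw_count),
                     last_utc=filetime_to_utc(filetime))
    return entry


def parse_userassist(reg_text):
    """Return decoded entries in registry order, tagged with key GUID and index."""
    entries = []
    for key, name, data in iter_reg_values(reg_text):
        m = COUNT_KEY_RE.search(key or "")
        if not m:
            continue
        entry = decode_entry(name, data)
        entry.update(key=m.group("guid"), index=len(entries))
        entries.append(entry)
    return entries


if __name__ == "__main__":
    for e in parse_userassist(SAMPLE_REG):
        last = e.get("last_utc")
        print(e["index"], e["key"], e["name"], e.get("session"), e.get("counter"),
              last.isoformat() if last else "")
```

Feeding the script a real export means pointing `parse_userassist` at the contents of a .reg file produced by Regedit; the FILETIME conversion deliberately stays in UTC, so two exports taken in different time zones can be compared directly, and an entry with no timestamp is reported as `None` rather than as 1601-01-01.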

  54. Thanks for quick reply.

    > Can you share which programs you’ve found with ‘negative
    > counter values’?

    Yes.
    This time I’ve encountered two .url files under UEME_RUNPIDL:%csidl6%\, both indicated with values of -3.

    > Internally, this action assigns a value of 0 to the
    > counter. I’ve programmed UserAssist to display “Removed
    > from list” in the counter column.

    Does it mean all 0’s in the counter column should be
    replaced with “Removed from list”?
    I see a lot of entries with counter 0, apart from ones with “Removed from list”. Again, predominantly UEME_RUNPIDL:%csidl6%\??????.url ones.

    Comment by Nobuyuki Hirato — Tuesday 5 August 2008 @ 3:56

  55. No, a 0 counter in the Counter column of the UserAssist utility means again that this is a special value, but its meaning is unknown.

    csidl6 is the special directory with the user’s favorites.

    Is the last timestamp empty?

    Comment by Didier Stevens — Tuesday 5 August 2008 @ 18:35

  56. No, both of the two entries having -3 in Counter do have
    Last timestamps.
    As for the ones having 0 in Counter, Last timestamps are
    all empty.

    Comment by Nobuyuki Hirato — Wednesday 6 August 2008 @ 2:53

  57. That’s normal. I did some testing with favorites, but couldn’t reproduce the -3 counter.

    If you find more info, please let me know.

    Comment by Didier Stevens — Thursday 7 August 2008 @ 16:18

  58. OK. I’ll inform you when I find out something further.
    Thank you.

    Comment by Nobuyuki Hirato — Friday 8 August 2008 @ 11:13

  59. Thank you for your tool - I am looking for an explanation for “session” Is this an incremental # for every logon/boot. Am I correct that this session number only identifies the last session an application was accessed and need to use restore points to obtain if the application was used on a specific day - Thank you! - Paul

    Comment by Paul Smith — Thursday 23 October 2008 @ 12:42

  60. I have no definite explanation for the session value.
    I’ve not observed an increase of this value for every logon, but I’ve observed increments with 1 about every 24 hours, when the machine was on. Not exactly 24 hours, but a bit longer, and the variance looked random.

    Comment by Didier Stevens — Thursday 23 October 2008 @ 17:55
