Didier Stevens

Friday 4 August 2006

Update: UserAssist utility

Filed under: Reverse Engineering,Update — Didier Stevens @ 6:16

I’ve enhanced my UserAssist utility. After I published my utility, I had to do a small forensic investigation, but I couldn’t install my program on the machine. That’s why I added a feature to import from a REG file.

The treeview has been replaced with a table that also displays the session ID, counter and last timestamp of each entry.

[Screenshot: userassistv2a.PNG]

The commands are in a pull-down menu:

[Screenshot: userassistv2b.PNG]

New commands:

  • Load from REG file.
  • Logging Disabled

The about dialog contains a help section.

I posted my program (source code and binaries) here on the gotdotnet site. Download the ZIP file, you’ll have to extract UserAssist\UserAssist\bin\Release\UserAssist.exe to get my program. There is no setup, it’s just one executable. You’ll need the .NET Framework 2.0 runtime to run my program (download it only if you have a problem running my program, if you have an up-to-date version of Windows XP, the .NET 2.0 Framework will already be installed).

9 Comments »

  1. Cool tool! What’s the offset to the session ID, and do you know what that maps to? I wrote some scripts for ProDiscover that parse this info, and I’d like to add this to them…

    Thanks,

    Harlan

    Comment by keydet89 — Wednesday 9 August 2006 @ 1:11

  2. I don’t yet have a full understanding of the Session ID, but here’s what I discovered:

    – these observations apply to the 2 count keys: {5E6AB780-7743-11CF-A12B-00AA004AE837} and {75048700-EF1F-11D0-9888-006097DEACF9}
    – each count key has its own session ID and appears to work independently from the other
    – each time an entry with 16 bytes of binary data is created or updated, the first 4 bytes are set equal to the last 4 bytes of the binary data of the UEME_CTLSESSION entry. That’s why I call those numbers session IDs.
    – example: you launch notepad, the session ID of UEME_CTLSESSION is 123, then the session ID for the notepad entry will be 123
    – the session ID in UEME_CTLSESSION appears to increase by 1 each day (each day you use your computer)
    – after you’ve deleted all entries and restarted Windows Explorer, the UEME_CTLSESSION entries are created with session IDs equal to 0
    – the first 4 bytes of the binary data of the UEME_CTLSESSION entry are also a timestamp, but in another format which I’ve still to understand (it appears to count in units of 53.69 seconds).

    Hope this makes sense

    Comment by Didier Stevens — Wednesday 9 August 2006 @ 17:33
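As an added example (not Didier’s code, and not taken from the UserAssist utility itself), here is a small Python parser for the REG-file import path the post describes: it reads an exported Count key and decodes each value into the session ID, counter and last timestamp columns the table shows, using the layout comment 2 describes. Assumptions, none of which come from the page: the .reg export below is constructed; value names are ROT13-encoded, which is how Windows XP stores them; the 16-byte entries are taken as session ID, counter and last-run FILETIME, in that order and little-endian; and the UEME_CTLSESSION entry is taken as 8 bytes with the session ID in its last dword, as comment 2 states. The names load_reg_text, load_reg_file and tag_current_session are this example’s own.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample .reg export ("Windows Registry Editor Version 5.00" format)
# of one UserAssist Count key. Value names are ROT13-encoded, as Windows XP
# stores them; the FILETIME in the 16-byte entries decodes to 2006-08-04 06:16 UTC.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_PGYFRFFVBA"=hex:a2,a1,d8,0e,7b,00,00,00
"HRZR_EHACNGU"=hex:7b,00,00,00,06,00,00,00,00,50,88,74,8d,b7,c6,01
"HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\abgrcnq.rkr"=hex:7b,00,00,00,07,00,00,\
  00,00,50,88,74,8d,b7,c6,01
'''

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME = count of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_reg_text(text):
    """Yield (key_path, value_name, raw_bytes) for every hex: value in a .reg text."""
    # A hex: value may continue on the next line after a trailing backslash.
    text = re.sub(r',\\\r?\n\s*', ',', text)
    key = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]*)$', line)
        if m and key is not None:
            # .reg files escape backslash and double quote inside value names
            name = m.group(1).replace('\\\\', '\\').replace('\\"', '"')
            yield key, name, bytes.fromhex(m.group(2).replace(',', ''))


def decode_userassist(key, name, data):
    """Decode one Count value: ROT13 name plus the assumed XP layout
    (16 bytes = session ID, counter, last-run FILETIME, all little-endian)."""
    entry = {'key': key, 'name': codecs.decode(name, 'rot_13'), 'size': len(data)}
    if len(data) == 16:
        session, count, ft = struct.unpack('<IIQ', data)
        # count is the raw stored value; XP is widely reported to start it at 5,
        # so forensic tools commonly subtract 5 to get the number of runs
        entry.update(session=session, count=count, last_run=filetime_to_datetime(ft))
    elif entry['name'] == 'UEME_CTLSESSION' and len(data) == 8:
        # per comment 2: last dword = session ID copied into created/updated
        # entries; first dword = a timestamp in another format (left raw here)
        entry.update(raw_first_dword=struct.unpack('<I', data[:4])[0],
                     session=struct.unpack('<I', data[4:])[0])
    return entry


def load_reg_text(text):
    """Decode every value under a UserAssist Count key found in the text."""
    return [decode_userassist(k, n, d) for k, n, d in parse_reg_text(text)
            if k.rsplit('\\', 1)[-1].lower() == 'count']


def load_reg_file(path):
    # regedit 5.00 exports are UTF-16LE with a BOM; the 'utf-16' codec consumes it
    with open(path, encoding='utf-16') as f:
        return load_reg_text(f.read())


def tag_current_session(entries):
    """Per comment 2, each Count key has its own session ID and an entry written
    in the current session carries the UEME_CTLSESSION value; anything else was
    last updated in an earlier session (the CTLSESSION ID grows by one per day)."""
    current = {e['key']: e['session'] for e in entries
               if e['name'] == 'UEME_CTLSESSION' and 'session' in e}
    for e in entries:
        if 'session' in e and e['name'] != 'UEME_CTLSESSION':
            e['current_session'] = (e['session'] == current.get(e['key']))
    return entries


if __name__ == '__main__':
    for e in tag_current_session(load_reg_text(SAMPLE_REG)):
        print(e['name'], e.get('session'), e.get('count'),
              e.get('last_run'), e.get('current_session'))
```

Against a real export, call load_reg_file('UserAssist.reg') instead of using the constructed sample; any value that is neither 16 bytes nor the 8-byte UEME_CTLSESSION entry is reported with its decoded name and size only, rather than being guessed at.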

  3. I can’t seem to run the UserAssist program. I installed the .Net Framework, restarted the computer and moved UserAssist to the C: directory (though I’d prefer to have it on a different system). When I double click C:\UserAssist\bin\Release\UserAssist.exe, I see a pointer with an hourglass and then nothing.

    Cheers,
    jon

    Comment by Jon Meads — Sunday 20 August 2006 @ 21:59

  4. I’ve been using UserAssistView (v1.00, NirSoft) for a few months now, and recently came across your app. Can it be used, with its full set of features, from removable media (CD/DVD, USB)?

    Comment by Ronin Vladiamhe — Tuesday 9 June 2009 @ 21:41

  5. Question answered, yes, though .NET Framework 2.0 is required on the pc being UA’d. Will it leave any “traces” when run as a portable app?

    Comment by Ronin Vladiamhe — Tuesday 9 June 2009 @ 21:46

  6. Actually, looks like your app no longer exists.

    Comment by Ronin Vladiamhe — Tuesday 9 June 2009 @ 21:48

  7. Yes it will leave traces, the tool is not designed not to leave traces.

    Comment by Didier Stevens — Wednesday 10 June 2009 @ 8:35

  8. […] run per user. This is a terrific artifact for proving user activity and can be easily viewed using UserAssist.exe written by Didier Stevens. Evidence of manual execution can be found within this registry key when […]

    Pingback by De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 – Windows XP) | Forensic Methods — Wednesday 1 June 2011 @ 3:15
