Didier Stevens

Monday 4 January 2010

New Format for UserAssist Registry Keys

Filed under: Forensics,My Software,Windows 7 — Didier Stevens @ 15:29

With Windows 7 and Windows Server 2008 R2, the binary data format of the values stored in the UserAssist registry keys has changed.

Here’s a partial description of the new format:

  • the counter is 32-bits long, starting at byte 4 (first byte is byte 0)
  • the timestamp (64-bits) starts at byte 60
  • there is a 32-bit value that appears to be the total time an application has focus, expressed in milli-seconds (starts at byte 8 )

For more details, read my article in the new forensic magazine Into The Boxes.

Don’t forget to use the special version of my UserAssist tool on Windows 7 and Windows Server 2008 R2.


  1. It isn’t working under Windows 7 64 bit, because the hash values are longer thanon 32 bit!

    Comment by Christof — Wednesday 29 December 2010 @ 10:50

  2. @Christof What isn’t working? And to what hash values are you referring? If you’re talking about UserAssist for Windows 7, it works on my Windows 7 64 bit machine.

    Comment by Didier Stevens — Wednesday 29 December 2010 @ 17:31

  3. What is the formula for converting the 64-bit timestamps in bytes 60-67? I come up with 12-digit numbers after converting from hex to ascii, I’m trying to create a script to read these values. Great work btw, I love the tool!

    Comment by Rich Rumble — Wednesday 13 April 2011 @ 1:15

  4. @Rich The timestamp is a FILE_TIME datatype.

    Comment by Didier Stevens — Wednesday 13 April 2011 @ 19:45

  5. The “Focus time” (bytes 12-15) isn’t milliseconds for shorcuts (.Ink)
    It’s counting the number of times the shortcut was executed.

    Comment by Dobbelina — Wednesday 31 August 2011 @ 16:09

  6. Handy resource: Known folder GUIDS: http://msdn.microsoft.com/en-us/library/bb882665.aspx

    Comment by Anonymous — Friday 7 October 2011 @ 18:14

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.