With Windows 7 and Windows Server 2008 R2, the binary data format of the values stored in the UserAssist registry keys has changed.
Here’s a partial description of the new format:
- the counter is 32-bits long, starting at byte 4 (first byte is byte 0)
- the timestamp (64-bits) starts at byte 60
- there is a 32-bit value that appears to be the total time an application has focus, expressed in milliseconds (starts at byte 8)
For more details, read my article in the new forensic magazine Into The Boxes.
Don’t forget to use the special version of my UserAssist tool on Windows 7 and Windows Server 2008 R2.
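A parser for the fields listed above, added here as an example (it is not the UserAssist tool's own code): it reads the counter, focus time and FILETIME at the stated offsets and decodes the ROT13-encoded value name. The 72-byte value length and the sample values are assumptions; only the offsets come from the post.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Field offsets taken from the post (first byte is byte 0); all fields little-endian.
COUNTER_OFFSET = 4      # 32-bit run counter
FOCUS_OFFSET = 8        # 32-bit focus time in milliseconds (per the post)
TIMESTAMP_OFFSET = 60   # 64-bit FILETIME of the last run
VALUE_SIZE = 72         # assumed total size of a Windows 7 value; only the offsets come from the post

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to an aware UTC datetime (truncated to microseconds)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def decode_value_name(name):
    """UserAssist value names are stored ROT13-encoded; undo that."""
    return codecs.decode(name, "rot13")

def parse_userassist_win7(data):
    """Parse one Windows 7 / 2008 R2 UserAssist value blob into the fields the post documents."""
    if len(data) < TIMESTAMP_OFFSET + 8:
        raise ValueError("value too short for the Windows 7 format: %d bytes" % len(data))
    counter = struct.unpack_from("<I", data, COUNTER_OFFSET)[0]
    focus_ms = struct.unpack_from("<I", data, FOCUS_OFFSET)[0]
    filetime = struct.unpack_from("<Q", data, TIMESTAMP_OFFSET)[0]
    return {
        "run_count": counter,
        "focus_ms": focus_ms,
        "last_run": filetime_to_datetime(filetime) if filetime else None,  # zero = never run
    }

def build_sample_value(counter, focus_ms, filetime):
    """Constructed test blob: fields at the post's offsets, zero elsewhere (not real registry data)."""
    buf = bytearray(VALUE_SIZE)
    struct.pack_into("<I", buf, COUNTER_OFFSET, counter)
    struct.pack_into("<I", buf, FOCUS_OFFSET, focus_ms)
    struct.pack_into("<Q", buf, TIMESTAMP_OFFSET, filetime)
    return bytes(buf)

# Constructed sample: ROT13 of a path, and the FILETIME for 2010-12-29 00:00:00 UTC
# (Unix-epoch FILETIME 116444736000000000 + 1293580800 s * 10,000,000).
SAMPLE_NAME = "P:\\Jvaqbjf\\flfgrz32\\pnyp.rkr"
SAMPLE_VALUE = build_sample_value(counter=5, focus_ms=90000, filetime=129380544000000000)

if __name__ == "__main__":
    print(decode_value_name(SAMPLE_NAME), parse_userassist_win7(SAMPLE_VALUE))
```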
It isn’t working under Windows 7 64 bit, because the hash values are longer than on 32 bit!
Comment by Christof — Wednesday 29 December 2010 @ 10:50
@Christof What isn’t working? And to what hash values are you referring? If you’re talking about UserAssist for Windows 7, it works on my Windows 7 64 bit machine.
Comment by Didier Stevens — Wednesday 29 December 2010 @ 17:31
What is the formula for converting the 64-bit timestamps in bytes 60-67? I come up with 12-digit numbers after converting from hex to ascii, I’m trying to create a script to read these values. Great work btw, I love the tool!
Comment by Rich Rumble — Wednesday 13 April 2011 @ 1:15
@Rich The timestamp is a FILE_TIME datatype.
Comment by Didier Stevens — Wednesday 13 April 2011 @ 19:45
The “Focus time” (bytes 12-15) isn’t milliseconds for shortcuts (.lnk)
It’s counting the number of times the shortcut was executed.
Comment by Dobbelina — Wednesday 31 August 2011 @ 16:09
Handy resource: Known folder GUIDS: http://msdn.microsoft.com/en-us/library/bb882665.aspx
Comment by Anonymous — Friday 7 October 2011 @ 18:14