Please select a template

EnCase App Central

Extend the power of EnCase. Access, download and install software apps built by expert EnScript developers that help you get down to business – faster.

Become a Developer

User Assist Registry Value Decoder

This EnScript is designed to decode data stored in the HKCU Registry UserAssist sub-key present in Windows XP and later operating systems.

This key monitors application usage so as to enable the system to populate each user's start menu with frequently used applications.

The UserAssist key will contain one or more sub-keys each with a name that is a GUID. Contained within each of those keys is a sub-key called Count; the entries themselves are contained therein.

The name of each UserAssist entry is ROT13 encoded. Beta versions of Windows 7 used the Vigenère cipher but the final release of the operating system reverted to ROT13. Vigenère is not supported by this script.

The entries that are of significance to the examiner are 16 bytes in length for operating systems prior to Windows 7 and 72 bytes in length for Windows 7 and later.

16-byte entries contain run-count and session-count variables, also a last-executed date/time stamp. The run-count variable is stored as 5 greater than the actual value so a stored value of 6 would represent an actual run-count of 1. A run-count of 0 is believed to be a special value used to prevent an application being shown in the start menu. The examiner may also encounter negative values but the significance of these is not currently known.

72-byte values were introduced with Windows 7. Not everything is known about these values but reverse engineering indicates the following -

The session-count is no longer stored and the run-count is stored as is (it is not incremented by 5); the last-executed date/time stamp is still present.

In addition to this, two additional variables are stored. These are a focus-counter and a focus-timer. The significance of the remaining bytes is unknown.

When an application is executed the run-counter is incremented by one. The system then tracks the time that the application has the focus. If the application is closed or looses focus then the focus-timer, which appears to be stored in milliseconds, will be incremented by the time tracked by the system.

Every time the application is out of focus but then receives the focus, the focus-counter is increased by one and the system starts tracking the focus time again. Note that the focus-counter is not incremented at the time the application is started, only when it has lost the focus and re-gains it.

Depending on whether anything in the case has been selected or not the script will process either all or selected files that have the name 'NTUSER.DAT' or else have a name starting with '_REGISTRY_USER_NTUSER' (System Restore files).

Because System Restore NTUSER.DAT Registry backups are stored outside of user folders, identifying each one is accomplished by having the script read file-system permission information and then using that data to interpret the SID that forms part of the backup name. This option can take some time so the examiner can opt to skip this step. Note that translation between SID and account name will only be possible if EnCase has that information: it may not, for instance, work for domain accounts.

The script produces its results in the form of note bookmarks and also a tab-separated-value (TSV) output file. The latter is suitable for opening in Microsoft Excel or another compatible spreadsheet application; the script can do this automatically if required.

Note that the output from the script will show both a run-count and an adjusted run-account. For post Windows-7 UserAssist entries these values will be the same.

The output from the script refers to two variables named Unknown 1 and Unknown 2.

For 72-byte entries these relate to the first four bytes and last four bytes respectively (shown as Little Endian integers in hex).

For entries that have a length other than 16 or 72 bytes then the script will list the entry-data in the note bookmark as separate hex values. If the data is 8 bytes or less then it will shown as the Unknown 1 value in the TSV file.

Download Now



Version: 4.2.1
Tested with:
EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

553 DOWNLOADS

YOU MAY ALSO LIKE

Artifact

WebCacheV01.dat Internet History Decoder

This EnScript parses Internet history data from WebCacheV01.dat files. This includes the Internet history data generated by the Microsoft Internet Explorer and Edge web-browser programs.
By Simon Key
9079 Downloads
App
Artifact

Cortana Search Decoder

Decodes the search terms stored in IndexedDB.edb files used by the Microsoft Windows Cortana search function.
By Simon Key
2429 Downloads
App
Artifact

ShellBags Parser

Parses recent-folder view settings maintained by the Microsoft Windows operating system.
By Simon Key
738 Downloads
App
Artifact

Windows Search Application Data Parser

This script parses data maintained by the Windows search function relating to recently-used applications and documents
By Simon Key
449 Downloads
App