User Assist Registry Value Decoder
This EnScript is designed to decode data stored in the HKCU Registry UserAssist sub-key present in Windows XP and later operating systems.
This key monitors application usage so as to enable the system to populate each user's start menu with frequently used applications.
The UserAssist key will contain one or more sub-keys each with a name that is a GUID. Contained within each of those keys is a sub-key called Count; the entries themselves are contained therein.
The name of each UserAssist entry is ROT13 encoded. Beta versions of Windows 7 used the Vigenère cipher but the final release of the operating system reverted to ROT13. Vigenère is not supported by this script.
The entries that are of significance to the examiner are 16 bytes in length for operating systems prior to Windows 7 and 72 bytes in length for Windows 7 and later.
16-byte entries contain run-count and session-count variables, also a last-executed date/time stamp. The run-count variable is stored as 5 greater than the actual value so a stored value of 6 would represent an actual run-count of 1. A run-count of 0 is believed to be a special value used to prevent an application being shown in the start menu. The examiner may also encounter negative values but the significance of these is not currently known.
72-byte values were introduced with Windows 7. Not everything is known about these values but reverse engineering indicates the following -
The session-count is no longer stored and the run-count is stored as is (it is not incremented by 5); the last-executed date/time stamp is still present.
In addition to this, two additional variables are stored. These are a focus-counter and a focus-timer. The significance of the remaining bytes is unknown.
When an application is executed the run-counter is incremented by one. The system then tracks the time that the application has the focus. If the application is closed or looses focus then the focus-timer, which appears to be stored in milliseconds, will be incremented by the time tracked by the system.
Every time the application is out of focus but then receives the focus, the focus-counter is increased by one and the system starts tracking the focus time again. Note that the focus-counter is not incremented at the time the application is started, only when it has lost the focus and re-gains it.
Depending on whether anything in the case has been selected or not the script will process either all or selected files that have the name 'NTUSER.DAT' or else have a name starting with '_REGISTRY_USER_NTUSER' (System Restore files).
Because System Restore NTUSER.DAT Registry backups are stored outside of user folders, identifying each one is accomplished by having the script read file-system permission information and then using that data to interpret the SID that forms part of the backup name. This option can take some time so the examiner can opt to skip this step. Note that translation between SID and account name will only be possible if EnCase has that information: it may not, for instance, work for domain accounts.
The script produces its results in the form of note bookmarks and also a tab-separated-value (TSV) output file. The latter is suitable for opening in Microsoft Excel or another compatible spreadsheet application; the script can do this automatically if required.
Note that the output from the script will show both a run-count and an adjusted run-account. For post Windows-7 UserAssist entries these values will be the same.
The output from the script refers to two variables named Unknown 1 and Unknown 2.
For 72-byte entries these relate to the first four bytes and last four bytes respectively (shown as Little Endian integers in hex).
For entries that have a length other than 16 or 72 bytes then the script will list the entry-data in the note bookmark as separate hex values. If the data is 8 bytes or less then it will shown as the Unknown 1 value in the TSV file.
YOU MAY ALSO LIKE