UserAssist Keys

The UserAssist key contains information about the executable files and links that you open frequently.

UserAssist

Overview:

  • Purpose: Tracks user activity related to launching applications and files through the Windows Explorer interface.

  • Registry Location:

    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

  • Structure:

    • Each entry is a registry value whose name is ROT13-encoded (a simple letter-substitution cipher) and identifies the application, shortcut, or file the user accessed; the value data holds the execution statistics in binary form.

Benefits for DFIR:

  • Tracking User Activity: Allows investigators to determine which applications or files were executed by a user.

  • Timeline Reconstruction: Provides timestamps of the last execution and a count of executions for specific items.

How It Works:

  • Each entry includes:

    • Name: Encoded path or name of the application.

    • Run Count: Number of times the item was executed.

    • Last Execution Time: Timestamp in UTC.
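As an added example that is not part of the original notes, the Python below decodes a ROT13 value name and parses the value data into the three fields listed above. The binary layout it assumes is the 72-byte format used by Windows 7 and later (run count at offset 4, focus count at 8, focus time in milliseconds at 12, and the last-execution FILETIME at offset 60); the Windows XP/Vista 16-byte format is not handled. The value name and the data blob are constructed here for the demonstration, not taken from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(rot13_name):
    """Undo the ROT13 applied to UserAssist value names (ASCII letters only)."""
    return codecs.decode(rot13_name, "rot13")


def filetime_to_datetime(filetime):
    """Convert a FILETIME integer to a timezone-aware UTC datetime (None if unset)."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def parse_userassist_value(data):
    """Parse the Windows 7+ UserAssist value data (assumed 72-byte layout)."""
    if len(data) < 68:
        raise ValueError("value data too short for the Windows 7+ layout")
    # Offsets 4, 8 and 12 hold three little-endian uint32 counters.
    run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, 4)
    # Offset 60 holds the last-execution timestamp as a 64-bit FILETIME.
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_time_ms,
        "last_run_utc": filetime_to_datetime(last_run_ft),
    }


def decode_entry(value_name, value_data):
    """Combine the decoded name and the parsed statistics into one record."""
    record = {"name": decode_name(value_name)}
    record.update(parse_userassist_value(value_data))
    return record


def build_sample_value(run_count, focus_count, focus_time_ms, last_run):
    """Construct a 72-byte blob in the assumed layout (test data, not a real hive value)."""
    filetime = int((last_run - FILETIME_EPOCH).total_seconds()) * 10_000_000
    blob = bytearray(72)
    struct.pack_into("<IIII", blob, 0, 0, run_count, focus_count, focus_time_ms)
    struct.pack_into("<Q", blob, 60, filetime)
    return bytes(blob)


# Constructed sample: a ROT13 name with the usual known-folder GUID prefix,
# paired with a blob recording 5 runs, last run at 2024-01-01 00:00:00 UTC.
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_DATA = build_sample_value(
    run_count=5,
    focus_count=3,
    focus_time_ms=12000,
    last_run=datetime(2024, 1, 1, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    entry = decode_entry(SAMPLE_NAME, SAMPLE_DATA)
    for key, value in entry.items():
        print(f"{key}: {value}")
```

To run this against a live system, read the value names and data from the UserAssist subkeys with `winreg` (each `{GUID}\Count` subkey holds the entries) and pass them to `decode_entry`; when a parse fails or the run count looks implausible, check whether the hive came from a pre-Windows 7 system.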

Tools:

  • Registry Explorer: Decodes ROT13 values and presents data in an easy-to-read format.

  • Autoruns: Verifies legitimacy of executed applications.

  • UserAssistView: Dedicated tool for decoding and analyzing UserAssist data.
