# UserAssist Keys

## **UserAssist**

### **Overview:**

* **Purpose**: Tracks programs, shortcuts, and files the user launched through the Windows Explorer GUI (double-click, Start menu, taskbar, Run dialog). Launches that bypass the shell, such as a process started from a command prompt or spawned directly by another program, are generally not recorded.
* **Registry Location**:
  * `HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count`
  * Because it sits under `HKCU`, the data lives in each user's `NTUSER.DAT`; on a dead-box image, parse every profile's hive.
  * On Windows 7 and later the two subkeys of interest are `{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}` (executables) and `{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}` (shortcuts, i.e. `.lnk` files).
* **Structure**:
  * Value **names** are ROT13-obfuscated paths of the applications, shortcuts, or files accessed by the user. ROT13 is a fixed letter rotation, not encryption: it is reversible by hand and exists only to keep the key from being grepped. System directories often appear as KNOWNFOLDERID GUIDs instead of literal paths (for example `{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}` stands for `System32`).
  * Value **data** is a binary record (72 bytes on Windows 7 and later, 16 bytes on XP) holding the counters and the last-execution timestamp.

### **Benefits for DFIR:**

* **Tracking User Activity**: Allows investigators to determine which applications, shortcuts, or files a specific user executed through the GUI, attributed to that user account rather than to the system as a whole.
* **Timeline Reconstruction**: Provides the last-execution timestamp and a run count for each item, plus (on Windows 7 and later) how often and for how long the application had window focus.
* **Caveats**: Only the most recent execution time is kept per item, so a run count of 7 tells you how often, not when each run happened. The absence of an entry does not prove a program was never run, since non-GUI launches are not recorded and the key can be cleared by cleaning tools or disabled by policy (Explorer's "Turn off user tracking" setting). Corroborate with Prefetch, Amcache, ShimCache, and Jump Lists.

### **How It Works:**

* Each entry consists of a value name and a binary value:
  * **Name**: ROT13-encoded path or name of the application or shortcut.
  * **Run Count**: Number of times the item was executed via the GUI (on Windows XP the counter starts at 5, so the stored value minus 5 is the true count; on Windows 7 and later it is stored directly).
  * **Focus Count** and **Focus Time** (Windows 7 and later): how many times the application's window received focus and the cumulative time in milliseconds it held focus.
  * **Last Execution Time**: A 64-bit Windows FILETIME (100-nanosecond ticks since 1601-01-01) stored in UTC; a value of zero means no time was recorded.
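The decoding and record parsing described above, as an added worked example (this is illustrative code written for this page, not a tool or script from the original notes). It assumes the Windows 7+ 72-byte layout (run count at offset 4, focus count at 8, focus time at 12, FILETIME at 60) and the XP 16-byte layout (count at 4, FILETIME at 8), and the GUID subkey names listed above; the `SAMPLE_HIVE` values are constructed, not taken from a real system. Feeding it real data means reading `...\UserAssist\{GUID}\Count` from an `NTUSER.DAT` with a hive library such as python-registry and passing the value names and raw bytes in the same dictionary shape.

```python
"""Offline UserAssist parser: ROT13 value names + binary Count records (added example)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Subkey GUIDs under ...\Explorer\UserAssist on Windows 7 and later.
GUID_EXECUTABLES = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
GUID_SHORTCUTS = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"

# A few KNOWNFOLDERID values that replace literal directories in entry names.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"%SystemRoot%\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"%ProgramFiles(x86)%",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": r"%SystemRoot%",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(encoded: str) -> str:
    """ROT13 is its own inverse, so decoding is the same rotation as encoding."""
    return codecs.decode(encoded, "rot_13")


def resolve_known_folders(path: str) -> str:
    for guid, folder in KNOWN_FOLDERS.items():
        path = path.replace(guid, folder)
    return path


def filetime_to_datetime(ft: int):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; zero means 'never recorded'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_count_data(data: bytes) -> dict:
    if len(data) == 72:  # Windows 7 and later (assumed layout, see lead-in)
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"run_count": run_count, "focus_count": focus_count,
                "focus_time_ms": focus_ms, "last_run": filetime_to_datetime(ft)}
    if len(data) == 16:  # Windows XP: stored counter starts at 5
        _session, count, ft = struct.unpack("<IIQ", data)
        return {"run_count": max(count - 5, 0), "focus_count": None,
                "focus_time_ms": None, "last_run": filetime_to_datetime(ft)}
    raise ValueError(f"unexpected UserAssist record length {len(data)}")


def parse_userassist(hive_values: dict) -> list:
    """hive_values: {guid_subkey: {rot13_value_name: raw_bytes}} -> newest-first list."""
    entries = []
    for guid, values in hive_values.items():
        kind = "exe" if guid == GUID_EXECUTABLES else "lnk" if guid == GUID_SHORTCUTS else "other"
        for enc_name, data in values.items():
            name = decode_name(enc_name)
            if name.startswith("UEME_CTL"):  # session bookkeeping value, not a launch
                continue
            rec = parse_count_data(data)
            rec.update({"kind": kind, "name": name, "path": resolve_known_folders(name)})
            entries.append(rec)
    entries.sort(key=lambda e: e["last_run"] or FILETIME_EPOCH, reverse=True)
    return entries


# --- constructed sample data (hypothetical, not from a real hive) -------------
def _filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _win7_record(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44 + struct.pack("<Q", _filetime(last_run)) + b"\x00" * 4)


SAMPLE_HIVE = {
    GUID_EXECUTABLES: {
        "HRZR_PGYFRFFVBA": b"\x00" * 8,  # UEME_CTLSESSION
        "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr":  # {System32}\cmd.exe
            _win7_record(7, 12, 48_000, datetime(2024, 3, 15, 10, 30, tzinfo=timezone.utc)),
        "Zvpebfbsg.Jvaqbjf.Rkcybere":  # Microsoft.Windows.Explorer
            _win7_record(340, 900, 7_200_000, datetime(2024, 3, 16, 8, 5, tzinfo=timezone.utc)),
    },
    GUID_SHORTCUTS: {
        "P:\\Hfref\\nyvpr\\Qrfxgbc\\Abgrcnq.yax":  # C:\Users\alice\Desktop\Notepad.lnk
            _win7_record(1, 1, 2_500, datetime(2024, 3, 14, 17, 45, tzinfo=timezone.utc)),
    },
}

if __name__ == "__main__":
    for e in parse_userassist(SAMPLE_HIVE):
        ts = e["last_run"].strftime("%Y-%m-%d %H:%M:%S UTC") if e["last_run"] else "never"
        print(f"{ts}  runs={e['run_count']:<4} {e['kind']}  {e['path']}")
```

The sort puts the most recent launch first, which is the order you want when building a timeline; `UEME_CTLSESSION` is skipped because it is session bookkeeping rather than a program launch.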

### **Tools:**

* **Registry Explorer** (Eric Zimmerman): Its UserAssist plugin decodes the ROT13 names and the binary records and presents them in a sortable grid; works against an exported `NTUSER.DAT`.
* **RegRipper**: The `userassist` plugin dumps decoded entries with run counts and timestamps from an offline hive, convenient for scripted triage.
* **UserAssistView** (NirSoft): Dedicated tool for decoding and analyzing UserAssist data on a live system.
* **Autoruns** (Sysinternals): Not a UserAssist parser, but useful once names are decoded to cross-check whether a suspicious executable is also registered as an autostart entry.

For example:

<figure><img src="/files/yP5GLdIhkp30KIwoopd7" alt=""><figcaption></figcaption></figure>

