
Artifacts for Program execution Part 2: Jump Lists || RunMRU Start || UserAssist

Updated: Mar 24

1. Jump Lists


Get the full details on this artifact from my previous blog posts:

Blog 1: Unveiling the Significance of Jump List Files in Digital Forensics

Blog 2: Jump List Analysis: Tool --> JLECmd.exe


-----------------------------------------------------------------------------------------------------------


2. RunMRU (Start -> Run)


RunMRU is a registry key that records the commands executed through the Start -> Run feature in Windows. This key is located within the NTUSER.DAT hive at the following path:


NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\


Query it live from a command prompt:


reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU


Or export the key from the command prompt so it can be taken away and analyzed offline (reg save needs an elevated prompt):

reg save HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU C:\Users\User\Downloads\output1.hiv



By analyzing the RunMRU key, forensic investigators can gain insights into the actions performed by users on the system, including the commands they executed via the Run dialog.
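The ordering of RunMRU entries is not obvious from the raw values, so here is an added example (not code from the original post) that takes the text printed by `reg query` and lists the Run-dialog commands most recent first. It assumes the standard RunMRU layout: one REG_SZ value per command named a, b, c, ..., each suffixed with "\1", plus an MRUList REG_SZ value that lists those names with the most recently used first. The reg query output below is constructed sample data, not a real capture.

```python
"""Order RunMRU entries by recency from `reg query` output.

Added example, not from the original post. Assumes the standard RunMRU
layout: one REG_SZ value per command, named a, b, c, ..., each suffixed
with "\\1", plus an MRUList REG_SZ value listing those names with the most
recently used first.
"""
import re

# Constructed sample of what `reg query HKCU\...\RunMRU` prints (not real data).
# Value "d" is deliberately absent from MRUList to show how stale slots are kept.
SAMPLE_REG_QUERY_OUTPUT = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
    a    REG_SZ    cmd\1
    b    REG_SZ    notepad C:\Users\User\Desktop\notes.txt\1
    c    REG_SZ    \\fileserver\share\1
    d    REG_SZ    calc\1
    MRUList    REG_SZ    cba
"""

# name, type, data separated by runs of spaces; data may itself contain spaces
VALUE_LINE = re.compile(r"^\s*(\S+)\s+REG_SZ\s+(.*?)\s*$")


def parse_reg_query(text):
    """Return {value_name: data} for every REG_SZ line in reg query output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = m.group(2)
    return values


def runmru_history(text):
    """Return (slot, command) pairs, most recent first, with the '\\1' suffix stripped.

    Slots named in MRUList come first in MRUList order; any leftover lettered
    slots (entries no longer referenced by MRUList) are appended afterwards so
    nothing recorded in the key is silently dropped.
    """
    values = parse_reg_query(text)
    order = list(values.pop("MRUList", ""))
    leftovers = sorted(name for name in values if name not in order)
    history = []
    for name in order + leftovers:
        if name in values:
            cmd = values[name]
            if cmd.endswith("\\1"):
                cmd = cmd[:-2]
            history.append((name, cmd))
    return history


if __name__ == "__main__":
    for slot, cmd in runmru_history(SAMPLE_REG_QUERY_OUTPUT):
        print(f"{slot}: {cmd}")
```

Feed it the saved output of the `reg query` command above (or the same text produced by an offline registry tool) and the result reads top-down as the user's most recent Run-dialog commands; slots that MRUList no longer references are still reported at the end rather than discarded.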

-------------------------------------------------------------------------------------------------------------


3. UserAssist

UserAssist is a crucial component of Windows systems, particularly for tracking GUI-based programs launched from the desktop. It is located within the NTUSER.DAT hive, specifically under:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\




One notable aspect of UserAssist is that the value names are encoded with ROT-13, a simple letter-substitution cipher. This obscures the recorded program paths from casual inspection, though it is trivially reversed during analysis.

Understanding UserAssist involves recognising the GUIDs associated with different functionalities:


--- GUIDs for XP

• 75048700 Active Desktop

--- GUIDs for Win7-10

• CEBFF5CD Executable File Execution

• F4E57C4B Shortcut File Execution

--- Program Locations (known-folder GUIDs) for Win7-10 UserAssist

• ProgramFilesX64 6D809377-...

• ProgramFilesX86 7C5A40EF-...

• System 1AC14E77-...

• SystemX86 D65231B0-...

• Desktop B4BFCC3A-...

• Documents FDD39AD0-...

• Downloads 374DE290-...

• UserProfiles 0762D272-...
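Putting the ROT-13 encoding and the GUID tables together, here is an added example (not code from the original post) that decodes one UserAssist entry: it reverses the ROT-13 value name, swaps a leading known-folder GUID for a readable location, and parses the binary record into run count and last-execution time. It assumes the values sit in the Count subkey beneath each {GUID} key, the documented record layouts (16 bytes on XP with session id, run count and FILETIME; 72 bytes on Windows 7 and later with session id, run count, focus count, focus time in milliseconds and the FILETIME at offset 60), and the full known-folder GUIDs from Microsoft's KNOWNFOLDERID list, which the post only abbreviates. The sample name and record are constructed, not taken from a real hive.

```python
"""Decode a UserAssist entry: ROT-13 value name plus the binary Count record.

Added example, not from the original post. Assumes values live under
NTUSER.DAT\\...\\Explorer\\UserAssist\\{GUID}\\Count and the documented
record layouts: XP uses 16 bytes (session, run count, FILETIME); Windows 7+
uses 72 bytes (session, run count, focus count, focus time in ms, ..., FILETIME
at offset 60). The known-folder GUID table is assumed from Microsoft's
KNOWNFOLDERID list.
"""
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Known-folder GUIDs that prefix UserAssist paths on Windows 7-10 (assumed from KNOWNFOLDERID).
KNOWN_FOLDERS = {
    "6D809377-6AF0-444B-8957-A3773F02200E": "%ProgramFiles%",
    "7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E": "%ProgramFiles(x86)%",
    "1AC14E77-02E7-4E5D-B744-2EB1AE5198B7": "%SystemRoot%\\System32",
    "D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27": "%SystemRoot%\\SysWOW64",
    "B4BFCC3A-DB2C-424C-B029-7FE99A87C641": "%USERPROFILE%\\Desktop",
    "FDD39AD0-238F-46AF-ADB4-6C85480369C7": "%USERPROFILE%\\Documents",
    "374DE290-123F-4565-9164-39C4925E467B": "%USERPROFILE%\\Downloads",
    "0762D272-C50A-4BB0-A382-697DCD729B80": "%SystemDrive%\\Users",
}
GUID_PREFIX = re.compile(r"^\{([0-9A-Fa-f-]{36})\}")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601) to UTC; 0 means 'never'."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_name(rot13_name):
    """Undo the ROT-13 obfuscation and replace a leading known-folder GUID."""
    name = codecs.decode(rot13_name, "rot_13")
    m = GUID_PREFIX.match(name)
    if m:
        folder = KNOWN_FOLDERS.get(m.group(1).upper())
        if folder:
            name = folder + name[m.end():]
    return name


def parse_count_record(data):
    """Parse the binary Count value for either the XP or the Windows 7+ layout."""
    if len(data) == 16:                       # Windows XP
        _session, run_count, ft = struct.unpack("<IIQ", data)
        return {"run_count": run_count, "focus_count": None,
                "focus_time_ms": None, "last_executed": filetime_to_datetime(ft)}
    if len(data) == 72:                       # Windows 7 and later
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"run_count": run_count, "focus_count": focus_count,
                "focus_time_ms": focus_ms, "last_executed": filetime_to_datetime(ft)}
    raise ValueError(f"unexpected UserAssist record length {len(data)}")


def decode_entry(rot13_name, data):
    """Combine the decoded program path with the parsed execution counters."""
    entry = {"program": decode_name(rot13_name)}
    entry.update(parse_count_record(data))
    return entry


# Constructed sample: ROT-13 name for {System}\cmd.exe and a 72-byte Win7+ record
# with run count 7, focus count 3, focus time 45000 ms, last run 2024-01-15 12:00:00 UTC.
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_FILETIME = int((datetime(2024, 1, 15, 12, tzinfo=timezone.utc)
                       - FILETIME_EPOCH).total_seconds()) * 10_000_000
SAMPLE_DATA = (struct.pack("<IIII", 0, 7, 3, 45000) + b"\x00" * 44
               + struct.pack("<Q", SAMPLE_FILETIME) + b"\x00" * 4)

if __name__ == "__main__":
    print(decode_entry(SAMPLE_NAME, SAMPLE_DATA))
```

Run against the constructed sample this yields `%SystemRoot%\System32\cmd.exe` with a run count of 7 and a last-execution time of 2024-01-15 12:00:00 UTC; pointed at value names and data read from a real Count subkey (for example via an offline hive parser), the same functions give a per-program execution history that can be lined up against the RunMRU and Jump List evidence from the earlier sections.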


-------------------------------------------------------------------------------------------------------

