
The UserAssist registry key in Windows is a goldmine of forensic data, revealing which applications were executed, how often they were used, and when they were last run. While analyzing this key is challenging because of its encoding (value names are stored in ROT-13) and format irregularities, it remains one of the most valuable artifacts for tracking user activity on a system.
-------------------------------------------------------------------------------------------------------------
What Is UserAssist?
UserAssist records GUI-based application executions. It does not track:
❌ Background processes
❌ Command-line executions
❌ Scheduled tasks
Forensic analysts use UserAssist to reconstruct user activity—identifying the most frequently used programs, last execution times, and which applications had user focus.
-------------------------------------------------------------------------------------------------------------
Where Is UserAssist Stored in the Registry?
UserAssist data is stored per user profile, in the NTUSER.DAT hive (HKCU when the user is logged on), under:
NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
Each UserAssist key contains multiple GUID-labeled subkeys, representing different methods of application execution.

-------------------------------------------------------------------------------------------------------------
What Data Does UserAssist Contain?
UserAssist logs several details about GUI-based application execution, including:
✅ Last Run Time – The last recorded execution of an application (stored in Windows FILETIME format).
✅ Run Count – The number of times the application has been opened.
✅ Application Name & Path – The full file path of the executed application.
✅ Focus Time – The total time (in milliseconds) the application was actively in use.
✅ Focus Count – The number of times the application became the active window.

💡 Key Insight: Since UserAssist tracks focus time, it can reveal not just what applications were run, but which ones were actually used.
-------------------------------------------------------------------------------------------------------------
Understanding the GUIDs in UserAssist
Each UserAssist entry is stored under a GUID (Globally Unique Identifier). The two most important GUIDs are:
CEBFF5CD-ACE2-4F4F-9178-9926F41749EA → Tracks applications executed directly via .exe files (e.g., double-clicking a program).
F4E57C4B-2036-45F0-A9AB-443BCFE33D9F → Tracks applications executed via shortcuts (e.g., Start Menu, taskbar, desktop shortcuts).
💡 Why This Matters: If an application appears under both GUIDs, it means the user executed it using multiple methods, which can help build a pattern-of-life analysis.
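To make the fields and GUIDs above concrete, here is an added Python example (written for this article, not code from the original post or from any forensic tool) that decodes the ROT-13 value names, parses the value data into Last Run Time, Run Count, Focus Count and Focus Time, labels each record with its execution method from the GUID, and reports programs that appear under both GUIDs. It assumes the 72-byte value layout used since Windows 7 (run count at offset 4, focus count at 8, focus time at 12, last-run FILETIME at 60) and a default-install mapping for the known-folder GUIDs that prefix many value names; the sample input is constructed, not captured from a real system.

```python
import codecs
import ntpath
import struct
from datetime import datetime, timedelta, timezone

# The two GUID subkeys discussed above.
GUID_EXE = "CEBFF5CD-ACE2-4F4F-9178-9926F41749EA"  # executed directly as .exe
GUID_LNK = "F4E57C4B-2036-45F0-A9AB-443BCFE33D9F"  # executed via a shortcut

# Known-folder GUID prefixes seen in decoded value names. The paths are the
# defaults of a standard install (an assumption: real locations come from the
# profile under examination).
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": r"C:\Program Files",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": r"C:\Program Files (x86)",
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; 0 means no recorded run."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def decode_value_name(rot13_name: str) -> str:
    """Undo the ROT-13 applied to value names and expand a leading known-folder GUID."""
    name = codecs.decode(rot13_name, "rot_13")
    for guid, path in KNOWN_FOLDERS.items():
        if name.upper().startswith(guid):
            return path + name[len(guid):]
    return name

def parse_value_data(data: bytes) -> dict:
    """Parse the 72-byte (Windows 7 and later) value layout: offset 0 session id,
    4 run count, 8 focus count, 12 focus time in ms, 60 last-run FILETIME.
    Bytes 16-59 are reserved and not interpreted here."""
    if len(data) < 68:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {"session_id": session, "run_count": run_count, "focus_count": focus_count,
            "focus_time_ms": focus_ms, "last_run": filetime_to_datetime(last_run)}

def parse_userassist(key_tree: dict) -> list:
    """key_tree maps GUID -> {ROT-13 value name: raw bytes}, mirroring the registry
    layout beneath each GUID's Count subkey. Returns one record per value."""
    records = []
    for guid, values in key_tree.items():
        method = {GUID_EXE: "exe", GUID_LNK: "shortcut"}.get(guid.upper(), "other")
        for rot_name, raw in values.items():
            rec = parse_value_data(raw)
            rec["path"] = decode_value_name(rot_name)
            rec["method"] = method
            records.append(rec)
    return records

def program_stem(path: str) -> str:
    """'...\\notepad.exe' and 'Accessories\\Notepad.lnk' both map to 'notepad'."""
    return ntpath.splitext(ntpath.basename(path))[0].lower()

def used_via_both_methods(records: list) -> set:
    """Programs that appear under both GUIDs (matched on file name without extension,
    because shortcut entries are recorded under their .lnk name)."""
    methods = {}
    for rec in records:
        methods.setdefault(program_stem(rec["path"]), set()).add(rec["method"])
    return {stem for stem, m in methods.items() if {"exe", "shortcut"} <= m}

def build_sample_value(run_count, focus_count, focus_ms, last_run) -> bytes:
    """Constructed value data in the 72-byte layout (not captured from a real system)."""
    return (struct.pack("<4I", 1, run_count, focus_count, focus_ms) + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4)

# Constructed sample: notepad started by double-clicking the .exe and via a Start Menu shortcut.
SAMPLE_TIME = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE_TREE = {
    GUID_EXE: {codecs.encode(r"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}\notepad.exe", "rot_13"):
               build_sample_value(7, 3, 120_000, SAMPLE_TIME)},
    GUID_LNK: {codecs.encode(r"Accessories\Notepad.lnk", "rot_13"):
               build_sample_value(2, 2, 15_000, SAMPLE_TIME - timedelta(days=1))},
}

if __name__ == "__main__":
    recs = parse_userassist(SAMPLE_TREE)
    for rec in recs:
        print(f'{rec["method"]:8} runs={rec["run_count"]:<3} focus={rec["focus_time_ms"]} ms '
              f'last={rec["last_run"]} {rec["path"]}')
    print("used via both methods:", used_via_both_methods(recs))
```

A real hive would be read with a registry parser (for example the python-registry package) and fed into parse_userassist in the same GUID -> {name: bytes} shape; the 16-byte Windows XP layout (run count at offset 4, FILETIME at 8) is not handled here.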

-------------------------------------------------------------------------------------------------------------
How UserAssist Helps in Digital Forensics
🔍 1. Tracking User Behavior & Application Usage
Shows which applications were used most frequently.
Identifies recently executed programs, even if they were deleted.
🔍 2. Detecting Suspicious Activity & Insider Threats
If sensitive files were accessed around a breach, UserAssist may reveal which programs were used.
If remote desktop tools (e.g., AnyDesk, TeamViewer) appear, it may indicate unauthorized access.
🔍 3. Malware & Threat Investigations
UserAssist helps track malicious programs that rely on GUI execution.
Can show when ransomware, phishing tools, or keyloggers were launched.
-------------------------------------------------------------------------------------------------------------
Limitations of UserAssist
⚠️ Not All Executions Are Tracked – Command-line tools and background processes do not appear in UserAssist.
⚠️ Data Loss from System Updates – Major Windows updates may reset UserAssist data.
⚠️ Potential False Positives – Simply clicking “Open File Location” in the Start Menu can create an entry, even if the application wasn’t actually run.
⚠️ Inconsistent Focus Time Data – Some applications do not record focus time, making exact usage tracking unreliable.
-------------------------------------------------------------------------------------------------------------
Best Practices for Investigating UserAssist
1️⃣ Use Forensic Tools – Decode the ROT-13 value names and binary value data with Registry Explorer, RegRipper, or KAPE.
2️⃣ Cross-Reference Other Execution Artifacts – Prefetch, BAM/DAM, AmCache, and Event Logs can fill gaps left by UserAssist.
3️⃣ Analyze GUIDs Separately – Identify execution method patterns by looking at different GUIDs.
4️⃣ Watch for Unexpected Programs – Look for remote access tools, encryption software, or admin utilities that may indicate compromise.
5️⃣ Sort & Filter Data for Insights – Use Run Count, Last Run Time, and Focus Time to prioritize analysis.
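The following added Python example (written for this article, not code from the original post or from any of the tools named above) applies practices 4 and 5 to already-decoded UserAssist records: it sorts and filters by Run Count, Last Run Time and Focus Time, lists entries whose last run falls inside an incident window, flags the remote access tools the article mentions, and keeps entries with no run count and no timestamp apart as unconfirmed executions (the "Open File Location" caveat). The records and the incident window are constructed sample data, and the watch-list is a starting point to extend per case.

```python
from datetime import datetime, timedelta, timezone

# Program names the article calls out as worth a second look; extend per case.
WATCHLIST = ("anydesk", "teamviewer")

def _paths(recs):
    return [r["path"] for r in recs]

def triage(records, window_start, window_end, top_n=3):
    """Prioritise decoded UserAssist records. Each record is a dict with keys
    path, method, run_count, focus_count, focus_time_ms, last_run (aware datetime or None)."""
    executed, unconfirmed = [], []
    for rec in records:
        # No run count and no timestamp: the entry exists but nothing shows it was launched
        # (the 'Open File Location' case), so it is reported separately, not as an execution.
        if rec["run_count"] > 0 and rec["last_run"] is not None:
            executed.append(rec)
        else:
            unconfirmed.append(rec)
    in_window = sorted((r for r in executed if window_start <= r["last_run"] <= window_end),
                       key=lambda r: r["last_run"])
    return {
        "in_window": _paths(in_window),
        "watchlist_hits": _paths(r for r in executed
                                 if any(w in r["path"].lower() for w in WATCHLIST)),
        "most_run": _paths(sorted(executed, key=lambda r: r["run_count"], reverse=True)[:top_n]),
        "most_focused": _paths(sorted(executed, key=lambda r: r["focus_time_ms"],
                                      reverse=True)[:top_n]),
        # Launched but never held focus: a lead, not a conclusion, since some
        # applications do not record focus time at all.
        "run_without_focus": _paths(r for r in executed if r["focus_time_ms"] == 0),
        "unconfirmed": _paths(unconfirmed),
    }

def _rec(path, method, runs, focus_count, focus_ms, last_run):
    return {"path": path, "method": method, "run_count": runs,
            "focus_count": focus_count, "focus_time_ms": focus_ms, "last_run": last_run}

# Constructed sample records (user name, paths and times are invented for the example).
T0 = datetime(2024, 3, 10, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    _rec(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE", "exe",
         42, 40, 5_400_000, T0 - timedelta(days=3)),
    _rec(r"C:\Users\alice\Downloads\AnyDesk.exe", "exe", 2, 2, 900_000, T0 + timedelta(hours=2)),
    _rec(r"C:\Windows\System32\mmc.exe", "exe", 1, 0, 0, T0 + timedelta(hours=3)),
    _rec(r"C:\Windows\System32\calc.exe", "exe", 0, 0, 0, None),
    _rec(r"Accessories\Notepad.lnk", "shortcut", 5, 5, 60_000, T0 - timedelta(days=30)),
]
WINDOW = (T0, T0 + timedelta(days=1))  # constructed incident window

if __name__ == "__main__":
    for view, paths in triage(SAMPLE_RECORDS, *WINDOW).items():
        print(f"{view}:")
        for p in paths:
            print("   ", p)
```

Every view is a lead to be cross-referenced with Prefetch, BAM/DAM, AmCache or Event Logs before it is treated as a finding; in particular the run_without_focus and unconfirmed lists exist precisely because UserAssist alone cannot settle whether a program was really used.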
------------------------------------------------------------------------------------------------------------
Final Thoughts: A Powerful Yet Tricky Forensic Artifact
UserAssist is one of the most detailed forensic artifacts for tracking GUI-based application execution, providing valuable insights into what programs were used, how often, and for how long.
While decoding and interpreting the data requires effort, UserAssist remains an essential artifact in investigations related to:
✅ User activity tracking
✅ Insider threats
✅ Malware analysis
✅ Digital forensic audits
🚀 Key Takeaway: Use UserAssist as an indicator of activity, but always verify findings with other execution artifacts for a complete forensic picture! 🔍
------------------------------------Dean---------------------------------------------------------