UserAssist

1. What Is UserAssist

  • Definition: The UserAssist registry key is a Windows artifact that tracks the GUI-based applications a user has launched via Explorer, Start Menu, desktop shortcuts, “Run” dialog, etc.

  • It records per-user data, so each user’s NTUSER.DAT hive will have its own UserAssist entries.

  • The data stored is obfuscated: the value names are ROT13-encoded.


2. Where to Find UserAssist in the Registry

  • Path: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

  • Important GUIDs:

    • CEBFF5CD-ACE2-4F4F-9178-9926F41749EA: tracks .exe execution via GUI.

    • F4E57C4B-2036-45F0-A9AB-443BCFE33D9F: tracks execution via shortcuts (.lnk).


3. What Data UserAssist Contains (Forensic-Relevant Fields)

UserAssist entries provide several pieces of metadata:

  • Application (decoded name): The executable or shortcut name / path (decoded from ROT13).

  • Run Count: How many times the application was launched via GUI.

  • Last Execution Timestamp: Stored as a Windows FILETIME; indicates the last time the app was run (or at least “used”).

  • Focus Time: How long the application window was in focus (milliseconds).

  • Focus Count: Number of times the application became the active (foreground) window.


4. Forensic Value & Use Cases

  • User Behavior & Application Usage: Helps reconstruct which GUI applications a user frequently used, and how often.

  • Timeline Reconstruction: The last run timestamp plus run count can be used to build a usage timeline.

  • Suspicious or Malicious Application Activity: If malware or remote-access tools were launched via GUI, UserAssist may capture them.

  • User Attribution: Since entries are stored per user, you can attribute application usage to a specific user account.


5. Limitations & Caveats

  • Only Tracks GUI Executions: Does not reliably track command-line applications, background services, or scheduled tasks.

  • ROT13 Encoding: Entry names are encoded, so you need to decode them to interpret properly.

  • Potential False Positives: Opening the file location of a shortcut (right click → “Open file location”) can create a UserAssist entry without the application actually running.

  • Manipulation Risk: An attacker or user might clear or tamper with these registry keys.

  • Limited GUIDs: Only certain GUIDs are tracked, so not all methods of launching apps will be recorded.


6. Tools & Methods for Analysis

  • RegRipper: Has a userassist plugin to extract and decode UserAssist entries.

  • Volatility3: Use the windows.registry.userassist plugin to extract UserAssist from memory dumps.

  • Manual via Registry Explorer: Load NTUSER.DAT with a registry viewer, navigate to the UserAssist key, decode names manually.


7. Investigation Workflow (Forensics / Incident Response)

  1. Collection

    • Extract the user’s NTUSER.DAT hive from disk or memory.

    • If doing memory forensics, dump memory and run Volatility’s UserAssist plugin.

  2. Parsing

    • Run RegRipper (or another parser) to decode ROT13 and pull out run count, last run, focus data.

    • Export parsed entries to CSV / JSON for analysis.

  3. Analysis

    • Identify the most frequently used applications via “run count.”

    • Look at last execution times to correlate with incident timeline.

    • Examine focus time / focus count: non-zero focus time is a good indicator the app was actually used, not just clicked.

    • Watch for suspicious paths (e.g., apps run from user temp folders or non-standard locations).

  4. Correlation

    • Correlate UserAssist findings with other forensic artifacts: Prefetch, AmCache, Shimcache, Event Logs.

    • Use GUID analysis: compare entries under the .exe GUID vs the .lnk GUID to understand how the user launched the app.

  5. Reporting

    • Document key entries: application path, run count, last run, focus time / count.

    • Build a narrative of user activity: which apps were used, when, and how often.

    • Highlight unusual or potentially malicious usage (e.g., unknown executables, high run count in short period).
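An added example, not code from the original page or from any of the tools listed above: a small Python parser that performs the Parsing step (ROT13 name decoding, run count, focus count, focus time, last run FILETIME) and applies the focus-time check from the Analysis step. It assumes the 72-byte Windows 7 and later record layout described in the comments; the value name and counters are constructed sample data, not from a real hive.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Assumed layout of a Windows 7+ UserAssist "Count" value (72 bytes, little-endian):
#   0  uint32 session id
#   4  uint32 run count
#   8  uint32 focus count
#  12  uint32 focus time in milliseconds
#  16  10 x float32 (undocumented)        56  uint32 (undocumented)
#  60  uint64 last-execution FILETIME     68  uint32 (undocumented)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; zero means never set."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_userassist(value_name, data):
    """Decode one UserAssist entry: ROT13 value name plus the binary counters."""
    if len(data) < 72:
        raise ValueError("expected a 72-byte Windows 7+ UserAssist record")
    run_count, focus_count, focus_ms = struct.unpack_from("<III", data, 4)
    (filetime,) = struct.unpack_from("<Q", data, 60)
    return {
        "name": codecs.decode(value_name, "rot13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        "last_run": filetime_to_datetime(filetime),
        # zero focus time with a non-zero run count is the "clicked but not
        # actually used" pattern noted under the false-positive caveat
        "likely_used": focus_ms > 0,
    }

def build_record(session, run_count, focus_count, focus_ms, last_run):
    """Assemble a 72-byte record; used here only to construct sample data."""
    ticks = ((last_run - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    return (struct.pack("<IIII", session, run_count, focus_count, focus_ms)
            + bytes(44) + struct.pack("<Q", ticks) + bytes(4))

# Constructed sample: value name as stored in the hive (ROT13 of a Temp path)
SAMPLE_NAME = r"P:\Hfref\nyvpr\NccQngn\Ybpny\Grzc\hcqngr.rkr"
SAMPLE_DATA = build_record(0, 7, 3, 45000,
                           datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    for field, value in parse_userassist(SAMPLE_NAME, SAMPLE_DATA).items():
        print(f"{field:14} {value}")
```

Feed the function raw value bytes read from NTUSER.DAT with any hive library to get the same dictionary per entry.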
