UserAssist
1. Introduction
UserAssist artifacts are Windows registry entries that record programs and items the user launched through the graphical interface (Explorer, the Start Menu, desktop shortcuts). Windows stores the value names ROT13-encoded; the value data is binary and holds the run count and the last execution time.
UserAssist reveals:
Which programs were opened
How many times they were executed (count)
The last time the execution occurred (timestamp)
Full paths of executables
Items executed via Explorer, Start Menu, Control Panel, etc.
Storage Location
Inside NTUSER.DAT:
NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
Each GUID represents a different monitoring category and varies by Windows version. On Windows 7 and later, {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} holds executable launches and {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} holds shortcut (.lnk) launches.
Value names under Count are stored in ROT13 and must be decoded; the value data is a binary record containing the run count and the last-execution FILETIME.
2. Tools
RegRipper (userassist plugin)
Command-line tool that extracts:
Program name (decoded)
Path
Execution count
Last execution timestamp
Useful for fast automation and reporting.
Registry Explorer (Eric Zimmerman)
GUI tool for advanced registry analysis:
Automatically decodes ROT13
Displays complete metadata
Allows navigating the NTUSER.DAT tree
Shows timestamps with FILETIME precision
3. Practical Example: How to Analyze UserAssist
Obtain the NTUSER.DAT hive
Extract it from the user's profile (C:\Users\<username>\NTUSER.DAT). The hive is locked while that user is logged on, so copy it from a forensic image, a volume shadow copy, or with a raw-disk copy tool rather than from the live file system.
Method 1: UserAssist using RegRipper
Command:
Typical output fields:
Executable name (decoded)
Full program path
LastExecutionTime
Execution Count
Interpretation:
A high run count for an administrative or dual-use tool (cmd.exe, PowerShell, remote-administration or archiving utilities) that the user has no business reason to launch is worth a closer look.
Compare the last-execution time with the incident window. Only the most recent run is kept, so an entry proves the program ran at least that many times and at least once at that time; earlier run times are not preserved.
UserAssist records only items launched through the GUI. Programs started from a command prompt, a script, a scheduled task or a service do not appear here, so the absence of an entry is not evidence that a program never ran.
Example:
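The following Python script is an added example, not part of the original page or of RegRipper: it decodes ROT13 value names, parses the binary Count records described under Storage Location, and applies the Method 1 interpretation (run count plus last-execution time against an incident window). The three sample values, the incident start time, and the known-folder mapping (only the System32 GUID is mapped) are constructed assumptions; real hives contain more known-folder GUIDs. The parser also handles the older 16-byte Windows XP record layout, which the page does not cover.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)

# Windows 7+ Count values are 72 bytes, little-endian:
#   0x00 session id, 0x04 run count, 0x08 focus count, 0x0C focus time (ms),
#   0x3C last-execution FILETIME. Windows XP used a 16-byte record:
#   0x00 session id, 0x04 run count (stored with an offset of 5), 0x08 FILETIME.
WIN7_RECORD_LEN = 72
XP_RECORD_LEN = 16

# Known-folder GUIDs appear inside decoded names on Windows 7+. Assumption:
# only the System32 GUID is mapped here; real hives contain several more.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32",
}


def filetime_to_datetime(ft):
    """FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime, or None if zero."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer math so no precision is lost."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(value_name):
    """ROT13-decode a UserAssist value name and expand mapped known-folder GUIDs."""
    name = codecs.decode(value_name, "rot_13")
    for guid, path in KNOWN_FOLDERS.items():
        name = name.replace(guid, path)
    return name


def parse_count_value(data):
    """Return (run_count, last_run) from the binary data of one Count value."""
    if len(data) == WIN7_RECORD_LEN:
        run_count = struct.unpack_from("<I", data, 0x04)[0]
        ft = struct.unpack_from("<Q", data, 0x3C)[0]
    elif len(data) == XP_RECORD_LEN:
        stored = struct.unpack_from("<I", data, 0x04)[0]
        run_count = stored - 5 if stored >= 5 else stored
        ft = struct.unpack_from("<Q", data, 0x08)[0]
    else:
        raise ValueError(f"unexpected UserAssist record length: {len(data)}")
    return run_count, filetime_to_datetime(ft)


def build_win7_record(run_count, last_run):
    """Constructed test data: a Win7-style record with only the parsed fields populated."""
    rec = bytearray(WIN7_RECORD_LEN)
    struct.pack_into("<I", rec, 0x04, run_count)
    struct.pack_into("<Q", rec, 0x3C, datetime_to_filetime(last_run))
    return bytes(rec)


def build_xp_record(run_count, last_run):
    """Constructed test data: an XP-style record, storing the count with its +5 offset."""
    return struct.pack("<IIQ", 0, run_count + 5, datetime_to_filetime(last_run))


def triage(values, incident_start):
    """Decode every {rot13_name: data} pair, newest last run first, flagging runs in the window."""
    rows = []
    for raw_name, data in values.items():
        count, last_run = parse_count_value(data)
        rows.append({
            "name": decode_name(raw_name),
            "count": count,
            "last_run": last_run,
            "in_window": last_run is not None and last_run >= incident_start,
        })
    rows.sort(key=lambda r: r["last_run"] or FILETIME_EPOCH, reverse=True)
    return rows


# Constructed sample: three Count values as they would look in a Win7+ hive
# (ROT13 names, including an encoded known-folder GUID), not data from a real system.
SAMPLE_VALUES = {
    r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr":
        build_win7_record(47, datetime(2024, 3, 15, 10, 30, tzinfo=UTC)),
    r"P:\Hfref\nanylfg\Qbjaybnqf\gbby.rkr":
        build_win7_record(1, datetime(2024, 3, 14, 22, 5, tzinfo=UTC)),
    "Zvpebfbsg.Jvaqbjf.Rkcybere":
        build_win7_record(12, datetime(2024, 1, 2, 8, 0, tzinfo=UTC)),
}
INCIDENT_START = datetime(2024, 3, 14, tzinfo=UTC)  # assumed start of the incident window

if __name__ == "__main__":
    for row in triage(SAMPLE_VALUES, INCIDENT_START):
        ts = row["last_run"].isoformat() if row["last_run"] else "never"
        flag = "<-- in incident window" if row["in_window"] else ""
        print(f"{ts}  count={row['count']:>3}  {row['name']} {flag}")
```

The script works on the raw value name and data, so it can be fed from any registry library that exposes the Count values; the sort puts the most recent launches first, and the in-window flag is the check described under Interpretation. A single-count entry with a recent timestamp (the downloaded tool.exe in the sample) stands out as much as a high-count one.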
Method 2: UserAssist using Registry Explorer
Open Registry Explorer
File > Load hive > select NTUSER.DAT
Navigate to Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Click on the GUID, then open Count
You will see:
A decoded list of programs, shortcuts, or items
Fields such as:
Path
Count
Last Execution Time
Item type (exe, lnk, control panel item, shell item, etc.)
Practical Example:
If you see:
A cmd.exe entry with a high count and a recent last-execution time indicates that the command prompt was launched repeatedly from the GUI (Start Menu or a shortcut), which may suggest:
Advanced manual activity
Repeated command execution
Script or batch file usage
UserAssist does not record the commands typed inside that prompt; correlate the entry with other execution artifacts to see what was run.