<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Checkmate &#187; Disk Forensics</title>
	<atom:link href="http://niiconsulting.com/checkmate/category/disk-forensics/feed/" rel="self" type="application/rss+xml" />
	<link>http://niiconsulting.com/checkmate</link>
	<description>An Information Security Blog by NII Consulting</description>
	<lastBuildDate>Fri, 02 Dec 2011 08:26:35 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.3.1</generator>
		<item>
		<title>Dump password of application pool user from IIS &gt;= 6.0</title>
		<link>http://niiconsulting.com/checkmate/2010/11/19/dump-password-of-application-pool-user-from-iis-6-0/</link>
		<comments>http://niiconsulting.com/checkmate/2010/11/19/dump-password-of-application-pool-user-from-iis-6-0/#comments</comments>
		<pubDate>Fri, 19 Nov 2010 13:07:15 +0000</pubDate>
		<dc:creator>Dhiraj Ranka</dc:creator>
				<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[application pool]]></category>
		<category><![CDATA[dump password]]></category>
		<category><![CDATA[least privilege]]></category>
		<category><![CDATA[sharepoint]]></category>

		<guid isPermaLink="false">http://niiconsulting.com/checkmate/?p=292</guid>
		<description><![CDATA[IIS application pools separate sets of IIS worker processes that share the same configuration and application boundaries. They are used to isolate web applications from each other for better security, reliability, availability and performance, so that each keeps running without impacting the others. The worker process serves as the process boundary that separates [...]]]></description>
			<content:encoded><![CDATA[<p>IIS application pools separate sets of IIS worker processes that share the same configuration and application boundaries. They are used to <strong>isolate</strong> web applications from each other for better security, reliability, availability and performance, so that each keeps running without impacting the others. The worker process (w3wp.exe) serves as the process boundary that separates application pools, so that when one worker process or application has a problem or recycles, other applications and worker processes are not affected.<br />
One application pool can have multiple worker processes (a &#8220;web garden&#8221;). (Ref: <a href="http://technet.microsoft.com/en-us/library/cc735247%28WS.10%29.aspx">http://technet.microsoft.com/en-us/library/cc735247%28WS.10%29.aspx</a>)</p>
<p><strong>Main points to remember: </strong><br />
1. Isolation of different web applications<br />
2. Individual worker process(es) for each web application<br />
3. More reliable web applications<br />
4. Better performance</p>
<p>While managing or testing multiple web applications we may create many application pools in IIS, so there is always the possibility of forgetting the password of the account that was configured as the identity of some application pool. As a local administrator you can retrieve those credentials with the <strong>APPCMD</strong> utility (appcmd.exe, the command-line management tool that ships with IIS 7.0 and later).</p>
<p><span id="more-292"></span></p>
<p><span style="color: #a6a6a6; font-size: 18pt;">Let&#8217;s Start</span><strong><br />
</strong><br />
<strong> 1. </strong>Let us assume that we have forgotten the password of the account used as the identity of the application pool named &#8220;<strong>Demo User</strong>&#8221;.</p>
<div id="attachment_299" class="wp-caption alignnone" style="width: 310px"><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/AppPool.jpg"><img class="size-medium wp-image-299" src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/AppPool-300x227.jpg" alt="" width="300" height="227" /></a><p class="wp-caption-text">Application Pool</p></div>
<p><strong>2.</strong> Open the command prompt by browsing Start menu -&gt; Accessories -&gt; Command Prompt. Right click on Command prompt and select &#8220;<strong>Run as Administrator</strong>&#8221; option from the context menu.</p>
<p><em>Tip: You can also select CMD and press <strong>CTRL + Shift + Enter </strong>to Start Command Prompt as Administrator or with Machine Administrator rights </em><strong> </strong></p>
<p><strong>3.</strong> Change to the directory &#8220;<strong>%systemroot%\system32\inetsrv</strong>&#8221; in the command prompt and run <strong>APPCMD list apppool &#8220;Demo User&#8221; /text:*</strong></p>
<p>(The directory will most likely be<strong> C:\Windows\System32\inetsrv</strong>)</p>
<p>Replace <strong>&#8220;Demo User&#8221; </strong>with the name of the application pool whose password you want to retrieve. The <strong>/text:*</strong> switch makes APPCMD print every configuration attribute of the object, not just the summary that the plain list command shows.</p>
<div id="attachment_300" class="wp-caption alignnone" style="width: 310px"><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/Command.jpg"><img class="size-medium wp-image-300" src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/Command-300x32.jpg" alt="" width="300" height="32" /></a><p class="wp-caption-text">Command</p></div>
<p><strong>4.</strong> Under the <strong>[processModel]</strong> section you will see the <strong>userName</strong> and <strong>password</strong> attributes, with the password in <strong>clear text</strong>. In applicationHost.config the password is stored encrypted by the IIS configuration encryption provider, but APPCMD decrypts it for any caller with administrative rights on the server, so the encryption only stops readers who lack those rights.</p>
<div id="attachment_301" class="wp-caption alignnone" style="width: 242px"><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/Output.jpg"><img class="size-medium wp-image-301" src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/Output-232x300.jpg" alt="" width="232" height="300" /></a><p class="wp-caption-text">Output showing credentials</p></div>
<p><span style="color: #a6a6a6; font-size: 18pt;">Remediation &amp; POC<br />
</span><br />
The remediation is simple: run application pools under a built-in identity that has no stored password, such as <strong>Network Service</strong>, <strong>Local Service</strong> or the per-pool <strong>ApplicationPoolIdentity</strong> virtual account (available from IIS 7.0 SP2 and the default in IIS 7.5). Then even someone with administrative access to the system who repeats the steps above gets no password back, because none is stored. Where the pool really needs a domain identity, prefer a managed service account over a user account with a saved password.</p>
<p><strong>1.</strong> Application pool &#8220;<strong>Dos</strong>&#8221; with Network Service account</p>
<div id="attachment_312" class="wp-caption alignnone" style="width: 310px"><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/AppPoolNS.jpg"><img class="size-medium wp-image-312" title="AppPoolNS" src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/AppPoolNS-300x227.jpg" alt="" width="300" height="227" /></a><p class="wp-caption-text">Application Pool for Network Service</p></div>
<p><strong>2.</strong> Running the same command as earlier in this post, i.e. <strong>APPCMD list apppool &#8220;Dos&#8221; /text:*</strong></p>
<div id="attachment_313" class="wp-caption alignnone" style="width: 310px"><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/CommandNS.jpg"><img class="size-medium wp-image-313" title="CommandNS" src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/CommandNS-300x34.jpg" alt="" width="300" height="34" /></a><p class="wp-caption-text">Command</p></div>
<p><strong>3.</strong> Checking the output</p>
<div id="attachment_314" class="wp-caption alignnone" style="width: 235px"><a href="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/OutputNS.jpg"><img class="size-medium wp-image-314" title="OutputNS" src="http://niiconsulting.com/checkmate/wp-content/uploads/2010/11/OutputNS-225x300.jpg" alt="" width="225" height="300" /></a><p class="wp-caption-text">Output for Network Service</p></div>
<p><span style="color: #a6a6a6; font-size: 18pt;">Note<br />
</span></p>
<p>The above technique, which we have tested against IIS 6.0, also works with IIS 7.0 and IIS 7.5. Note that APPCMD.exe is the management tool introduced with IIS 7.0; on an IIS 6.0 server the application pool identity lives in the metabase (the WAMUserName and WAMUserPass properties under W3SVC/AppPools) and an administrator can read it with the adsutil.vbs script, so the exposure is the same: the credential is recoverable by anyone with local administrative rights.</p>
<p>I guess this highlights why <strong>least-privilege</strong> is so important when assigning privileges to application services on servers. In a scenario where the server is compromised, every stored application pool credential is in the attacker&#8217;s hands, and a privileged account (for example a domain administrator used to run a SharePoint farm) turns a single-server compromise into a domain compromise. Final word for IIS administrators: always use a least-privilege user account for SharePoint or any other web application installation or deployment, which simply means that the application pool account should not have more permissions than it needs.</p>
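<p>As an added example (this is not the post&#8217;s own code), here is a small Python audit that turns the check above into something you can run across every pool at once: it parses the XML form of <strong>appcmd list apppool /xml /config</strong> and flags the pools whose identity is a specific user account, i.e. exactly the ones whose password an administrator can dump as shown. SAMPLE_XML is a constructed stand-in for appcmd&#8217;s output, and the attribute names it carries (identityType, userName, password) are assumed from the [processModel] section shown above rather than verified on every IIS release; on a non-Windows host the script simply runs over the sample.</p>

```python
"""Audit which IIS application pools run under an account with a stored password.

Added example, not code from the original post. The XML shape below is assumed
from `appcmd list apppool /xml /config`; SAMPLE_XML is constructed.
"""
import os
import subprocess
import xml.etree.ElementTree as ET

# Identities with no password stored in applicationHost.config.
BUILTIN_IDENTITIES = {"ApplicationPoolIdentity", "NetworkService", "LocalService", "LocalSystem"}

SAMPLE_XML = """<appcmd>
  <APPPOOL APPPOOL.NAME="Dos" PipelineMode="Integrated" RuntimeVersion="v2.0" state="Started">
    <add name="Dos"><processModel identityType="NetworkService" /></add>
  </APPPOOL>
  <APPPOOL APPPOOL.NAME="Demo User" PipelineMode="Integrated" RuntimeVersion="v2.0" state="Started">
    <add name="Demo User">
      <processModel identityType="SpecificUser" userName="CORP\\svc_demo" password="Winter2010!" />
    </add>
  </APPPOOL>
  <APPPOOL APPPOOL.NAME="DefaultAppPool" PipelineMode="Integrated" RuntimeVersion="v2.0" state="Started">
    <add name="DefaultAppPool" />
  </APPPOOL>
</appcmd>
"""


def parse_apppools(xml_text):
    """Return one dict per APPPOOL element with its identity settings."""
    pools = []
    for pool in ET.fromstring(xml_text).iter("APPPOOL"):
        pm = pool.find("./add/processModel")
        identity = pm.get("identityType") if pm is not None else None
        pools.append({
            "name": pool.get("APPPOOL.NAME"),
            # An absent identityType means the server default (NetworkService on
            # IIS 7.0, ApplicationPoolIdentity on IIS 7.5 and later).
            "identityType": identity or "(server default)",
            "userName": pm.get("userName", "") if pm is not None else "",
            "passwordStored": bool(pm is not None and pm.get("password")),
        })
    return pools


def risky_pools(pools):
    """Pools whose credential an administrator can dump with `appcmd ... /text:*`."""
    return [p for p in pools if p["identityType"] == "SpecificUser" or p["passwordStored"]]


def live_apppool_xml():
    """Run appcmd on this server (needs an elevated prompt, Windows only)."""
    appcmd = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                          "System32", "inetsrv", "appcmd.exe")
    return subprocess.run([appcmd, "list", "apppool", "/xml", "/config"],
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    xml_text = live_apppool_xml() if os.name == "nt" else SAMPLE_XML
    for p in risky_pools(parse_apppools(xml_text)):
        print(f"{p['name']}: runs as {p['userName'] or '?'} with a stored password; "
              f"move it to ApplicationPoolIdentity or a built-in service identity")
```

<p>Pools reported here are the ones the remediation below applies to; the built-in identities in BUILTIN_IDENTITIES never produce a finding because there is no secret to store.</p>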
<p>&#8211;</p>
<p>Dhiraj</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2010/11/19/dump-password-of-application-pool-user-from-iis-6-0/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Data Carving Issues</title>
		<link>http://niiconsulting.com/checkmate/2006/12/07/data-carving-issues/</link>
		<comments>http://niiconsulting.com/checkmate/2006/12/07/data-carving-issues/#comments</comments>
		<pubDate>Thu, 07 Dec 2006 16:15:46 +0000</pubDate>
		<dc:creator>Chetan Gupta</dc:creator>
				<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/12/data-carving-issues/</guid>
		<description><![CDATA[by Chetan Gupta, NII Consulting Many times as an investigator I have to deal with the issue of carving data from unallocated space in a partition. There are many commercial data carving tools such as Encase, Winhex, Accessdata FTK, DataLifter and ILookInvestigator. Well, I have tried most of these and must say most of them [...]]]></description>
			<content:encoded><![CDATA[<p>by <strong>Chetan Gupta, <a href="http://www.niiconsulting.com//">NII Consulting</a></strong></p>
<p>Many times as an investigator I have to deal with the issue of carving data from<br />
unallocated space in a partition. There are many commercial data carving tools such as Encase, Winhex, Accessdata FTK, DataLifter and ILookInvestigator. Well, I have tried most of these and must say most of them have their share of pros and cons.<span id="more-38"></span> Encase has the widest range of file types supported and also lets you add more file types (you need to know the header and footer, of course). But if the files on the volume are heavily fragmented, carving becomes much less effective, because a carver assumes that a file&#8217;s header, body and footer are contiguous on disk.<br />
There are three main issues with data carving:</p>
<p>1. Most tools will find the header, but the footer may not lie in the same or a following cluster (the file is fragmented, or the format has no fixed footer at all). The tool then carves up to the maximum file size configured for that type, so the carved file may contain unrelated data at the end, or may be incomplete, and therefore will not open.</p>
<p>2. The names (and timestamps) of carved files cannot be recovered, because carving works on raw clusters and never consults the file system metadata: the Master File Table on NTFS, or the inode tables and directory entries on ext2/ext3.<br />
3. Carving is signature-based guesswork, so results include many false hits, and data carving may not be as reliable as required. Footer analysis, validating the internal structure of each candidate, and discarding signatures that overlap a file already carved help reduce this problem.</p>
<p>Depending upon the situation, the investigator can choose his tool for carving. However, he must understand the capabilities of the tool and the file signatures supported by it. In my experience, Encase V5 has the most extensive signature database for carving among all tools. Foremost, Scalpel and Winhex allow you to add custom signatures to the tool, which is extremely useful. Sadly, FTK v1.50 doesn&#8217;t support adding additional signatures. Not sure if they have added this capability in the coming versions.</p>
<p>Running foremost is pretty easy under Linux:</p>
<p># foremost -T -t all -o Output_directory -i input_file<br />
-T &#8212; Put a unique timestamp in the output directory name<br />
-t &#8212; File types to be carved (<strong>all</strong> carves every built-in type)<br />
-o &#8212; Output directory; -i &#8212; Input file (a raw image or a block device)<br />
The supported file types and their header/footer signatures can be tweaked by using the -c option and specifying a configuration file. The audit.txt written to the output directory lists every carved file together with its offset in the image, which is what you need when you later want to map a carved file back to a location on disk.</p>
<p>The syntax of Scalpel is almost the same as that of foremost with minor changes (its signatures live in scalpel.conf, where every type is commented out by default and must be enabled before a run). However, it makes two passes over the unallocated data: a first pass in which it identifies the files and a second pass in which it actually carves them out. My experience with Scalpel hasn&#8217;t been great, as with large files it would stop midway in the second phase throwing up some error.</p>
<p>Two interesting tools of note are <em>filesig </em>and <em>headergrab</em> which are both available <a target="_blank" href="http://www.filesig.co.uk">here</a>.<br />
From the horse&#8217;s mouth:<br />
Filesig Manager is a file signature and keyword management tool, acting as an examiner&#8217;s central repository of File Identification information.<br />
The information within can be readily exported to the majority of mainstream forensic examination tools. Some of the features to date include:</p>
<p>* Export to Datalifter (Standard and Adv Signatures).<br />
* Export to DiskCat.<br />
* Export to File Extractor Pro.<br />
* Export to Encase version 3 and 4.<br />
* Export to iLook.<br />
* Export to ProDiscover.<br />
* Export to Simple Carver.<br />
* Export to WinHex Forensic.</p>
<p>Header Grab:<br />
Header Grab is a research tool, which allows the user to quickly extract the first eight bytes and last four bytes from every file within the specified folder.<br />
This is interesting because, by collecting the first and last bytes of multiple files of the same type, we can identify the actual header and footer of that file type, which is very useful in creating your own signature database!</p>
<p>They are available for free download at http://www.filesig.co.uk</p>
<p>For efficient data carving, the tools need built-in intelligence to identify the boundaries of a file. If the file is fragmented, the tool needs a mechanism to find the remaining fragments, either by trial and error (testing every remaining cluster as the continuation of the file, which can be extremely time-consuming) or by informed guessing (for example, checking the next 10 clusters first and looking for structure specific to the file type, such as the segment headers inside a Word document), and then validating the resulting file.</p>
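<p>The following Python carver is an added example, not code from the post or from any of the tools named in it. It implements the plain header/footer method over a constructed byte buffer and shows how the three issues above play out in practice: a header with no footer within the type&#8217;s maximum size is carved to that maximum and flagged as truncated; carved files get synthetic names because no MFT or inode table is consulted; and false hits are reduced by validating a candidate (here, the CRC of a PNG&#8217;s IHDR chunk and the marker byte after a JPEG SOI) and by skipping signatures that fall inside a file already carved. The signatures, size limits and sample files are all constructed for the example.</p>

```python
"""Header/footer file carver for unallocated space (added example, not from the post)."""
import struct
import zlib

# Per-type signatures: (header, footer, max_size). The sizes are deliberately tiny
# so the constructed sample below exercises the "no footer" path; a real config
# (foremost.conf / scalpel.conf) uses megabytes.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9", 4096),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82", 4096),
    "gif": (b"GIF8", b"\x00\x3b", 4096),
}


def _jpg_plausible(blob):
    """The byte after SOI+0xFF must be a marker type; anything else is a false hit."""
    return len(blob) > 3 and 0xC0 <= blob[3] <= 0xFE


def _png_valid(blob):
    """IHDR must be the first chunk and its CRC must match (weeds out false hits)."""
    if len(blob) < 33:
        return False
    length = struct.unpack_from(">I", blob, 8)[0]
    if blob[12:16] != b"IHDR" or length != 13 or len(blob) < 20 + length:
        return False
    stored = struct.unpack_from(">I", blob, 16 + length)[0]
    return stored == zlib.crc32(blob[12:16 + length]) & 0xFFFFFFFF


VALIDATORS = {"jpg": _jpg_plausible, "png": _png_valid}


def carve(image, signatures=SIGNATURES):
    """Carve files out of a raw buffer; each result carries a synthetic name (its offset),
    the bytes, and a 'truncated' flag for files whose footer was never found."""
    hits = []
    for ftype, (header, _footer, _max) in signatures.items():
        pos = image.find(header)
        while pos != -1:
            hits.append((pos, ftype))
            pos = image.find(header, pos + 1)
    hits.sort()

    carved = []
    covered_until = 0  # end of the last complete, validated file
    for pos, ftype in hits:
        if pos < covered_until:
            continue  # signature inside a file already carved: overlapping hit
        header, footer, max_size = signatures[ftype]
        window = image[pos:pos + max_size]
        data, truncated = window, True
        if footer is not None:
            end = window.find(footer, len(header))
            if end != -1:
                data, truncated = window[:end + len(footer)], False
        validator = VALIDATORS.get(ftype)
        if validator is not None and not validator(data):
            continue  # false hit
        carved.append({"name": f"{pos:08x}.{ftype}", "type": ftype,
                       "offset": pos, "data": data, "truncated": truncated})
        if not truncated:
            covered_until = pos + len(data)
    return carved


# --- constructed sample "unallocated space" --------------------------------
def _png_1x1():
    """A real, minimal 1x1 greyscale PNG built with correct chunk CRCs."""
    def chunk(ctype, payload):
        crc = zlib.crc32(ctype + payload) & 0xFFFFFFFF
        return struct.pack(">I", len(payload)) + ctype + payload + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # 1x1, 8-bit greyscale
    idat = zlib.compress(b"\x00\x00")                    # filter byte + one pixel
    return b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


FILLER = b"<unallocated cluster data>" * 20
GOOD_JPG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x11" * 100 + b"\xff\xd9"
GOOD_PNG = _png_1x1()
BAD_PNG = GOOD_PNG[:29] + bytes.fromhex("deadbeef") + GOOD_PNG[33:]  # IHDR CRC corrupted
FRAGMENTED_JPG = b"\xff\xd8\xff\xe1\x00\x10Exif\x00" + b"\x22" * 100   # footer is in another fragment
SAMPLE_IMAGE = (FILLER + GOOD_JPG + FILLER + GOOD_PNG + FILLER + BAD_PNG
                + FILLER + FRAGMENTED_JPG + FILLER)

if __name__ == "__main__":
    for f in carve(SAMPLE_IMAGE):
        print(f"{f['name']:14} {len(f['data']):5d} bytes  truncated={f['truncated']}")
```

<p>Run against a real image by passing the bytes of the unallocated-space extract (for example the output of blkls from Sleuthkit) instead of SAMPLE_IMAGE; the truncated flag is what tells you which carved files deserve a manual look for their missing fragments.</p>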
<p>A significant step towards solving these issues was taken by Digital Forensic Research Workshop (DFRWS) when they organized a data carving challenge available <a target="_blank" href="http://www.dfrws.org/2006/challenge/">here</a>. The challenge threw up some interesting results and some new tools by various researchers.</p>
<p>Happy data carving!</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/12/07/data-carving-issues/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Bad Superblock, corrupt inode tables and loads of bad luck!</title>
		<link>http://niiconsulting.com/checkmate/2006/12/07/bad-superblock-corrupt-inode-tables-and-loads-of-bad-luck/</link>
		<comments>http://niiconsulting.com/checkmate/2006/12/07/bad-superblock-corrupt-inode-tables-and-loads-of-bad-luck/#comments</comments>
		<pubDate>Thu, 07 Dec 2006 15:58:06 +0000</pubDate>
		<dc:creator>Chetan Gupta</dc:creator>
				<category><![CDATA[Case Studies]]></category>
		<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/12/bad-superblock-corrupt-inode-tables-and-loads-of-bad-luck/</guid>
		<description><![CDATA[by Chetan Gupta, NII Consulting Well, last week was abuzz with activity when we had to recover data from a corrupt Linux hard disk. Thought it would be pretty easy but as soon as I loaded the hard disk, I knew something was amiss. I was in for a shock as the disk had severe [...]]]></description>
			<content:encoded><![CDATA[<p>by <strong>Chetan Gupta, <a href="http://www.niiconsulting.com//">NII Consulting</a></strong></p>
<p>Well, last week was abuzz with activity when we had to recover data from a corrupt Linux hard disk. Thought it would be pretty easy but as soon as I loaded the hard disk, I knew something was amiss.<span id="more-37"></span> I was in for a shock as the disk had severe damage in the beginning sectors. Still, Encase was able to load the disk but could not show the file structure! At least it was showing the three partitions!<br />
What do we do?<br />
Well, the first step was to image the hard disk so that if I did mess up the hard disk, I could restore it to what was there originally. So, I loaded FTK Imager and used it to image the hard disk into split raw files (since raw files are easier to use with Sleuthkit and other open source tools).<br />
I had in my mind that Encase would allow me to load raw files and analyze them, so I thought I was on safe ground! Well, the raw files filled up most of my forensic disk since they amounted to about 120 GB of space! Anyway, the idea was to run disk repairing tools on the conked hard disk and side-by-side run data recovery tools on the image. Well, not all plans execute to perfection&#8230; this one sure didn&#8217;t! As soon as I loaded the split raw image into Encase, it crashed! Sure, it has problems with large split files. Then I said to myself, &#8220;No problem, there&#8217;s Sleuthkit for me&#8221;. What was not expected was that Sleuthkit did not recognise the file system on the three partitions.</p>
<p>A simple strings on the first split image showed up interesting results &#8211; most of the files were quite intact although their beginning and end hardly recognizable from the big junk of words&#8230;and I saw the last fsck log which clearly stated that both primary and secondary superblocks were corrupt! WoW!</p>
<p>Anyway, I tried rebuilding the superblock and inode table but to no avail. However, after the repair operation I could run fsstat on the third partition, but again it showed 99% of the inodes to be free! I tried using fsck with one of the secondary superblocks but it did not help. I guess the secondary superblock structures had got corrupted too!<br />
Then I said to myself, &#8220;Maybe data carving is the best option in this situation&#8221;. I concatenated the split files and created a huge raw file to feed my open source data carving monsters (read foremost and scalpel)! Foremost did carve out some data but largely false hits, and scalpel never got going. It would stop midway during the all-important second pass! The next step was to use all available file carving tools (from Winhex to Encase to FTK) and collate the valid files obtained from them. It was tedious but nevertheless I could recover a lot of files (read gif, bmp, jpeg, html and mail files).</p>
<p>Data carving can be quite frustrating if the filesystem is heavily fragmented. I will discuss data carving in some more detail in my forthcoming article.</p>
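<p>The following Python scanner is an added example and not something from the post. When the primary superblock at byte 1024 of an ext2/ext3 partition is gone, the backup copies at the start of the block groups that hold one (groups 0 and 1 and the powers of 3, 5 and 7 when the sparse_super feature is set) still carry the geometry, and the block number of a good copy is what <strong>e2fsck -b</strong> wants. The scanner walks a raw image in 1024-byte steps, looks for the 0xEF53 magic at offset 0x38 and applies sanity checks so that a stray magic value inside file data is not mistaken for a superblock; the field offsets are those of the ext2 on-disk superblock. The image it runs on is constructed in the code, with the primary superblock deliberately destroyed and a decoy magic value planted in file data.</p>

```python
"""Locate ext2/ext3/ext4 superblock copies in a raw image (added example, not from the post)."""
import struct

EXT_MAGIC = 0xEF53
SB_SIZE = 1024  # the on-disk superblock structure is 1024 bytes


def parse_superblock(buf):
    """Decode the superblock fields we need; None if buf is not a sane superblock."""
    if len(buf) < SB_SIZE:
        return None
    (magic,) = struct.unpack_from("<H", buf, 0x38)      # s_magic
    if magic != EXT_MAGIC:
        return None
    inodes, blocks = struct.unpack_from("<II", buf, 0x00)  # s_inodes_count, s_blocks_count
    (free_inodes,) = struct.unpack_from("<I", buf, 0x10)   # s_free_inodes_count
    (first_data_block,) = struct.unpack_from("<I", buf, 0x14)
    (log_block_size,) = struct.unpack_from("<I", buf, 0x18)
    (blocks_per_group,) = struct.unpack_from("<I", buf, 0x20)
    (inodes_per_group,) = struct.unpack_from("<I", buf, 0x28)
    (group_nr,) = struct.unpack_from("<H", buf, 0x5A)      # s_block_group_nr
    # Sanity checks: a random 0xEF53 in file data rarely comes with a usable geometry.
    if log_block_size > 6 or not blocks or not blocks_per_group or not inodes_per_group:
        return None
    if inodes_per_group > inodes or free_inodes > inodes:
        return None
    return {
        "block_size": 1024 << log_block_size,
        "blocks": blocks,
        "inodes": inodes,
        "free_inodes": free_inodes,
        "first_data_block": first_data_block,
        "blocks_per_group": blocks_per_group,
        "inodes_per_group": inodes_per_group,
        "group_nr": group_nr,  # which block group this copy belongs to (0 = primary)
    }


def _expected_offset(sb):
    """Byte offset where a copy with this group number should live."""
    if sb["group_nr"] == 0:
        return 1024
    start_block = sb["first_data_block"] + sb["group_nr"] * sb["blocks_per_group"]
    return start_block * sb["block_size"]


def find_superblocks(image):
    """Return [(byte_offset, fields)] for every sane superblock copy found in the image."""
    found = []
    for off in range(0, len(image) - SB_SIZE + 1, SB_SIZE):
        sb = parse_superblock(image[off:off + SB_SIZE])
        if sb is None:
            continue
        # A backup copy sits at the first block of its group, so its byte offset
        # divided by the block size is the value to hand to `e2fsck -b`.
        sb["fs_block"] = off // sb["block_size"]
        sb["expected_offset"] = _expected_offset(sb)
        found.append((off, sb))
    return found


# --- constructed sample image ---------------------------------------------
def _make_superblock(group_nr):
    """Constructed superblock: 1 KiB blocks, 64 blocks and 512 inodes per group, 256 blocks."""
    sb = bytearray(SB_SIZE)
    struct.pack_into("<II", sb, 0x00, 2048, 256)   # s_inodes_count, s_blocks_count
    struct.pack_into("<I", sb, 0x10, 1990)         # s_free_inodes_count
    struct.pack_into("<I", sb, 0x14, 1)            # s_first_data_block (1 for 1 KiB blocks)
    struct.pack_into("<I", sb, 0x18, 0)            # s_log_block_size: 1024 << 0
    struct.pack_into("<I", sb, 0x20, 64)           # s_blocks_per_group
    struct.pack_into("<I", sb, 0x28, 512)          # s_inodes_per_group
    struct.pack_into("<H", sb, 0x38, EXT_MAGIC)    # s_magic
    struct.pack_into("<H", sb, 0x5A, group_nr)     # s_block_group_nr
    return bytes(sb)


SAMPLE_IMAGE = bytearray(256 * 1024)
SAMPLE_IMAGE[1024:2048] = _make_superblock(0)               # primary, block 1
SAMPLE_IMAGE[65 * 1024:66 * 1024] = _make_superblock(1)     # backup in group 1, block 65
SAMPLE_IMAGE[193 * 1024:194 * 1024] = _make_superblock(3)   # backup in group 3, block 193
SAMPLE_IMAGE[1024:1024 + 128] = b"\x00" * 128                # "disk damage": primary wiped
SAMPLE_IMAGE[100 * 1024 + 0x38:100 * 1024 + 0x3A] = b"\x53\xef"  # stray magic in file data

if __name__ == "__main__":
    for off, sb in find_superblocks(bytes(SAMPLE_IMAGE)):
        print(f"superblock copy of group {sb['group_nr']} at byte {off} "
              f"(fs block {sb['fs_block']}, {sb['free_inodes']}/{sb['inodes']} inodes free)")
```

<p>On a real image, read the partition (or a chunk at a time for a large disk) into the buffer and compare each hit&#8217;s byte offset with its expected_offset: copies that sit where their group number says they should, and agree with each other on the geometry, are the ones to try with <strong>e2fsck -b &lt;fs_block&gt; -B &lt;block_size&gt;</strong>; a free-inode count near 100% on every copy, as in the case above, means the inode tables themselves are gone and carving is the remaining option.</p>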
<p>Hope you enjoyed reading this one though!</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/12/07/bad-superblock-corrupt-inode-tables-and-loads-of-bad-luck/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hiding data with Host Protected Area (HPA) in Linux</title>
		<link>http://niiconsulting.com/checkmate/2006/09/15/hiding-data-with-hpahost-protected-area-in-linux/</link>
		<comments>http://niiconsulting.com/checkmate/2006/09/15/hiding-data-with-hpahost-protected-area-in-linux/#comments</comments>
		<pubDate>Fri, 15 Sep 2006 10:49:35 +0000</pubDate>
		<dc:creator>Kush</dc:creator>
				<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/09/hiding-data-with-hpahost-protected-area-in-linux/</guid>
		<description><![CDATA[By Kush Wadhwa, NII Consulting Have you ever thought of hiding data in such a manner that it cannot be deleted even after the hard disk is formatted? Well, in this article we&#8217;ll look at just that; we will see how you can hide and unhide crucial data on your hard disk. The [...]]]></description>
			<content:encoded><![CDATA[<p>By <strong>Kush Wadhwa</strong>, <a href="http://www.niiconsulting.com">NII Consulting</a></p>
<p>Have you ever thought of hiding data in such a manner that it cannot be deleted even after the hard disk is formatted? Well, in this article we&#8217;ll look at just that; we will see how you can hide and unhide crucial data on your hard disk. The technique used to hide the data is known as HPA, which stands for Host Protected Area. Let us first discuss HPA&#8230;</p>
<p><strong>HPA</strong> &#8211; The Host Protected Area (also called the Hidden Protected Area, and used by some OEMs as a &#8220;Predesktop Area&#8221; for recovery software) is a region at the end of a hard disk that the drive itself hides from the BIOS and the operating system. The drive reports a maximum user-addressable sector that is lower than its native maximum, so everything above that limit is invisible to partitioning and formatting tools, which is why formatting the disk does not touch it. Its size is whatever the ATA SET MAX ADDRESS command is given; on OEM systems it is usually a few gigabytes.</p>
<p>Since we have to calculate the hard disk space which is to be put in the HPA, here is a little about hard disk sectors.</p>
<p><strong>Sectors -</strong> A sector is the smallest unit that can be accessed on a hard disk. Each platter, or circular disk of a hard disk, is divided into tracks, which run around the disk. These tracks get longer as they move from the middle towards the outside of the disk, so there are more sectors along the tracks near the outside of the disk than along the ones towards the centre (zoned bit recording). For our purposes only the logical sector numbering matters: the drive presents a linear range of sector numbers (LBA), and the HPA is simply the tail of that range.</p>
<p>1 Sector = 512 bytes (on the drives of this article&#8217;s era; newer drives may report 4096-byte sectors, so use the size the drive reports)</p>
<p>Let us first see how many sectors are there in my hard disk which can be easily done using hdparm command.</p>
<p><img align="middle" alt="hpdarm command" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0906/figure-1.jpg" /></p>
<p>From the above figure we can see that the total number of sectors present in the hard disk is 78165359. Converting that number of sectors to gigabytes (78165359 &times; 512 bytes / 1024&sup3;) we get about 37.27 GiB. To hide the data, make a separate partition for it (<strong>Note: this partition should be the last partition</strong>), because an HPA cannot be made at the beginning or in the middle of the hard disk, only at its end. Using <strong>sfdisk -luS</strong>, note the starting sector of the last partition. Let the starting sector of the last partition be 64776751. Now I want only the first 64776751 sectors to be accessible and the rest of the sectors to be in the HPA. To put the sectors into the HPA I will use a small C program named <strong>setmax.c</strong>, which can be downloaded from the link below.</p>
<p>http://www.win.tue.nl/~aeb/linux/setmax.c</p>
<p>To compile this program I will use gcc</p>
<p>[root@hack3rs root]# gcc -o setmax setmax.c</p>
<p>To compile it statically (so that the binary does not depend on the libraries of the machine it is run on):<br />
[root@hack3rs root]# gcc -static -o setmax setmax.c</p>
<p>Since 64776751 sectors have to be made accessible we will do as follows:<br />
[root@hack3rs root]# ./setmax --delta 64776751 /dev/hdc (depending on your device name).</p>
<p>The --delta option makes a temporary HPA (a volatile limit, which the drive drops at the next power-on reset). If you want to make a permanent HPA then use the --max option with setmax.<br />
Congratulations! You have hidden the last 78165359 &#8211; 64776751 = 13388608 sectors, which is roughly 6.4 GiB. You can make sure whether your hard disk is in HPA mode or not by using <strong>disk_stat</strong>, which comes with Sleuthkit (it was later renamed diskstat and dropped from The Sleuth Kit 3.x; on a current Linux system <strong>hdparm -N /dev/sdX</strong> reports the same pair of sector counts). Sleuthkit can be downloaded from its official site http://www.sleuthkit.org. The general syntax of disk_stat is <strong>disk_stat &lt;device&gt;</strong>. Here the device name can be /dev/{hda,hdb,hdc,sda,sdb,sdc}. Be sure to give the whole disk, not a partition name.<br />
<strong>Unhiding your host protected area (specially written for digital forensics teams)</strong></p>
<p>When a digital forensics team is inspecting a machine, they should make sure whether the hard disk has an HPA or not. If it does, then it is quite possible that data is stored in that area, and that data could help them solve the case. Keep in mind that the BIOS, the operating system and most imaging tools only see the user-addressable range, so an image taken without first detecting the HPA silently omits it. So let us first detect whether the hard disk has an HPA or not. As said earlier this can easily be done using disk_stat, which shows the <strong>Maximum Disk Sector</strong> and the <strong>Maximum User Sector</strong>.</p>
<p><strong>Maximum Disk Sector: </strong>This gives the total number of sectors present on the hard disk (the drive&#8217;s native maximum).</p>
<p><strong>Maximum User Sector: </strong>This gives the number of sectors which the user (and the operating system) can access.</p>
<p>As per the example above I got the following result</p>
<p><strong>Maximum Disk Sector</strong>:  78165359<br />
<strong>Maximum User Sector</strong>:<strong>  </strong>64776751</p>
<p>** HPA Detected (Sectors 64776751 &#8211; 78165359) **</p>
<p>This means that sectors from 64776751 to 78165359 are in the HPA. Now use setmax again to unhide the HPA by raising the user-accessible limit back to the full disk:</p>
<p>[root@hack3rs root]# ./setmax --delta 78165359 /dev/hdc</p>
<p>This will make the whole hard disk accessible again. On an evidence drive, record both sector values before changing anything, because removing the HPA alters the drive&#8217;s configuration; many hardware write blockers can expose the HPA for imaging without that change. I hope you all enjoyed reading the article.</p>
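<p>The arithmetic above, as an added Python example that is not part of the post: it reads the two sector figures from disk_stat output of the form shown above (or from <strong>hdparm -N</strong> on a current Linux), reports the hidden range and its size, and cross-checks the partition table so that an investigator notices a partition that extends into the hidden area. The disk_stat, hdparm and sfdisk lines in the code are constructed samples in those tools&#8217; formats; the sfdisk format assumed is the <strong>start=, size=</strong> form of <strong>sfdisk -d</strong>.</p>

```python
"""HPA detection arithmetic (added example, not from the post)."""
import re

SECTOR_BYTES = 512  # check the drive's reported sector size before trusting this


def parse_max_sectors(text):
    """Return (max_user, max_disk) from disk_stat or `hdparm -N` output."""
    m = re.search(r"Maximum Disk Sector:\s*(\d+).*?Maximum User Sector:\s*(\d+)", text, re.S)
    if m:
        return int(m.group(2)), int(m.group(1))
    m = re.search(r"max sectors\s*=\s*(\d+)/(\d+)", text)
    if m:
        return int(m.group(1)), int(m.group(2))
    raise ValueError("no max-sector figures found")


def hpa_report(max_user, max_disk, sector_bytes=SECTOR_BYTES):
    """Hidden range and size, using the convention above (user .. disk is hidden)."""
    hidden = max_disk - max_user
    return {
        "hpa": hidden > 0,
        "first_hidden_sector": max_user if hidden > 0 else None,
        "hidden_sectors": hidden,
        "hidden_gib": hidden * sector_bytes / 2 ** 30,
        "disk_gib": max_disk * sector_bytes / 2 ** 30,
    }


def parse_sfdisk_dump(text):
    """[(device, start, size)] from `sfdisk -d` lines like '/dev/hdc1 : start= 63, size= ...'."""
    parts = []
    for line in text.splitlines():
        m = re.match(r"\s*(\S+)\s*:\s*start=\s*(\d+),\s*size=\s*(\d+)", line)
        if m:
            parts.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return parts


def partitions_in_hpa(parts, max_user):
    """Partitions whose last sector lies at or beyond the first hidden sector."""
    return [p for p in parts if p[1] + p[2] - 1 >= max_user]


# Constructed samples: disk_stat (format shown above), hdparm -N and sfdisk -d.
DISK_STAT_SAMPLE = """Maximum Disk Sector: 78165359
Maximum User Sector: 64776751
** HPA Detected (Sectors 64776751 - 78165359) **
"""
HDPARM_SAMPLE = "/dev/hdc:\n max sectors   = 64776751/78165359, HPA is enabled\n"
SFDISK_SAMPLE = """# partition table of /dev/hdc
unit: sectors

/dev/hdc1 : start=       63, size= 20964762, Id=83
/dev/hdc2 : start= 20964825, size= 43811926, Id=83
/dev/hdc3 : start= 64776751, size= 13388608, Id=83
"""

if __name__ == "__main__":
    user, disk = parse_max_sectors(DISK_STAT_SAMPLE)
    r = hpa_report(user, disk)
    print(f"disk {r['disk_gib']:.2f} GiB, HPA={r['hpa']}, "
          f"hidden {r['hidden_sectors']} sectors ({r['hidden_gib']:.2f} GiB)")
    for dev, start, size in partitions_in_hpa(parse_sfdisk_dump(SFDISK_SAMPLE), user):
        print(f"{dev}: sectors {start}-{start + size - 1} lie (partly) inside the HPA")
```

<p>With the figures from the example, the report gives 13388608 hidden sectors (about 6.4 GiB) and flags /dev/hdc3, the partition that was deliberately placed behind the HPA limit. A partition table entry that reaches past the user-accessible limit is exactly the trace an investigator should look for before imaging.</p>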
<p>Happy Experimenting!</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/09/15/hiding-data-with-hpahost-protected-area-in-linux/feed/</wfw:commentRss>
		<slash:comments>14</slash:comments>
		</item>
		<item>
		<title>Computer Forensics Volunteer Project</title>
		<link>http://niiconsulting.com/checkmate/2006/08/28/computer-forensic-volunteer-project/</link>
		<comments>http://niiconsulting.com/checkmate/2006/08/28/computer-forensic-volunteer-project/#comments</comments>
		<pubDate>Mon, 28 Aug 2006 08:38:46 +0000</pubDate>
		<dc:creator>Bhushan Shah</dc:creator>
				<category><![CDATA[Compromise Detection]]></category>
		<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Incident Response]]></category>
		<category><![CDATA[Network Forensics]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/08/computer-forensic-volunteer-project/</guid>
		<description><![CDATA[by Bhushan Shah, NII Consulting Mrs Carol L. Stimmel has taken it upon herself to start a Computer Forensic Volunteer Project to provide low-cost services to those who could not otherwise benefit from our skills. Here is a bit taken from the press release:- “As expert members of the international computer forensics community which provides unique and [...]]]></description>
			<content:encoded><![CDATA[<p>by <strong><a href="mailto:bhushan@niiconsulting.com">Bhushan Shah</a>, </strong><a href="http://www.niiconsulting.com">NII Consulting </a></p>
<p>Mrs Carol L. Stimmel has taken it upon herself to start a Computer Forensic Volunteer Project to provide low-cost services to those who could not otherwise benefit from our skills.</p>
<p>Here is a bit taken from <a href="http://www.prweb.com/releases/2006/8/prweb426937.htm">the press release:-</a></p>
<p>“As expert members of the international computer forensics community which provides unique and highly desirable services to the legal system, we assume a responsibility to provide services to those in need yet unable to pay. As a result, the Computer Forensics Volunteer Project (CFVP) provides pro bono and low-cost forensic services to individuals and organizations who normally would not be able to take advantage of the distinct litigation advantage provided by these techniques.”</p>
<p>On behalf of <a href="http://www.niiconsulting.com/">NII Consulting</a> I have volunteered to take part in the project and would like to help people who cannot afford such services.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/08/28/computer-forensic-volunteer-project/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Understanding Index.dat (Internet History Data File in Windows)</title>
		<link>http://niiconsulting.com/checkmate/2006/08/11/understanding-indexdat-internet-history-data-file-in-windows/</link>
		<comments>http://niiconsulting.com/checkmate/2006/08/11/understanding-indexdat-internet-history-data-file-in-windows/#comments</comments>
		<pubDate>Fri, 11 Aug 2006 11:41:28 +0000</pubDate>
		<dc:creator>Bhushan Shah</dc:creator>
				<category><![CDATA[Anti-Forensics]]></category>
		<category><![CDATA[Compromise Detection]]></category>
		<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/08/understanding-indexdat-internet-history-data-file-in-windows/</guid>
		<description><![CDATA[by Bhushan Shah, NII Consulting The index.dat is a file which contains the list of the websites that one has visited. It comes from “indexing” which is used to speed up query responses. The autocomplete feature in Internet Explorer compares the addresses to the index.dat to find an appropriate match. The size and life of [...]]]></description>
			<content:encoded><![CDATA[<p>by<strong> <a href="mailto:bhushan@niiconsulting.com">Bhushan Shah</a></strong>, <a href="http://www.niiconsulting.com">NII Consulting </a></p>
<p>The index.dat file contains the list of the websites that a user has visited. It is an index, a structure that Internet Explorer uses to speed up lookups over its history and cache entries.</p>
<p>The autocomplete feature in Internet Explorer compares typed addresses against index.dat to find an appropriate match. The size and lifetime of index.dat depend on the user and on the setting under Internet Explorer: Tools &gt; Internet Options (&#8220;Days to keep pages in history&#8221;).<span id="more-32"></span></p>
<p>There are three kinds of index.dat files.</p>
<ol>
<li>Daily</li>
<li>Weekly</li>
<li>Master</li>
</ol>
<p><strong>    1</strong>. <strong><em>Daily index.dat:-</em></strong></p>
<p>This file contains the data of one visiting websites for the day.</p>
<p>This index.dat file can be found in C:\Documents and Settings\*profile*\Local Settings\History\History.IE5\*folder* (the paths in this article are for Windows 2000/XP; on Vista and later the History folder lives under %LOCALAPPDATA%\Microsoft\Windows\History).</p>
<p>The folders name information is given below:-</p>
<p><strong>            MSHist012006081020060811</strong></p>
<p><strong>        MSHist01</strong> is common for all folders.</p>
<p>Next comes “from” date – <strong>20060810</strong> i.e. 2006/08/10 (yyyy/mm/dd)</p>
<p>Lastly comes the “to” date – <strong>20060811</strong> i.e. 2006/08/11 (yyyy/mm/dd)</p>
<p><strong>    2</strong>.<strong><em> Weekly index.dat:-</em></strong></p>
<p>This file contains the history of the user for the week.</p>
<p>This index.dat file can be found in C:\Documents and Settings\*profile*\Local Settings\History\History.IE5\*folder*</p>
<p>The folders name information is given below:-</p>
<p><strong>            MSHist012006073120060807<br />
</strong><strong><br />
MSHist01</strong> is common for all folders.</p>
<p>Next comes “from” date – <strong>20060731</strong> i.e. 2006/07/31 (yyyy/mm/dd)</p>
<p>Lastly comes the “to” date – <strong>20060807 </strong>i.e. 2006/08/07 (yyyy/mm/dd)</p>
<p><strong>    3</strong>. <strong><em>Master index.dat</em></strong></p>
<p>This file is located in C:\Documents and Settings\*profile*\Local Settings\History\History.IE5 i.e. the root of History.IE5, and it is the master index over the daily and weekly folders. (Internet Explorer 10 and later no longer use index.dat: the history moved to the ESE database WebCacheV01.dat under %LOCALAPPDATA%\Microsoft\Windows\WebCache.)</p>
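<p>As an added Python example (not from the post): a small inventory routine for a History.IE5 tree that decodes the MSHist01 folder names into their from/to dates, classifies each folder as daily or weekly from the span, and checks that each index.dat really is an Internet Explorer cache index by its &#8220;Client UrlCache MMF Ver&#8221; header string. The tree and the file headers it inspects are constructed in the code (an in-memory list of paths and first bytes) so that it runs offline; point it at a real profile by walking the History.IE5 directory and reading the first 64 bytes of each file instead.</p>

```python
"""Inventory of History.IE5 index.dat files (added example, not from the post)."""
import re
from datetime import datetime

MSHIST_RE = re.compile(r"^MSHist01(\d{8})(\d{8})$")
INDEX_DAT_SIGNATURE = b"Client UrlCache MMF Ver "  # header of IE5+ index.dat files


def parse_mshist_folder(name):
    """Decode 'MSHist01<from><to>' (yyyymmdd twice) into dates and a daily/weekly kind."""
    m = MSHIST_RE.match(name)
    if not m:
        return None
    start = datetime.strptime(m.group(1), "%Y%m%d").date()
    end = datetime.strptime(m.group(2), "%Y%m%d").date()
    span = (end - start).days
    kind = {1: "daily", 7: "weekly"}.get(span, "other")
    return {"folder": name, "from": start, "to": end, "days": span, "kind": kind}


def index_dat_version(head):
    """Version string from an index.dat header ('5.2' for IE5-9), or None if not an index.dat."""
    if not head.startswith(INDEX_DAT_SIGNATURE):
        return None
    end = head.find(b"\x00", len(INDEX_DAT_SIGNATURE))
    return head[len(INDEX_DAT_SIGNATURE):end].decode("ascii", "replace")


def inventory(entries):
    """entries: [(path relative to History.IE5, first bytes)] -> one finding per index.dat."""
    findings = []
    for path, head in entries:
        parts = path.replace("\\", "/").split("/")
        if parts[-1].lower() != "index.dat":
            continue
        version = index_dat_version(head)
        if len(parts) == 1:  # directly under History.IE5: the master file
            findings.append({"path": path, "kind": "master", "version": version})
            continue
        info = parse_mshist_folder(parts[-2]) or {"kind": "unknown"}
        findings.append({"path": path, "version": version, **info})
    return findings


# Constructed sample tree: the master file, the two folders named above, a
# non-index file, and a decoy index.dat whose header is not an IE cache index.
_HDR = b"Client UrlCache MMF Ver 5.2\x00" + b"\x00" * 36
SAMPLE_TREE = [
    ("index.dat", _HDR),
    ("MSHist012006081020060811/index.dat", _HDR),
    ("MSHist012006073120060807/index.dat", _HDR),
    ("MSHist012006081020060811/desktop.ini", b"[.ShellClassInfo]\r\n"),
    ("MSHist012006080120060802/index.dat", b"MZ\x90\x00" + b"\x00" * 60),
]

if __name__ == "__main__":
    for f in inventory(SAMPLE_TREE):
        print(f)
```

<p>A folder whose index.dat does not carry the signature (the last sample entry) is worth a second look: either the file was replaced, as described further down, or something else was parked under a history-looking name.</p>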
<p><strong>Index.dat Viewing Utilities:-</strong></p>
<p><strong><br />
</strong>There are a few utilities on the WWW to analyze index.dat. They help in organizing the data from it in an easy to view and customizable manner. Here is a list of a few such tools:-</p>
<ul>
<li><a href="http://www.digital-detective.co.uk/intro.asp">Netanalysis</a></li>
<li><a href="http://www.scanraid.com/indexdat.htm">IndexDat-Zap</a></li>
<li><a href="http://www.systenance.com/indexdat.php">Index.dat Analyzer</a></li>
</ul>
<p><strong>Deleting index.dat:-</strong></p>
<p>This file is &#8220;locked&#8221; by the operating system while Internet Explorer (or Explorer itself) holds it open, which means that one cannot delete it with the normal &#8220;Del&#8221; command.</p>
<p><em>    Note: Once it is very big in size it can start affecting the browser performance</em>.</p>
<p>There are a few tools available online to delete this file, but the easiest way I found to delete this file is to replace it with another file, i.e. make a new empty text file, name it index.dat and save it. Now, for every index.dat there is, replace it with the file that you made, i.e. the empty index.dat.</p>
<p>Alternatively, you could use a tool like <a href="http://ccollomb.free.fr/unlocker/">Unlocker</a>. This is a very nice free tool to see which applications are holding the file open, and to kill or unlock those applications so that the file can be deleted or modified.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/08/11/understanding-indexdat-internet-history-data-file-in-windows/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>LINReS &#8211; An open source Linux Incident Response Tool!</title>
		<link>http://niiconsulting.com/checkmate/2006/07/18/linres-an-open-source-linux-incident-response-tool/</link>
		<comments>http://niiconsulting.com/checkmate/2006/07/18/linres-an-open-source-linux-incident-response-tool/#comments</comments>
		<pubDate>Tue, 18 Jul 2006 14:22:40 +0000</pubDate>
		<dc:creator>Chetan Gupta</dc:creator>
				<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/07/linres-an-open-source-linux-incident-response-tool/</guid>
		<description><![CDATA[By Chetan Gupta, NII Consulting In accordance with NII&#8217;s mantra of innovation and research, we have developed our own tool to conduct initial response on compromised Linux systems. This tool is appropriately titled LINReS which stand for &#8220;Linux INcident Response Script&#8221;. LINReS is a Live Response script designed to run on suspect/compromised Linux systems. LINReS [...]]]></description>
			<content:encoded><![CDATA[<p>By Chetan Gupta, <strong><a target="_blank" href="http://www.niiconsulting.com/checkmate/wp-admin/www.niiconsulting.com">NII Consulting</a> </strong></p>
<p>In accordance with NII&#8217;s mantra of innovation and research, we have developed our own tool to conduct initial response on compromised Linux systems. This tool is appropriately titled LINReS, which stands for &#8220;<strong>L</strong>inux <strong>IN</strong>cident <strong>Re</strong>sponse <strong>S</strong>cript&#8221;.<br />
LINReS is a Live Response script designed to run on suspect/compromised Linux systems. LINReS consists mostly of statically compiled binaries and includes the shared libraries that may be required to run the few binaries which are not statically compiled. All in all, no binary from the compromised system is used by this tool, which mitigates the risk of collecting information on a trojaned system.<span id="more-31"></span></p>
<p>This script follows a simple client-server model where the suspect system acts as the server and the forensics workstation of the investigator (running MS-Windows) acts as the client and receives all the incident response data from the suspect system.</p>
<p>LINReS calls three different scripts which collect volatile and non-volatile data from the suspect system, catering to the requirements of the &#8216;Initial Response&#8217; phase of the Incident Response Methodology. The data collected by the scripts is sent to the forensics workstation through three different Netcat connections, which the script creates automatically. On the client side, the three listeners have to be set up by the investigator manually, or this can be automated with a simple Windows batch script provided in the toolkit.</p>
<p>More information about the tool is available at:<br />
<a class="moz-txt-link-freetext" href="http://www.niiconsulting.com/innovation/linres.html">http://www.niiconsulting.com/innovation/linres.html</a></p>
<p>Download LINReS:<br />
LINReS is available for download at the following links:<br />
<a class="moz-txt-link-freetext" href="http://prdownloads.sourceforge.net/linres/LINReS.tar.gz?download">http://prdownloads.sourceforge.net/linres/LINReS.tar.gz?download</a></p>
<p><a class="moz-txt-link-freetext" href="http://prdownloads.sourceforge.net/linres/LINReS_RHEL3_v1.1.tar.gz?download">http://prdownloads.sourceforge.net/linres/LINReS_RHEL3_v1.1.tar.gz?download</a></p>
<p>We have tested this tool successfully on RHEL3 and RHEL4 and would soon be releasing variants for the other flavours of Linux.</p>
<p>We sincerely hope that this tool would be useful to forensic investigators and anybody who has been assigned the task of conducting investigations on a  Linux system. We would appreciate any feedback on LINReS and look forward to adding onto and improving its functionality.</p>
<p>Happy testing!</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/07/18/linres-an-open-source-linux-incident-response-tool/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Article on Dissecting NTFS Hidden Streams</title>
		<link>http://niiconsulting.com/checkmate/2006/07/17/article-on-dissecting-ntfs-hidden-streams/</link>
		<comments>http://niiconsulting.com/checkmate/2006/07/17/article-on-dissecting-ntfs-hidden-streams/#comments</comments>
		<pubDate>Mon, 17 Jul 2006 16:23:29 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/07/article-on-dissecting-ntfs-hidden-streams/</guid>
		<description><![CDATA[NII Consulting&#8217;s Chetan Gupta (GCFA) has published an article at ForensicFocus on the Alternate Data Streams in NTFS, and how these can be detected. This article discusses a &#8220;&#8230;particular feature of this file system which was designed to offer compatibility with Macintosh Hierarchical File System (HFS) and store additional data called metadata for a file. [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.niiconsulting.com">NII Consulting&#8217;s</a> Chetan Gupta (GCFA) has published an article at <a href="http://www.forensicfocus.com/dissecting-ntfs-hidden-streams">ForensicFocus on the Alternate Data Streams in NTFS</a>, and how these can be detected.</p>
<p>This article discusses a &#8220;&#8230;particular feature of this file system which was designed to offer compatibility with Macintosh Hierarchical File System (HFS) and store additional data called metadata for a file. This feature is known as Alternate Data Streams (ADS).  The Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork tells the operating system how to interpret the data fork. Alternate Data Streams is the Microsoft way of implementing resource fork. The ADS is a hidden stream in addition to the regular data stream which contains the main data for the file. This hidden stream contains metadata for the file such as the file access/modification times, attributes etc. &#8221;<br />
<a href="http://www.forensicfocus.com/dissecting-ntfs-hidden-streams">Click here to read more</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/07/17/article-on-dissecting-ntfs-hidden-streams/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Rainbow Tables Simplified (Password Cracking for Windows)</title>
		<link>http://niiconsulting.com/checkmate/2006/07/17/rainbow-tables-simplified-password-cracking-for-windows/</link>
		<comments>http://niiconsulting.com/checkmate/2006/07/17/rainbow-tables-simplified-password-cracking-for-windows/#comments</comments>
		<pubDate>Mon, 17 Jul 2006 12:27:16 +0000</pubDate>
		<dc:creator>Bhushan Shah</dc:creator>
				<category><![CDATA[Disk Forensics]]></category>
		<category><![CDATA[Fundamentals]]></category>
		<category><![CDATA[Network Forensics]]></category>
		<category><![CDATA[Tools]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/07/rainbow-tables-simplified-password-cracking-for-windows/</guid>
		<description><![CDATA[By Bhushan Shah, NII Consulting Windows passwords are stored in the registry (encrypted) in the form of a hash. LMHash was the first hash function used by Microsoft to secure their passwords. Eventually when the security issues popped up (as LMHash is quite insecure) they had to come up with NLTM and the most recent [...]]]></description>
<content:encoded><![CDATA[<p>By <strong><a href="mailto:bhushan@niiconsulting.com">Bhushan Shah</a>, <a href="http://www.niiconsulting.com//">NII Consulting</a></strong></p>
<p>Windows passwords are stored in the registry (encrypted) in the form of a hash. LMHash was the first hash function used by Microsoft to secure their passwords. Eventually, when the security issues popped up (as LMHash is quite insecure), they had to come up with NTLM, the most recent one being NTLM Version 2.</p>
<p><strong>A hash function</strong> &#8211; is a way of creating a small digital &#8220;fingerprint&#8221; from any kind of data. The function chops and mixes the data to create the fingerprint, often called a hash value.</p>
<p><strong>The LMHash</strong> &#8211; LM hash or LAN Manager hash is one of the formats that Microsoft LAN Manager and Microsoft Windows use to store Windows user passwords that are less than 15 characters long.</p>
<p><span id="more-28"></span></p>
<p><strong>NTLM</strong> &#8211; Microsoft introduced the NTLM protocol which simply adds case sensitivity and removes the password-division. Dictionary attacks on this protocol are still very good for weak passwords, but Microsoft claims that 100 2GHz machines would still take 5.5 years to obtain the password by brute force. This protocol doesn&#8217;t offer any signing or encryption of the exchange of messages between the client and the server. Thus, the protocol is susceptible to message injection by an attacker, allowing &#8220;chosen plaintext&#8221; attacks.</p>
<p><strong>NTLM Version 2</strong> &#8211; This protocol expands the key space to 128-bits, increasing the difficulty of exhaustive brute force attacks (according to Microsoft).  The protocol also enables the establishment of a secure channel (signing and/or encryption) between the client and the server prior to the challenge/response.  The secure channel is established using a key set created specifically for that purpose (ie, not the password-derived key) and effectively eliminates chosen-plaintext attacks.  Encryption can also effectively obscure the messages, preventing the offline cracking attempts that work so well against LM and NTLM authentication.</p>
<p>Windows Password cracking is not as easy as it sounds. Generally the traditional password crackers will try a dictionary attack or try to brute force the password.</p>
<p><strong>Dictionary Attacks- </strong></p>
<p>The dictionary attack is actually self explanatory. What it means is that it tries every word in the dictionary. This makes the actual attack almost instantaneous, but for a big dictionary you need a lot of storage. The success rate of a dictionary attack is minimal if the password contains special characters, and it also depends on the number of words in the dictionary.</p>
<p><strong>Brute Force Attacks-</strong></p>
<p>A brute force attack is one where you try to defeat the password by trying a large number of possibilities, i.e. working through all possible keys in order to get the password. Such an attack has a better success rate but would take an excruciatingly long time to get a password and at times is not feasible.</p>
<p><em>Theoretical Limits:-</em></p>
<p>“There is a physical argument that a 128 bit key is secure against brute force attack. It is argued that, by the laws of physics, in order to simply flip through the possible values for a 128-bit key (ignoring doing the actual computing to check it), one would need a device consuming at a minimum 10 gigawatts (about the equivalent of eight large, dedicated nuclear reactors) running continuously for 100 years. The full actual computation—checking each key to see if you have found a solution—would consume many times this amount.</p>
<p>However, this argument assumes that the register values are changed using conventional set and clear operations which inevitably generate entropy. It has been shown that computational hardware can be designed not to encounter this theoretical obstruction”</p>
<p>Now, as these methods are not always feasible and extremely time consuming <em><a href="http://www.objectif-securite.ch/">Philippe Oechslin</a></em> came up with a method based on time-memory trade-off using Rainbow Tables.</p>
<p>“In 1980 Martin Hellman described a cryptanalytic time-memory trade-off which reduces the time of cryptanalysis by using pre-calculated data stored in memory. This technique was improved by Rivest before 1982 with the introduction of distinguished points which drastically reduces the number of memory lookups during cryptanalysis. This improved technique has been studied extensively but no new optimizations have been published ever since.” (3)<br />
This is a cryptanalytic attack based on exhaustive search, which needs a lot of computing power or a lot of time to complete. When the same attack has to be carried out multiple times, it may be possible to execute the exhaustive search in advance and store all results in memory. Once this pre-computation is done, the attack can be carried out almost instantly. We can also call it a pre-calculated attack.</p>
<p><strong>Rainbow Tables-</strong></p>
<p>When you brute force a password, trying different possibilities on one machine, you start to wonder whether it is really necessary to try all possible passwords again and again on each new machine. This is the basis on which rainbow tables were created. What seems more feasible is to save the brute force results and use the saved results to accelerate the cracking of other passwords.</p>
<p>It is possible to crack Windows passwords with the help of rainbow tables in a matter of seconds. Now, you would be wondering how rainbow tables can crack a password in a matter of seconds where brute forcing the same password took a few days or even a month, and how they do so with a better success rate.</p>
<p>This article might help you understand how the rainbow tables are built.</p>
<p>In order for the trade-off to work, the passwords and the hashes have to be organized in chains. To get this you need to define a reduction function that converts password hashes back into passwords. Starting at a password, you generate a hash from it with the hash function and then generate a new password from this hash with the reduction function. You do this over and over again until you have about 10000 hashes and passwords. This chain can only be created in the forward direction.</p>
<p><img align="middle" src="http://www.niiconsulting.com/checkmate/wp-admin/images/0106/rainbowtable.gif" /></p>
<p><em>(http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/)</em></p>
<p>Now, you can drop the whole chain except for the first and the last password that you store in the table. When you need to crack a hash, you calculate a chain starting from this hash. For every password that appears in the chain, you check if it is not the end of a chain that you stored in the table. When you find a matching end of a chain in the table, you know that the hash is probably part of this chain. Actually, the element just before the hash in that chain is the password you are looking for. You cannot go backwards, but you can look up the beginning of the chain in the table (this is why you stored it together with the end) and you just generate the whole chain from scratch until you get to the password.</p>
<p>“An interesting fact of rainbow tables is that the cracking time can be reduced by the square of the available memory, e.g., if you double the size of the tables, you can crack four times as fast. As an illustration, the online password cracker at (lasecwww.epfl.ch/~oechslin/projects/ophcrack) cracks alphanumerical windows passwords in about 2 seconds with a table set of 1.1G bytes. It takes about 16 seconds with a table set of 388M bytes available from the same web page.” (3)</p>
<p><strong>Limitations-</strong></p>
<p>This method of password cracking can only be used where the hashes can be calculated in advance. In operating systems other than Windows, the password hash is calculated with a random salt added (that is, the hash function takes an additional parameter as input). This salt is stored together with the hash {where Hash = hash(password + salt)}, such that a password can later be verified to match the hash.</p>
<p>Since we don&#8217;t know the value of the salt used with the hash in advance, we cannot create a table in advance.</p>
<p>MS-Windows and a few firewalls, routers and databases use salt-less hashing, making the attack possible.</p>
<p><strong>Tools-</strong></p>
<ul>
<li><a href="http://ophcrack.sourceforge.net/">Ophcrack</a> &#8211; This tool uses rainbow tables to crack passwords (based on rainbow tables and not RainbowCrack).<br />
(This is a bootable Linux CD + Windows setup with 3 options &#8211; Local SAM, Remote SAM or Encrypted SAM)</li>
</ul>
<p>Another implementation of rainbow tables, called RainbowCrack, is used in tools like-</p>
<ul>
<li>RainbowCrack Project &#8211; <a href="http://www.antsight.com/zsl/rainbowcrack/">http://www.antsight.com/zsl/rainbowcrack/</a></li>
<li>Cain &#8211; <a href="http://www.oxid.it/cain.html">http://www.oxid.it/cain.html</a></li>
<li>@Stake LC5 &#8211; <a href="http://www.webproxy.com/products/lc/">http://www.webproxy.com/products/lc/</a></li>
</ul>
<p>These tools use a less efficient way of storing chains in tables and end up with tables that are more than twice as big, making them more than four times slower for the same amount of memory (not considering the memory and RAM).</p>
<p>If you would like a demo of this method, it can be found <a title="here" href="http://lasecwww.epfl.ch/%7Eoechslin/projects/ophcrack/index.php">here</a>.</p>
<p>A few free tables can be found at:-</p>
<ul>
<li><a href="http://wired.s6n.com/files/jathias/">http://wired.s6n.com/files/jathias/</a></li>
<li><a href="http://www.antsight.com/zsl/rainbowcrack/">http://www.antsight.com/zsl/rainbowcrack/</a></li>
<li><a href="http://rainbowtables.shmoo.com/">http://rainbowtables.shmoo.com/</a></li>
</ul>
<p><strong>References:-</strong></p>
<ol>
<li>Making a Faster Cryptanalytic Time-Memory Trade-Off, Philippe Oechslin</li>
<li><a href="http://www.microsoft.com">http://www.microsoft.com</a></li>
<li><a href="http://en.wikipedia.org/wiki/Brute-force_attack">http://en.wikipedia.org/wiki/Brute-force_attack</a></li>
<li><a href="http://www.objectif-securite.ch/">http://www.objectif-securite.ch/</a></li>
<li><a href="http://lasecwww.epfl.ch/%7Eoechslin/projects/ophcrack/index.php">http://lasecwww.epfl.ch/~oechslin/projects/ophcrack/index.php</a></li>
<li><a href="http://www.rainbowcrack.com/">http://www.rainbowcrack.com/</a></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/07/17/rainbow-tables-simplified-password-cracking-for-windows/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>UserAssist Revisited!</title>
		<link>http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/</link>
		<comments>http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/#comments</comments>
		<pubDate>Sun, 16 Jul 2006 09:54:14 +0000</pubDate>
		<dc:creator>Chetan Gupta</dc:creator>
				<category><![CDATA[Anti-Forensics]]></category>
		<category><![CDATA[Disk Forensics]]></category>

		<guid isPermaLink="false">http://www.niiconsulting.com/checkmate/2006/07/userassist-revisited/</guid>
		<description><![CDATA[By Chetan Gupta, NII Consulting In my previous article on Userassist, I had mentioned how UserAssist records user access of specific objects on the system and how it would greatly aid forensic investigations. Although, I had shown how to decrypt the keys, the important thing that was missing was how to interpret the 16 bytes [...]]]></description>
			<content:encoded><![CDATA[<p>By <strong>Chetan Gupta, <a href="http://www.niiconsulting.com">NII Consulting</a></strong></p>
<p>In my <a target="_blank" href="http://www.niiconsulting.com/checkmate/2006/05/xp-built-in-spyware-utility/">previous</a> article on UserAssist, I had mentioned how UserAssist records user access of specific objects on the system and how it would greatly aid forensic investigations.<br />
Although I had shown how to decrypt the keys, the important thing that was missing was how to interpret the 16 bytes of data associated with the entries. (Thanks to Harlan Carvey for providing his valuable inputs on this.)</p>
<p>Here is a cool piece of code I found <a target="_blank" href="http://www.autohotkey.com/forum/topic9154.html">here</a> that allows one to decrypt the entries.<span id="more-26"></span><br />
Note: Use AutoHotkey to run this script. AutoHotkey is available <a target="_blank" href="http://www.autohotkey.com/download/AutoHotkeyInstall.exe">here</a>.</p>
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;<br />
<code>;;Author: Kostic Dejan<br />
;;Date: 07.04.2006<br />
<br />
; Build a ListView and fill it with the raw (ROT-13 obfuscated) value names found<br />
; under the two UserAssist GUID keys, together with their binary data.<br />
Gui, Add, ListView, vLst w700 h500 AltSubmit, Path|Name|Data<br />
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count<br />
{<br />
RegRead, rval    ; data of the current value (REG_BINARY is returned as a hex string)<br />
LV_Add("", "{5E6AB780-7743-11CF-A12B-00AA004AE837}", A_LoopRegName, rval)<br />
}<br />
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count<br />
{<br />
RegRead, rsv<br />
LV_Add("", "{75048700-EF1F-11D0-9888-006097DEACF9}", A_LoopRegName, rsv)<br />
}<br />
Gui, Add, Button, gdec, &amp;Decrypt    ; clicking the button jumps to the "dec" label below<br />
Gui, Show<br />
LV_ModifyCol(1, "100")<br />
LV_ModifyCol(2, "485")<br />
LV_ModifyCol(3, "100")<br />
return<br />
<br />
; Re-read both keys and show the value names with the ROT-13 obfuscation undone.<br />
dec:<br />
SetBatchLines, -1<br />
LV_Delete()<br />
SplashImage,, b1 c1,, Decrypting`nPlease wait...<br />
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count<br />
{<br />
RegRead, rval<br />
d2 := StringMod(A_LoopRegName, 26-13)    ; a shift of 13 is ROT-13, which is its own inverse<br />
LV_Add("", "{5E6AB780-7743-11CF-A12B-00AA004AE837}", d2, rval)<br />
}<br />
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count<br />
{<br />
RegRead, rsv<br />
d3 := StringMod(A_LoopRegName, 26-13)<br />
LV_Add("", "{75048700-EF1F-11D0-9888-006097DEACF9}", d3, rsv)<br />
}<br />
SplashImage, Off<br />
return<br />
<br />
; Shift every ASCII letter of _string by _chars positions within its own case,<br />
; leaving digits, punctuation and path separators untouched.<br />
StringMod(_string, _chars=0)    ; made by PhiLho, adapted by me<br />
{<br />
rStr := ""<br />
Loop, Parse, _string<br />
{<br />
char := Asc(A_LoopField)<br />
; o is 65 for an upper-case letter, 97 for a lower-case one and 0 for anything else<br />
o := Asc("A") * (Asc("A") &lt;= char &amp;&amp; char &lt;= Asc("Z")) + Asc("a") * (Asc("a") &lt;= char &amp;&amp; char &lt;= Asc("z"))<br />
If (o > 0)<br />
{<br />
char := Mod(char - o + _chars, 26)<br />
char := Chr(char + o)<br />
}<br />
Else<br />
{<br />
char := A_LoopField<br />
}<br />
rStr := rStr char<br />
}<br />
Return rStr<br />
}<br />
<br />
GuiClose:<br />
ExitApp</code><br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8211;</p>
<p>Now something on anti-forensics (I hate to mention this). Most users would like to delete these entries in order to erase their tracks.<br />
Here is how you can do it:</p>
<ol>
<li>Another cool piece of code from the AutoHotkey forums (Credits: Serenity)
<p>&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;<br />
<code>; Microsoft Internet Toolbar<br />
regdelete, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\count<br />
; ActiveDesktop<br />
regdelete, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\count<br />
<br />
; Disable logging and encryption<br />
regwrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoLog, 1<br />
regwrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoEncrypt, 1</code><br />
&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;&#8212;</p></li>
<li>Using User Assist Spy
<p>A tool that looks in your registry and lists some information about all the programs and documents you have ever accessed with your current installation of Windows. It also allows you to delete the information and disable future logging.<br />
It is available <a target="_blank" href="http://www.utdallas.edu/~jbs024000/download/userass-1.2.1.0.zip">here</a>.</p></li>
<li>Manual Way</li>
</ol>
<ul>
<li>Delete the count key entries and,</li>
<li>Add settings to disable encryption or logging
<ul>
<li>Add a new subkey called &#8220;Settings&#8221; under the &#8220;UserAssist&#8221; key</li>
<li>Add a new DWORD value called &#8220;NoLog&#8221; to stop further UserAssist entries from being added, or a DWORD value called &#8220;NoEncrypt&#8221; to disable the ROT-13 encryption of any UA entries that may be added in the registry. Both these DWORD values must be set to 1 for them to work properly</li>
</ul>
</li>
</ul>
<p>I hope the mist around the UserAssist feature is somewhat clearer now!<br />
Do write in your comments on this.</p>
]]></content:encoded>
			<wfw:commentRss>http://niiconsulting.com/checkmate/2006/07/16/userassist-revisited/feed/</wfw:commentRss>
		<slash:comments>6</slash:comments>
		</item>
	</channel>
</rss>

