UserAssist Revisited!

By Chetan Gupta, NII Consulting

In my previous article on Userassist, I had mentioned how UserAssist records user access of specific objects on the system and how it would greatly aid forensic investigations.
Although, I had shown how to decrypt the keys, the important thing that was missing was how to interpret the 16 bytes of data associated with the entries. (Thanks to Harlan Carvey for providing his valuable inputs on this.)

Here is a cool piece of code I found here that allows to decrypt the entries.
Note: Use Autohotkey to run this script . Autohotkey is available here

————————————–
;;Author: Kostic Dejan
;;Date: 07.04.2006

Gui, Add, ListView, vLst w700 h500 altsubmit, Path|Name|Data
Loop,HKCU,

SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist
{5E6AB780-7743-11CF-A12B-00AA004AE837}count
{
RegRead, rval
LV_Add(“”,”{5E6AB780-7743-11CF-A12B-00AA004AE837}”,a_loopregname,rval)
}
Loop,HKCU,
SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist
{75048700-EF1F-11D0-9888-006097DEACF9}count
{
RegRead, rsv
LV_Add(“”,”{75048700-EF1F-11D0-9888-006097DEACF9}”,a_loopregname,rsv)
}
Gui,add,button,gdec,&Decrypt
Gui, Show
LV_ModifyCol(1,”100″)
LV_ModifyCol(2,”485″)
LV_ModifyCol(3,”100″)
return
dec:
SetBatchLines,-1
LV_Delete()
SplashImage,,b1 c1,,Decrypting`nPlease wait...
Loop,HKCU,

SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{5E6AB780-
7743-11CF-A12B-00AA004AE837}count
{
RegRead, rval
d2:=StringMod(a_loopregname,26-13)
LV_Add(“”,”{5E6AB780-7743-11CF-A12B-00AA004AE837}”,d2,rval)
}
Loop,HKCU,
SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{75048700-
EF1F-11D0-9888-006097DEACF9}count
{
RegRead, rsv
d3:=StringMod(a_loopregname,26-13)
LV_Add(“”,”{75048700-EF1F-11D0-9888-006097DEACF9}”,d3,rsv)
}
SplashImage,off
return

StringMod(_string, _chars=””) ;made by PhiLho, adapted by me
{
Loop Parse, _string
{
char := Asc(A_LoopField)
o := Asc(“A”) * (Asc(“A”) <= char && char <= Asc("Z")) + Asc("a") * (Asc("a") <= char && char <= Asc("z")) If (o > 0)
{
char := Mod(char – o + _chars, 26)
char := Chr(char + o)
}
Else
{
char := A_LoopField
}
rStr := rStr char
}
Return rStr
}

GuiClose:
ExitApp
————————————–

Now something on anti-forensics (I hate to mention this). Most users would like to delete these entries in order to erase their tracks.
Here is how you can do it:

  1. Another cool piece of code from autohotkey forums (Credits: Serenity)
  2. —————————————
    ; Microsoft Internet Toolbar
    regdelete, HKCU,
    SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{5E6AB780-7743-11CF- A12B-00AA004AE837}count
    ; ActiveDesktop
    regdelete, HKCU,
    SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssist{75048700-EF1F-11D0- 9888-006097DEACF9}count

    ; Disable logging and encryption
    regwrite, REG_DWORD, HKCU,
    SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssistSettings, NoLog, 1
    regwrite, REG_DWORD, HKCU,
    SoftwareMicrosoftWindowsCurrentVersionExplorerUserAssistSettings, NoEncrypt,1
    ————————————

  3. Using User Assist Spy
  4. A tool that looks in your registry and lists some information about all the programs and documents you have ever accessed with your current installation of Windows. It also allows you to delete the information and disable future logging.
    It is available here.

  5. Manual Way
  • Delete the count key entries and,
  • Add settings to disable encryption or logging
    • Add a new subkey called “Settings” under “UserAssist” key
    • Add a new DWORD value called “NoLog” to disable the UserAssist entries being further added or a DWORD value called “NoEncrypt” to disable the ROT-13 encryption of any UA entries that may be added in the registry. Both these DWORD values must be set to 1 for them to work properly

I hope the mist around the UserAssist feature is somewhat more clearer now!
Do write in your comments on this.

  •  
  •  
  •  
  •  
  •  
  •  
  •  

6 Comments

  1. Hey Shaun,
    Thanks for pointing that out! I accept my mistake (part lazyness and part ignorance! πŸ™‚ )
    Actually the 16 bits of data is the date and time when the object was accessed… Very Important for leads to investigation… Now the important question is : how to convert this to humanly interpretable data?
    The answer is:
    1. You can use the decode program available at http://www.digital-detective.co.uk/freetools/decode.asp
    2. You can also use Mitec WRR (Windows Registry Recovery) or WRA (Analyzer) which are both freely available for the same purpose.
    Hope that helps!
    Chetan

  2. Hi Chetan

    What a fascinating insight into this mystery.

    I see that there are 16 pieces of data. I’ve used Decode and the final 8 pieces do, indeed, say when I last had access – but what about the first 8 pieces? On my system, they’re predominantly zeros, rather than a wide spread of all hex characters from 0 to F.

    Do you have any idea what the first 8 refer to and how they can be interpreted?

    Iain

  3. Hey Iain,

    Thats a very good question. Let me make this point very clear.

    The first 4 byte refer to DWORD (4 byte or 32 bits). This DWORD is a 32 bit integer that is a counter for the number of times that the program link files or other object has been opened. The very first time a program or link file is recorded it is assigned a counter value of 06h, which is decimal six. From that point forward, it will increment one for each time that particular program, link file or object is opened. The reason for the number starting at 6 is unknown. For your satisfaction you can say “GATES” in bill gates have 5 alphabets. Therefore he gave the increment of 5. LOL!!!. Anyways it hardly matters. I think it is clear to you now.:)

  4. Thank you, and sorry about the delay in my responding. I check here on most days and the first time that I saw your response was today, 4 July 2007.

    Since posting my question, I’ve been investigating myself and have realised that the count starts at 05h (the “zero” reference point) and that accounts for only part of this data. I suspect that the meaning of the remainder of the data will be uncovered in due course.

Comments are closed.