UserAssist

Overview

Evidence: UserAssist
Description: Enumerate UserAssist
Category: Registry
Platform: Windows
Short Name: userassist
Is Parsed: Yes - Binary registry data parsed into structured format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

UserAssist is a Windows registry artifact that tracks GUI-based program execution via Windows Explorer. When users launch programs from the desktop, Start menu, or Explorer, Windows records execution statistics in the UserAssist registry key.

The data is stored in ROT13-encoded value names and contains execution counts, last execution timestamps, and focus time. This provides user-specific evidence of program usage.

Data Collected

Field          Description                                          Example
Username       User account name                                    user
Path           Program path (ROT13 decoded)                         C:\Program Files\Google\Chrome\Application\chrome.exe
RunCount       Number of times executed                             42
LastRunTime    Last execution timestamp                             2023-10-15T14:30:00
FocusCount     Number of times focused (Version 5 only)             35
FocusTime      Total focus time in milliseconds (Version 5 only)    3600000
KeyPath        Registry key path                                    Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
LastWriteTime  Registry key last write time                         2023-10-15T14:30:00
RegPath        Path to registry hive                                Registry/ntuser.dat

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for UserAssist keys: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*

  • Reads version number to determine data structure (Version 3 or Version 5)

  • Decodes ROT13-encoded value names

  • Parses binary data structures to extract statistics

Version 3 (Windows 7): Contains execution count and last execution time

Version 5 (Windows 8+): Adds focus count and focus duration
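The decoding and parsing steps above, as an added example that is not the collector's own code. It decodes a ROT13-obfuscated value name, then unpacks the Count value data according to the version the collector reads from the UserAssist subkey (a 16-byte Version 3 record or a 72-byte Version 5 record) into the fields listed under Data Collected. The value names, the counts and the timestamp are constructed sample data; the executables-tracking subkey GUID and the known-folder GUID in the second name are well-known Windows constants; the record layouts are the commonly documented ones and are an assumption of this example rather than something the page states.

```python
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Well-known UserAssist subkey that records executable launches (Windows constant).
UA_EXECUTABLES_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"
UA_KEY_TEMPLATE = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{guid}\Count"

# FILETIME counts 100-nanosecond ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


@dataclass
class UserAssistEntry:
    path: str
    run_count: int
    last_run_time: Optional[datetime]
    focus_count: Optional[int]     # Version 5 only
    focus_time_ms: Optional[int]   # Version 5 only
    key_path: str


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """A zero FILETIME means the program has never been run; report it as None."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def decode_value_name(name: str) -> str:
    """Value names are ROT13 obfuscated (letters only), so hex letters inside a
    leading known-folder GUID are rotated as well; digits and punctuation pass through."""
    return codecs.decode(name, "rot_13")


def parse_count_value(version: int, name: str, data: bytes, guid: str) -> UserAssistEntry:
    """Unpack one Count value using the layout selected by the subkey's Version value."""
    path = decode_value_name(name)
    key_path = UA_KEY_TEMPLATE.format(guid=guid)
    if version == 3:
        # 16 bytes: session id, run count, FILETIME of last run.
        if len(data) < 16:
            raise ValueError("Version 3 record is shorter than 16 bytes")
        _session, run_count, ft = struct.unpack_from("<IIQ", data, 0)
        return UserAssistEntry(path, run_count, filetime_to_datetime(ft), None, None, key_path)
    if version == 5:
        # 72 bytes: 4 unknown, run count, focus count, focus time (ms) at offset 4,
        # ten floats of usage statistics, 4 unknown, FILETIME at offset 60, 4 unknown.
        if len(data) < 72:
            raise ValueError("Version 5 record is shorter than 72 bytes")
        run_count, focus_count, focus_time_ms = struct.unpack_from("<III", data, 4)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return UserAssistEntry(path, run_count, filetime_to_datetime(ft),
                               focus_count, focus_time_ms, key_path)
    raise ValueError(f"unsupported UserAssist version {version}")


# --- constructed sample data (not taken from a real hive) ---------------------

def _filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def build_sample_v5(run_count: int, focus_count: int, focus_time_ms: int, last_run: datetime) -> bytes:
    blob = struct.pack("<IIII", 0, run_count, focus_count, focus_time_ms)
    blob += struct.pack("<10f", *([0.0] * 10))       # usage percentages, not parsed here
    blob += struct.pack("<IQI", 0, _filetime(last_run), 0)
    assert len(blob) == 72
    return blob


def build_sample_v3(run_count: int, last_run: Optional[datetime]) -> bytes:
    ft = _filetime(last_run) if last_run else 0
    return struct.pack("<IIQ", 0, run_count, ft)


# ROT13 form of the path used in the Data Collected table above.
SAMPLE_NAME = r"P:\Cebtenz Svyrf\Tbbtyr\Puebzr\Nccyvpngvba\puebzr.rkr"
# A name that starts with the known-folder GUID for the System folder, ROT13 applied.
SAMPLE_NAME_WITH_FOLDER_GUID = r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr"
SAMPLE_LAST_RUN = datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)
SAMPLE_V5 = build_sample_v5(42, 35, 3600000, SAMPLE_LAST_RUN)
SAMPLE_V3 = build_sample_v3(7, SAMPLE_LAST_RUN)


if __name__ == "__main__":
    for version, blob in ((5, SAMPLE_V5), (3, SAMPLE_V3)):
        print(parse_count_value(version, SAMPLE_NAME, blob, UA_EXECUTABLES_GUID))
```

Against a real hive the collector would iterate every {GUID}\Count subkey and feed each value's name and data through parse_count_value with that subkey's Version value; the register-level checks here (record length, zero timestamp) are the ones that keep a malformed or never-run entry from being reported as a real execution.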

Usage

UserAssist provides user-specific program execution evidence for GUI applications. Investigators use this data to establish program usage patterns per user, prove user interaction with specific programs, track execution frequency and recency, identify programs launched from Explorer, detect suspicious user activity, and correlate program usage with other user artifacts.

Known Limitations

  • Only tracks programs launched via the Windows Explorer GUI

  • Command-line executions are not recorded

  • Can be cleared by the user or by anti-forensic tools

  • ROT13 encoding is easily decoded (it is an obfuscation, not a security measure)

  • Data format varies between Windows versions

Notes

UserAssist complements other execution artifacts (Prefetch, Amcache, AppCompatCache) by providing user-specific usage statistics. The focus time can indicate how long users actively used an application.
