UserAssist

Overview

Evidence: UserAssist
Description: Enumerate UserAssist
Category: System
Platform: windows
Short Name: userassist
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No

Background

UserAssist is a Windows registry artifact that tracks GUI-based program execution via Windows Explorer. When users launch programs from the desktop, Start menu, or Explorer, Windows records execution statistics in the UserAssist registry key.

The data is stored in ROT13-encoded value names and contains execution counts, last execution timestamps, and focus time. This provides user-specific evidence of program usage.

Data Collected

This collector gathers structured data about UserAssist entries.

UserAssist Data

Field         | Description                                      | Example
Username      | User account name                                | user
Path          | Program path (ROT13 decoded)                     | C:\Program Files\Google\Chrome\Application\chrome.exe
RunCount      | Number of times executed                         | 42
LastRunTime   | Last execution timestamp                         | 2023-10-15T14:30:00
FocusCount    | Number of times focused (Version 5 only)         | 35
FocusTime     | Total focus time in milliseconds (Version 5 only)| 3600000
KeyPath       | Registry key path                                | Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
LastWriteTime | Registry key last write time                     | 2023-10-15T14:30:00
RegPath       | Path to registry hive                            | Registry/ntuser.dat

Collection Method

This collector:

  • Collects user registry hives (ntuser.dat)

  • Searches for UserAssist keys: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*

  • Reads version number to determine data structure (Version 3 or Version 5)

  • Decodes ROT13-encoded value names

  • Parses binary data structures to extract statistics

Version 3 (Windows 7): Contains execution count and last execution time
Version 5 (Windows 8+): Adds focus count and focus duration
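The decoding and parsing steps above, as an added illustration that is not the collector's own code: a small Python parser that ROT13-decodes a value name, reads the Version 3 and Version 5 binary layouts, and converts the FILETIME to a timestamp. The byte layouts, the UEME_CTLSESSION control value and the count offset of 5 in Version 3 data are assumptions taken from commonly documented UserAssist structures, not from this page, and the sample values are constructed here.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC
_EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> Optional[datetime]:
    """Convert a Windows FILETIME to an aware UTC datetime; 0 means 'not recorded'."""
    if filetime == 0:
        return None
    return _EPOCH_1601 + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build constructed sample data."""
    delta = dt - _EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_value_name(name: str) -> str:
    """UserAssist value names are ROT13; digits and punctuation pass through unchanged."""
    return codecs.decode(name, "rot_13")


def parse_entry(version: int, name: str, data: bytes) -> dict:
    """Parse one value under UserAssist\\{GUID}\\Count into a record.

    Layouts (assumption, from commonly documented structures, not from this page):
      Version 3, 16 bytes: uint32 session, uint32 run count, FILETIME last run
      Version 5, 72 bytes: uint32 session, uint32 run count, uint32 focus count,
                           uint32 focus time (ms), 10 x float32, uint32,
                           FILETIME last run at offset 60, uint32
    """
    record = {"Path": decode_value_name(name), "FocusCount": None, "FocusTime": None}
    if version == 3:
        if len(data) < 16:
            raise ValueError("Version 3 entry too short: %d bytes" % len(data))
        _session, count, last = struct.unpack_from("<IIQ", data, 0)
        # Version 3 stores the counter with an offset of 5 (assumption; documented for XP hives)
        record["RunCount"] = count - 5 if count >= 5 else count
    elif version == 5:
        if len(data) < 72:
            raise ValueError("Version 5 entry too short: %d bytes" % len(data))
        _session, count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (last,) = struct.unpack_from("<Q", data, 60)
        record["RunCount"] = count
        record["FocusCount"] = focus_count
        record["FocusTime"] = focus_ms
    else:
        raise ValueError("unsupported UserAssist version %d" % version)
    record["LastRunTime"] = filetime_to_datetime(last)
    return record


def parse_count_key(version: int, values: Dict[str, bytes]) -> List[dict]:
    """Parse every value of a Count key, skipping the UEME_CTLSESSION control value (assumption)."""
    records = []
    for name, data in values.items():
        if decode_value_name(name) == "UEME_CTLSESSION":
            continue
        records.append(parse_entry(version, name, data))
    return records


# Constructed sample data (not captured from a real hive)
SAMPLE_LAST_RUN = datetime(2023, 10, 15, 14, 30, tzinfo=timezone.utc)
SAMPLE_V5_NAME = codecs.encode(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "rot_13")
SAMPLE_V5_DATA = (
    struct.pack("<IIII", 1, 42, 35, 3_600_000)   # session, run count, focus count, focus ms
    + b"\x00" * 40                                # ten float32 slots, unused here
    + struct.pack("<I", 0)
    + struct.pack("<Q", datetime_to_filetime(SAMPLE_LAST_RUN))
    + struct.pack("<I", 0)
)
SAMPLE_V3_NAME = codecs.encode(r"UEME_RUNPATH:C:\Windows\notepad.exe", "rot_13")
SAMPLE_V3_DATA = struct.pack("<IIQ", 1, 7 + 5, datetime_to_filetime(SAMPLE_LAST_RUN))


if __name__ == "__main__":
    key_values = {"HRZR_PGYFRFFVBA": b"\x00" * 72, SAMPLE_V5_NAME: SAMPLE_V5_DATA}
    for rec in parse_count_key(5, key_values):
        print(rec)
    print(parse_entry(3, SAMPLE_V3_NAME, SAMPLE_V3_DATA))
```

The version number is read from the Version value of the UserAssist\{GUID} key before the Count values are parsed; feeding Version 5 data through the Version 3 layout silently yields wrong counts and timestamps, which is why the parser branches on it rather than on data length alone.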

Forensic Value

UserAssist provides user-specific program execution evidence for GUI applications. Investigators use this data to establish program usage patterns per user, prove user interaction with specific programs, track execution frequency and recency, identify programs launched from Explorer, detect suspicious user activity, and correlate program usage with other user artifacts.
