UserAssist

Overview

Evidence: UserAssist Description: Enumerate UserAssist Category: System Platform: windows Short Name: userassist Is Parsed: Yes Sent to Investigation Hub: Yes Collect File(s): No

Background

UserAssist is a Windows registry artifact that tracks GUI-based program execution via Windows Explorer. When users launch programs from the desktop, Start menu, or Explorer, Windows records execution statistics in the UserAssist registry key.

The data is stored in ROT13-encoded value names and contains execution counts, last execution timestamps, and focus time. This provides user-specific evidence of program usage.

Data Collected

This collector gathers structured data about userassist.

UserAssist Data

Collection Method

This collector:

• Collects user registry hives (ntuser.dat)

• Searches for UserAssist keys: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*

• Reads version number to determine data structure (Version 3 or Version 5)

• Decodes ROT13-encoded value names

• Parses binary data structures to extract statistics

Version 3 (Windows 7): Contains execution count and last execution time Version 5 (Windows 8+): Adds focus count and focus duration

Forensic Value

UserAssist provides user-specific program execution evidence for GUI applications. Investigators use this data to establish program usage patterns per user, prove user interaction with specific programs, track execution frequency and recency, identify programs launched from Explorer, detect suspicious user activity, and correlate program usage with other user artifacts.