If you've ever looked through a memory dump and noticed the following registry key getting modified, here's my take on what it's doing.
Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\
It appears that each time a program is executed on a Windows operating system, the OS records it under this key, including the date/time of the last run and the number of times it has been run.
For example, I opened the following registry key
HKEY_USERS\C__Users_USERNAME_ntuser.dat\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count\RANDOMLETTERS
And was able to read the following values
mstsc.exe , Microsoft.Windows.RemoteDesktop
Which would seem to me to indicate that Remote Desktop was launched.
In another example I saw this text
TaskBar\Google Chrome.lnk
Which would seem to indicate Chrome was launched from the Windows taskbar at the bottom of the screen.
Didier Stevens has a nice utility called UserAssist that allows you to view these values.
Copyright © 2015, this post cannot be reproduced or retransmitted in any form without reference to the original post.