UserAssist
Overview
Evidence: UserAssist
Description: Enumerate UserAssist
Category: System
Platform: windows
Short Name: userassist
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): No
Background
UserAssist is a Windows registry artifact that tracks GUI-based program execution via Windows Explorer. When users launch programs from the desktop, Start menu, or Explorer, Windows records execution statistics in the UserAssist registry key.
The data is stored in ROT13-encoded value names and contains execution counts, last execution timestamps, and focus time. This provides user-specific evidence of program usage.
Data Collected
This collector gathers structured data about UserAssist.
UserAssist Data
| Field | Description | Example |
|---|---|---|
| Username | User account name | user |
| Path | Program path (ROT13 decoded) | C:\Program Files\Google\Chrome\Application\chrome.exe |
| RunCount | Number of times executed | 42 |
| LastRunTime | Last execution timestamp | 2023-10-15T14:30:00 |
| FocusCount | Number of times focused (Version 5 only) | 35 |
| FocusTime | Total focus time in milliseconds (Version 5 only) | 3600000 |
| KeyPath | Registry key path | Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count |
| LastWriteTime | Registry key last write time | 2023-10-15T14:30:00 |
| RegPath | Path to registry hive | Registry/ntuser.dat |
Collection Method
This collector:
- Collects user registry hives (ntuser.dat)
- Searches for UserAssist keys: Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\*
- Reads the version number to determine the data structure (Version 3 or Version 5)
- Decodes ROT13-encoded value names
- Parses binary data structures to extract statistics

Version 3 (Windows 7): Contains execution count and last execution time
Version 5 (Windows 8+): Adds focus count and focus duration
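The ROT13 decoding and binary parsing steps above, as an added Python example that is not the collector's own code. The byte layouts of the Version 3 and Version 5 records, the helper names, and the sample record (built from the Chrome row in the table) are assumptions constructed for illustration, not taken from this page.

```python
# Added example: decode and parse values under UserAssist\{GUID}\Count.
# Assumed record layouts (not stated on the page):
#   Version 3 (16 bytes): session(4) | run count(4) | last run FILETIME(8)
#   Version 5 (72 bytes): session(4) | run count(4) | focus count(4) | focus ms(4)
#                         | 44 bytes of floats/unknown | FILETIME at offset 60 | 4 unknown
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_iso(ft: int):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to ISO-8601; 0 means never run."""
    if ft == 0:
        return None
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def iso_to_filetime(iso: str) -> int:
    """Inverse of filetime_to_iso, used here only to build constructed sample data (integer math, no float drift)."""
    delta = datetime.fromisoformat(iso) - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_count_value(value_name: str, data: bytes, version: int) -> dict:
    """Parse one Count value given the Version number read from the parent UserAssist\\{GUID} key."""
    # ROT13 is its own inverse; real value names may carry a known-folder GUID prefix,
    # which is left as-is after decoding.
    record = {"Path": codecs.decode(value_name, "rot_13")}
    if version == 3 and len(data) == 16:
        _, record["RunCount"], ft = struct.unpack("<IIQ", data)
    elif version == 5 and len(data) == 72:
        _, record["RunCount"], record["FocusCount"], record["FocusTime"] = struct.unpack_from("<4I", data, 0)
        ft = struct.unpack_from("<Q", data, 60)[0]
    else:
        raise ValueError(f"unexpected {len(data)}-byte record for UserAssist version {version}")
    record["LastRunTime"] = filetime_to_iso(ft)
    return record


# Constructed sample: the Chrome entry from the table above, encoded as a Version 5 record.
SAMPLE_NAME = codecs.encode(r"C:\Program Files\Google\Chrome\Application\chrome.exe", "rot_13")
SAMPLE_V5 = (struct.pack("<4I", 0, 42, 35, 3_600_000)
             + b"\x00" * 44                       # offsets 16..59: floats and unknown DWORD
             + struct.pack("<Q", iso_to_filetime("2023-10-15T14:30:00+00:00"))
             + b"\x00" * 4)                       # offset 68..71: unknown
SAMPLE_V3 = SAMPLE_V5[:8] + SAMPLE_V5[60:68]      # same entry in the shorter Version 3 layout

if __name__ == "__main__":
    print(parse_count_value(SAMPLE_NAME, SAMPLE_V5, 5))
    print(parse_count_value(SAMPLE_NAME, SAMPLE_V3, 3))
```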
Forensic Value
UserAssist provides user-specific program execution evidence for GUI applications. Investigators use this data to establish program usage patterns per user, prove user interaction with specific programs, track execution frequency and recency, identify programs launched from Explorer, detect suspicious user activity, and correlate program usage with other user artifacts.