
UserAssist

UserAssist records metadata of GUI-based application executions (in other words, via the Explorer shell). It does not track non-GUI based applications, such as command line applications or most services.

Analysis

UserAssist is tied to individual user profiles and can be located inside an individual user's NTUSER.DAT hive:

NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count

The following information is generally available for each UserAssist entry:

  • Executable Name
  • Executable File Path
  • Last Run Time
  • Run Count
  • Focus Count
  • Focus Time

Each UserAssist key contains multiple subkeys. The {GUID} represents the type of program execution. Other GUIDs exist on a modern Windows system and it is worth enumerating each of them to check for values. In practice, only two of the GUIDs are commonly populated. For Windows 7 and newer, they are:

  • {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} — shortcut file execution (e.g., LNK)
  • {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} — executable file execution (e.g., EXE)

The values under each Count key have ROT-13 encoded names that provide the path of the executed application. In some cases, the name begins with a KNOWNFOLDERID GUID that must be mapped to its folder to reveal the full path.

The data for each value is of type REG_BINARY and contains the associated metadata, including the session identifier, last run time, run count, focus time and focus count. All fields are little-endian; timestamps are FILETIME values and durations are expressed in milliseconds.

The LastWriteTime of the UserAssist Count key should not be used as a proxy for last execution. In my testing, it does not always correlate with the most recent Last Run Time stored in its values.

Example

Attribute      Details
Registry Key   NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count
Value Name     {S38OS404-1Q43-42S2-9305-67QR0O28SP23}\ertrqvg.rkr
Value Data     3A 00 00 00 02 00 00 00 01 00 00 00 F2 E4 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 07 00 00 00 D0 7F 57 0A F6 1C DA 01 00 00 00 00
Data Type      REG_BINARY

Interpreting registry key path

The GUID {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} indicates this program was launched directly as an executable, rather than via a shortcut file.

Decoding the value name

The value name ROT-13 decodes to {F38BF404-1D43-42F2-9305-67DE0B28FC23}\regedit.exe. The .exe extension is consistent with the executable-execution GUID of the parent key.

The GUID {F38BF404-1D43-42F2-9305-67DE0B28FC23} is FOLDERID_Windows, which maps to the Windows folder (normally C:\Windows), so the full path of the executed program is C:\Windows\regedit.exe.

Decoding value data

Offset  Size  Description               Example Value             Interpreted Value
0-3     4     Session Identifier        3A 00 00 00               58
4-7     4     Run Count                 02 00 00 00               2
8-11    4     Focus Count               01 00 00 00               1
12-15   4     Focus Time (ms)           F2 E4 00 00               58610 ms (about 58.6 s)
16-55   40    Not interpreted here      00 00 ... 00 00           (all zero in this example)
56-59   4     Not interpreted here      07 00 00 00               -
60-67   8     Last Executed (FILETIME)  D0 7F 57 0A F6 1C DA 01   2023-11-22 03:43:22 UTC
68-71   4     Not interpreted here      00 00 00 00               -

All multi-byte fields are little-endian; the example value data is 72 bytes in total.

On my Windows 11 22H2 test machine, it appears that Focus Time and Focus Count are not maintained for applications executed by a shortcut file ({F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}).

However, Focus Time and Focus Count are inconsistently maintained for applications directly executed by an executable ({CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}).

Investigation Considerations

The metadata values in UserAssist are not always reliable. The artifact is one of the more complicated registry artifacts. Its behavior can vary among versions of Windows or even among particular applications.

It may not be possible to leverage UserAssist artifacts alone as definitive evidence of execution. As with any forensic analysis, it may be necessary to rely on other execution artifacts to corroborate investigation findings.

Tools

  1. Eric Zimmerman's Registry Explorer
  2. NirSoft UserAssistView