UserAssist

TL;DR
Determine Program Execution / Interactions

• UserAssist is a method used to populate a user's start menu with frequently used applications.
• Tracks when a GUI application is launched (launched directly from the executable or from a Windows shortcut aka LNK file)
• Everything executed from a command shell will NOT be tracked by UserAssist
• Stored in the Windows Registry (in each users NTUSER.DAT registry file), all values are ROT-13 encoded
• Artifact Location: NTUSER.DAT\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
• Parent: Explorer.exe
• Focus Count (Number of executions)
• Focus Time (Total seconds focused)
• Last Execution Date/Time
• The UserAssist key does not seem to be present on NT4, therefore this functionality was likely introduced in Windows 2000.

Note: The Focus Count and Focus Time are still unreliable.

Fig 1: Analyzing UserAssist Artifacts w/ RECmd (EZTools by Eric Zimmerman)

Fig 2: UserAssist (Stats)

Fig 3: UserAssist (Plugin)

Last updated: 2021-06-19