I recently found myself needing to examine a workstation in an attempt to determine what had taken place on it before it started to act up. I was curious what programs were run or what objects were accessed. All kinds of data are spread across the registry, but a good place to look when you want to forensically gather what was happening within the context of a user session is HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Within UserAssist, you will find a few {GUID} keys that each have a corresponding Count key:
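As an added example (not code from the original post), the sketch below walks each {GUID}\Count key under UserAssist and decodes its values for triage. It assumes two things the excerpt above does not state: value names are ROT13-encoded, and on Windows 7 and later each value is 72 bytes with the run count at offset 4 and the last-run FILETIME at offset 60. The sample value is constructed.

```python
import codecs
import struct
import sys
from datetime import datetime, timedelta, timezone

USERASSIST = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_name(name):
    return codecs.decode(name, "rot_13")  # assumption: names are stored ROT13-encoded

def filetime_to_utc(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; 0 means no recorded run."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_entry(name, data):
    """Decode one Count value; only the assumed 72-byte layout is parsed."""
    entry = {"name": decode_name(name), "run_count": None, "last_run": None}
    if len(data) == 72:
        entry["run_count"] = struct.unpack_from("<I", data, 4)[0]
        entry["last_run"] = filetime_to_utc(struct.unpack_from("<Q", data, 60)[0])
    return entry

def read_live():
    """Read every {GUID}\\Count key for the current user (Windows only)."""
    import winreg
    out = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, USERASSIST) as root:
        for i in range(winreg.QueryInfoKey(root)[0]):
            try:
                count = winreg.OpenKey(root, winreg.EnumKey(root, i) + r"\Count")
            except OSError:
                continue  # GUID key without a Count subkey
            with count:
                for j in range(winreg.QueryInfoKey(count)[1]):
                    name, data, _type = winreg.EnumValue(count, j)
                    if isinstance(data, bytes):
                        out.append(parse_entry(name, data))
    return out

def sample_entry():
    """Constructed value: notepad.exe, 3 runs, last run 2012-02-06 12:00 UTC."""
    when = datetime(2012, 2, 6, 12, tzinfo=timezone.utc)
    ft = int((when - EPOCH_1601).total_seconds()) * 10**7
    return parse_entry("P:\\Jvaqbjf\\abgrcnq.rkr", struct.pack("<II52xQ4x", 0, 3, ft))

if __name__ == "__main__":
    for e in (read_live() if sys.platform == "win32" else [sample_entry()]):
        print(e["last_run"], e["run_count"], e["name"])
```

Values with a different length, such as the older layout on Windows XP, are listed with their decoded name only.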
Archive for February 6th, 2012
A Quick Glance At The UserAssist Key in Windows
Posted by William Diaz on February 6, 2012