Windows Explored

I recently found myself needing to examine a workstation in an attempt to determine what had taken place on it before it started to act up. I was curious what programs were run or what objects were accessed. All kinds of data is spread across the registry, but a good place to look when you want to forensically gather what was happening within the context of a user session is to look in HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Within UserAssist, you will find a few {GUID} keys that each have a corresponding Count key:

These GUID are common across the same platform. In XP:

• {0D6D4F41-2994-4BA0-8FEF-620E43CD2812} – A key that seems to be specific to IE7
• {5E6AB780-7743-11CF-A12B-00AA004AE837} – IE Favorites and other IE toolbar objects
• {75048700-EF1F-11D0-9888-006097DEACF9} – A list of applications, files, links, and other objects that have been accessed.

In Vista and Windows 7:

• {CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} – A list of applications, files, links, and other objects that have been accessed.
• {F4E57C4B-2036-45F0-A9AB-443BCFE33D9F} – Lists the shortcut links used to start progams

Now, before you head off to examine all the goodies in here, there is one minor caveat: the data in these keys is obfuscated by default:

This is not a major hurdle, though, as the encryption method here is rather simple ROT13. What that means is that each alphabetic character is offset 13 places forward:

Now, before you get excited and wonder why Microsoft is so lax when it comes to encryption, you should know that the idea here is not to really prevent this data from being deciphered. I’m entirely sure why, but it seems Microsoft may not have wanted this portion of the registry accessible to searches or modified by the “average” user.

To simply the task of decrypting this data, there are several online tools available for which you paste the string(s) of data and have it converted. Alternatively, a very useful utility that can be run locally is UserAssist, which besides looking in HKCU can also read exported reg files and ntuser.dat. This would be more useful since you can order the values chronologically. NirSoft also has a good tool for viewing these keys. For example, here is the recent output captured on a Windows XP lab pc I regularly work on, sorted by most recent date:

You can see the last action where I clicked on Start, indicated by UEME_RUNPATH and the GUID {90110409-6000-8CFE-0150048383C9}, and from here then launched Word, and before that where I ran UserAssist.exe from the desktop, RegScanner, regedit, Excel, etc…

Some other things worth noting:

• The encryption mechanism can be turned off or logging disabled altogether. In Windows XP, to disable ROT13 encryption in the UserAssist key, create a new DWORD in this key and name it NoEncrypt and assign a value of 1. To disable logging in the UserAssist key, create a new DWORD in this key and name it NoLog and assign a value of 1.
• Alternatively, to disable logging in Vista/WIndows 7, right-click the Taskbar > go to Properties > Start Menu and under Privacy uncheck both options.
• In Vista and Windows 7, it seems like less data is gathered in the UserAssist key. Whereas XP contains many more UEME types, Vista and Windows 7 contain only a handful.
• Since the UserAssist key resides in ntuser.dat, you can load an offline copy. Alternatively, the live remote key key can be accessed from HKU.
• Impress your friends by telling them you can read ROT26 encryption on the fly, unassisted.