UserAssist Revisited!

By Chetan Gupta, NII Consulting

In my previous article on UserAssist, I described how UserAssist records a user's access to specific objects on the system and how much that helps a forensic investigation.
Although I had shown how to decrypt the keys, the important piece that was missing was how to interpret the 16 bytes of data associated with each entry. (Thanks to Harlan Carvey for his valuable input on this.)

Here is a cool piece of code I found here that decrypts the entries.
Note: Use AutoHotkey to run this script. AutoHotkey is available here.

————————————–
;;Author: Kostic Dejan
;;Date: 07.04.2006

Gui, Add, ListView, vLst w700 h500 altsubmit, Path|Name|Data
; First pass: list the raw (still ROT13-obfuscated) value names under both UserAssist GUID keys
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
{
    RegRead, rval
    LV_Add("", "{5E6AB780-7743-11CF-A12B-00AA004AE837}", A_LoopRegName, rval)
}
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
{
    RegRead, rsv
    LV_Add("", "{75048700-EF1F-11D0-9888-006097DEACF9}", A_LoopRegName, rsv)
}
Gui, Add, Button, gdec, &Decrypt
Gui, Show
LV_ModifyCol(1, "100")
LV_ModifyCol(2, "485")
LV_ModifyCol(3, "100")
return

dec:
SetBatchLines, -1
LV_Delete()
SplashImage,, b1 c1,, Decrypting`nPlease wait...
; Second pass: re-read both keys and ROT13-decode each value name before listing it
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
{
    RegRead, rval
    d2 := StringMod(A_LoopRegName, 13)
    LV_Add("", "{5E6AB780-7743-11CF-A12B-00AA004AE837}", d2, rval)
}
Loop, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
{
    RegRead, rsv
    d3 := StringMod(A_LoopRegName, 13)
    LV_Add("", "{75048700-EF1F-11D0-9888-006097DEACF9}", d3, rsv)
}
SplashImage, off
return

; Caesar-shift every ASCII letter in _string by _chars positions (13 = ROT13); other characters pass through
StringMod(_string, _chars="") ; made by PhiLho, adapted by me
{
    Loop, Parse, _string
    {
        char := Asc(A_LoopField)
        ; o is the base code ("A" or "a") when the character is a letter, otherwise 0
        o := Asc("A") * (Asc("A") <= char && char <= Asc("Z")) + Asc("a") * (Asc("a") <= char && char <= Asc("z"))
        If (o > 0)
        {
            char := Mod(char - o + _chars, 26)
            char := Chr(char + o)
        }
        Else
        {
            char := A_LoopField
        }
        rStr := rStr char
    }
    Return rStr
}

GuiClose:
ExitApp
————————————–

Now something on anti-forensics (I hate to mention this). Most users would like to delete these entries in order to erase their tracks.
Here is how you can do it:

1. Another cool piece of code from the AutoHotkey forums (Credits: Serenity)

—————————————
; Microsoft Internet Toolbar
RegDelete, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
; ActiveDesktop
RegDelete, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count

; Disable logging and encryption
RegWrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoLog, 1
RegWrite, REG_DWORD, HKCU, Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\Settings, NoEncrypt, 1
————————————

2. Using User Assist Spy

A tool that looks in your registry and lists some information about all the programs and documents you have ever accessed with your current installation of Windows. It also allows you to delete the information and disable future logging.
It is available here.

3. Manual way
  • Delete the Count key entries, and
  • Add settings to disable encryption or logging:
    • Add a new subkey called "Settings" under the "UserAssist" key
    • Add a new DWORD value called "NoLog" to stop further UserAssist entries from being added, or a DWORD value called "NoEncrypt" to disable the ROT-13 encryption of any UA entries that are still added to the registry. Both DWORD values must be set to 1 for them to take effect.
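As an added example (not code from the original article or from the AutoHotkey scripts above), here is a Python equivalent of the decryption that also interprets the 16-byte data from the first section and flags the NoLog/NoEncrypt settings described in this one, which is what an examiner would want to check. It assumes the Windows XP era layout of the 16 bytes (DWORD session id, DWORD run count stored with an offset of 5, and a 64-bit FILETIME of the last run); the sample value is constructed, not taken from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100 ns ticks since 1601-01-01 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption (XP-era format): the stored run count starts at 5 for the first run.
_XP_COUNT_OFFSET = 5

def decode_name(name, encrypted=True):
    """Reverse the ROT13 obfuscation; with NoEncrypt=1 names are clear text."""
    return codecs.decode(name, "rot_13") if encrypted else name

def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to an aware UTC datetime (None for 0)."""
    if filetime == 0:
        return None
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def parse_entry(name, raw, encrypted=True):
    """Decode one XP-era UserAssist value: ROT13 name plus 16 bytes of data."""
    if len(raw) != 16:
        raise ValueError("expected 16 bytes of data, got %d" % len(raw))
    # Assumed layout: DWORD session id, DWORD run count, FILETIME of last run.
    session, count, filetime = struct.unpack("<IIQ", raw)
    return {
        "name": decode_name(name, encrypted),
        "session": session,
        "run_count": max(count - _XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(filetime),
    }

def audit_settings(settings):
    """Flag the UserAssist\\Settings DWORDs that switch logging or ROT13 off."""
    findings = []
    if settings.get("NoLog") == 1:
        findings.append("NoLog=1: new launches are not recorded")
    if settings.get("NoEncrypt") == 1:
        findings.append("NoEncrypt=1: value names stored without ROT13")
    return findings

# Constructed sample (not from a real system): cmd.exe, 12 runs, last run at
# the Unix epoch, which is FILETIME 116444736000000000.
SAMPLE_NAME = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr"
SAMPLE_DATA = struct.pack("<IIQ", 3, 17, 116444736000000000)

if __name__ == "__main__":
    print(parse_entry(SAMPLE_NAME, SAMPLE_DATA))
    print(audit_settings({"NoLog": 1, "NoEncrypt": 1}))
```

Feed it the value names and binary data exported from the two Count keys (for example from an offline hive) rather than the live registry, so the evidence is not modified while it is read.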

I hope the mist around the UserAssist feature is somewhat clearer now!
Do write in your comments on this.
