by Chetan Gupta, NII Consulting
Windows XP has a built-in feature, UserAssist, that records which objects a user has opened through Explorer (executables, Control Panel applets, shortcut files and so on) and therefore greatly aids the forensic investigation of Windows systems. Windows maintains it to populate the frequently used programs list on the Start menu, so it is kept up to date without any action by the user. The records are stored per user in the registry under the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
This key contains two subkeys whose names are GUIDs (globally unique identifiers). Each GUID subkey contains a subkey called 'Count', and the values under Count are the access records for the various objects. The value names are not stored in clear text: they are obfuscated with ROT13. ROT13 is a letter substitution that is trivially reversible and offers no real protection; it only touches the letters A–Z and a–z, so digits, punctuation and backslashes pass through unchanged. The full paths of the two keys are:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
Obfuscation using ROT13
According to Wikipedia, ROT13 (“rotate by 13 places”, sometimes hyphenated ROT-13) is a simple Caesar cipher used for obscuring text by replacing each letter with the letter thirteen places down the alphabet. A becomes N, B becomes O, and so on up to M, which becomes Z, then the sequence reverses: N becomes A, O becomes B and so on to Z, which becomes M. Because 13 is half the alphabet, applying ROT13 a second time restores the original text, so the same operation both obscures and reveals an entry.
Decoding the ROT13-obfuscated entries
An online ROT13 decoder is available at http://www.degraeve.com/rot13.php. Pasting material from an investigation into a third-party web site is poor evidence handling, so save the page and use its decoding feature offline, or use any local ROT13 implementation.
How to decode the UserAssist entries?
- Open Regedit and navigate to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
- Right-click the 'Count' subkey under each of the two GUID subkeys and export it to a .reg file
- Open the .reg file with an editor such as Notepad and copy the contents
- Paste the contents into the decoder mentioned above and you are done!
If an entry shows that a 'tracks eraser' program such as Evidence Eliminator was run, it definitely puts the user under suspicion as to why he wanted to erase the trail of his activity on the machine. Note that when the whole .reg file is passed through ROT13, the data portion is rotated along with the names: the type marker hex: reads urk: and the hex digits a–f appear as n–s (n2 is really a2, p6 is really c6), while 0–9 are unchanged. Rotate the data back, or decode only the value names, before interpreting it. A typical decoded output looks like this:
"UEME_RUNPATH:C:\WINDOWS\system32\NOTEPAD.EXE"=urk:83,00,00,00,n2,02,00,00,10,qo,77,02,rr,84,p6,01
"UEME_RUNPATH:C:\PROGRA~1\MOZILL~2\THUNDE~1.EXE"=urk:80,00,00,00,9p,00,00,00,60,q8,sr,48,30,82,p6,01
"UEME_RUNPIDL"=urk:83,00,00,00,10,08,00,00,80,62,44,9p,pp,84,p6,01
"UEME_RUNPIDL:::{2559A1F5-21D7-11D4-BDAF-00C04F60B9F0}"=urk:80,00,00,00,9p,00,00,00,r0,s2,04,49,30,82,p6,01
"UEME_RUNPATH:C:\WINDOWS\System32\cmd.exe"=urk:83,00,00,00,n2,00,00,00,50,n9,61,40,9n,84,p6,01
"UEME_UISCUT"=urk:83,00,00,00,p3,00,00,00,70,on,56,31,s1,84,p6,01
"UEME_RUNPATH:::{20D04FE0-3AEA-1069-A2D8-08002B30309D}"=urk:83,00,00,00,1s,01,00,00,70,on,56,31,s1,84,p6,01
"UEME_UIQCUT"=urk:83,00,00,00,pp,07,00,00,70,r9,69,30,s1,84,p6,01
"UEME_RUNPATH:WinTasks.lnk"=urk:02,00,00,00,07,00,00,00,q0,o0,ns,30,r3,02,p6,01
"UEME_RUNPIDL:%csidl2%\Evidence Eliminator"=urk:04,00,00,00,07,00,00,00,r0,os,sp,2p,n5,0s,p6,01
"UEME_RUNPATH:C:\WINDOWS\system32\shell32.dll"=urk:82,00,00,00,47,00,00,00,00,p0,26,q9,p1,83,p6,01
"UEME_RUNPATH:C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE"=urk:83,00,00,00,30,00,00,00,90,03,45,60,7n,84,p6,01
As we can see, there is an entry showing that the user did run Evidence Eliminator on his system; he definitely owes the investigator an explanation!
Kush Wadhwa
The article was a really good one. Good going!
Mahoney
Good find. Two questions:
1. What is UEME?
2. How do you read the numbers listed after it? They tell you when or how many time something is run?
I’m guessing this is used for determining what to put on the start menu section that shows the ‘most used’ programs. Why did MS obscure it? If it’s important it seems it would need stronger protection.
Peter Fellini
The HKEY was cut off in the document; what is the actual HKEY path?
Thanks
Chetan Gupta
Thanks Mr Fellini for pointing it out. I have updated the article and added the full path of the two keys.
Mr Mahoney, you have raised excellent points! An update to this article is on the line which would talk about correlating prefetch logs with UserAssist keys, getting the timestamp values out of the links and some more advanced features such as disabling encryption and logging automatically. It will also include some tools such as UserAssistSpy which specifically deal with this feature! I hope that article would answer all your queries!
Thanks for the valuable feedback!
Chetan
Pete Yevchak
I’ve looked at both those keys in the registry here and there is NO “count” sub-key on either. Am I doing something wrong? Pete
keydet89
Something interesting to add to this…many of the UserAssist entries have data associated with the values. Where the data is 16 bytes (i.e., 4 DWORD values) long, and something other than zeros, the second DWORD value is the “run count” (MS allegedly starts incrementing at 5, though I haven’t seen any official MS documentation to that effect). The last two DWORDs are the “last run time”, a FILETIME object showing when the PIDL was last accessed.
I use Technology Pathways’ ProDiscover product for forensic analysis of Windows systems, and wrote a ProScript that will not only un-Rot-13 the info for me, but show the timestamp values, as well as list them in sorted order (for timeline analysis).
H. Carvey
http://windowsir.blogspot.com
keydet89
> 1. What is UEME?
No clue. However, for an explanation of pointers to ID lists, or PIDLs, check this out:
http://www.codeproject.com/shell/namespcextguide1.asp
> 2. How do you read the numbers listed after it? They tell you when or how
> many time something is run?
I haven’t seen any references regarding the content of the first DWORD. The second DWORD allegedly holds the run count, with the count starting at 5 (0x05). The last two DWORDs hold the FILETIME object for the time that the app was last run.
Hope that helps,
Harlan
http://windowsir.blogspot.com
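As an added example, not code from the article, from NII Consulting or from any of the commenters, the following Python script does what the article's four-step procedure does by hand and adds the interpretation of the 16-byte data that Harlan Carvey gives above (second DWORD = run count, last two DWORDs = FILETIME of the last run). Only the value name is passed through ROT13; the hex data is left alone, which avoids the urk:/n–s mangling seen in the article's output. The .reg text is constructed: the first two records are the article's NOTEPAD.EXE and cmd.exe lines re-encoded on the assumption that the article's output came from ROT13-ing the whole file, the third is an all-zero record. Regedit 5.00 escaping ("\\" in names, trailing "\" continuation lines) is assumed, and the field names first_dword, run_count and last_run are my own; the meaning of the first DWORD is not established on this page and is left uninterpreted.

```python
import codecs
import re
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample, not taken from the article: the beginning of a Regedit
# 5.00 export of one UserAssist\{GUID}\Count key as it looks BEFORE any
# decoding. Value names are ROT13-encoded, backslashes inside the quoted name
# are escaped as "\\", and long hex lines are continued with a trailing "\".
# The first two records are the article's NOTEPAD.EXE and cmd.exe lines
# re-encoded (assuming the article's "urk:" output was a ROT13 of the whole
# file, so its n-s digits are really a-f). The third record is all zeros.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count]
"HRZR_EHACNGU:P:\\JVAQBJF\\flfgrz32\\ABGRCNQ.RKR"=hex:83,00,00,00,a2,02,00,00,10,db,\
  77,02,ee,84,c6,01
"HRZR_EHACNGU:P:\\JVAQBJF\\Flfgrz32\\pzq.rkr"=hex:83,00,00,00,a2,00,00,00,50,a9,\
  61,40,9a,84,c6,01
"HRZR_HVFPHG"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00
"""

# FILETIME counts 100-nanosecond intervals since 1 January 1601 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# "name"=hex:aa,bb,... lines; the name may contain escaped quotes/backslashes.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=hex:([0-9a-fA-F,]*)$')


def join_continuations(text):
    """Rejoin .reg lines that end in a backslash with the line that follows."""
    lines = []
    for raw in text.splitlines():
        if lines and lines[-1].endswith("\\"):
            lines[-1] = lines[-1][:-1] + raw.strip()
        else:
            lines.append(raw)
    return lines


def unescape_reg_string(s):
    """Undo the .reg escaping of backslash and double quote inside a name."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_userassist_reg(text):
    """Decode every UserAssist value in a .reg export.

    Only the value NAME goes through ROT13; the hex data is parsed as-is.
    Where the data is 16 bytes and not all zeros it is split into DWORD 0
    (meaning not established here; 'first_dword' is my own label), the
    run-count DWORD and a FILETIME, as described in the comments.
    """
    records = []
    for line in join_continuations(text):
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = codecs.decode(unescape_reg_string(m.group(1)), "rot13")
        data = bytes.fromhex(m.group(2).replace(",", ""))
        rec = {"name": name, "first_dword": None, "run_count": None,
               "last_run": None}
        if len(data) == 16 and any(data):
            first, count, ft = struct.unpack("<IIQ", data)
            rec.update(first_dword=first, run_count=count,
                       last_run=filetime_to_datetime(ft))
        records.append(rec)
    return records


def timeline(records):
    """Records that carry a timestamp, oldest first, for timeline analysis."""
    return sorted((r for r in records if r["last_run"] is not None),
                  key=lambda r: r["last_run"])


if __name__ == "__main__":
    for r in timeline(parse_userassist_reg(SAMPLE_REG)):
        print(r["last_run"].strftime("%Y-%m-%d %H:%M:%S UTC"),
              r["run_count"], r["name"])
```

Run against a real export, replace SAMPLE_REG with the file contents read in the export's own encoding (Regedit 5.00 writes UTF-16LE). The run count is reported raw; if, as the comment above suggests, the counter starts at 5, subtract 5 to get the number of launches.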
Chetan
Hey pete,
The correct path to the keys is
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{5E6AB780-7743-11CF-A12B-00AA004AE837}\Count
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{75048700-EF1F-11D0-9888-006097DEACF9}\Count
hope it works now!
chetan
Checkmate » UserAssist Revisited! - e-zine on Digital Forensics and Incident Response
[…] In my previous article on UserAssist, I had mentioned how UserAssist records user access of specific objects on the system and how it would greatly aid forensic investigations. Although I had shown how to decrypt the keys, the important thing that was missing was how to interpret the 16 bytes of data associated with the entries. (Thanks to Harlan Carvey for providing his valuable inputs on this.) […]
Kush Wadhwa
Hello Guys,
I have finally found what UEME is.
All the link files and executable files will be preceded by UEME_RUNPATH. When a program is run, its path is encoded and recorded as the value name. Because this key is tracking the frequency and recency of programs and other accesses, it stands to reason that we should find that information in the data portion of this value.
Same case is for other UEME. They also stand for particular application.
Dan
I do not see where anyone owes anyone an explanation for running a program. Some people just run programs to test them & see if they work.
Others experiment, collect programs, just try them out. There are people, of course, concerned with privacy. It isn’t illegal to want to cover your tracks, with the advent of big brother agencies & programs that want to watch everything you say & do.
Who really wants ALL the details of their life made public?
Sure, they may have had baddies on their comp, but they may also NOT have had anything & simply ran it as testing. I myself have had up to 400,000 software packages I collected, a lot of open source & freeware, some are trials.
I simply wanted to test for the best.
Nothing wrong with that, & I see nothing wrong with what he did.