Digital Forensics: Artifact Profile – UserAssist
APPLICATION NAME: UserAssist
CATEGORY: Operating System
RELATED ARTIFACTS: None
OPERATING SYSTEMS: Windows
NTUSER.DAT – SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\
Importance to Investigators
Windows contains a number of registry entries under UserAssist that allow investigators to see what programs were recently executed on a system. This can be extremely valuable in an investigation where an examiner wishes to see if a particular application was run, such as an encryption or wiping tool. Unlike prefetch files, UserAssist data will include information on whether an application was run from a shortcut (LNK file) or directly from the executable. This provides examiners with additional context around the execution of a program.
There are some slight differences when examining UserAssist data on Windows XP versus Vista+. On Windows XP, you will see a prefix starting with UEME_RUNCPL, RUNPATH, or something similar. The prefix will help indicate how the user executed the program or link. Some of the most common and valuable prefixes tend to be:
RUNPATH – Data about executed programs
RUNCPL – Data about executed control applets (.cpl)
RUNPIDL – Data about a file executed from a PIDL
In Windows Vista+, the UEME prefixes have been removed but examiners can still gain valuable data from the UserAssist key, which is in the same location.
UserAssist Recovery with Magnet Forensics
Magnet Forensics tools will parse the UserAssist registry data and decode the ROT13 encoded data, providing examiners with the file name and path, application run count, associated user, and the date/time when the program was last executed.
Depending on how the program was executed, Magnet Forensics tools may report either the path or a GUID/path combination for a given entry. The path entries are straightforward and help indicate where a program or link was executed from, but the GUID requires some interpretation. These GUIDs represent common paths on a system, such as a user’s APPDATA folder, system32, or other locations that are commonly mapped. Magnet Forensics tools do not map these GUIDs for the examiner. For a list of Known Folders and their associated GUID, please reference this Microsoft page: Known Folder GUIDs for File Dialog Custom Places
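The decoding and GUID mapping described above can be done by hand, as in this added example (not Magnet Forensics code). The GUID table is a small subset of Microsoft's Known Folder list, and the 72-byte value layout (run count at offset 4, last-run FILETIME at offset 60) is the commonly documented Windows 7+ format, assumed here because the page does not describe it; the sample values are constructed.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Subset of Microsoft's Known Folder GUIDs; extend from the reference list.
KNOWN_FOLDERS = {
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramW6432%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{3EB685DB-65F9-4CF6-A03A-E3EF65729F3D}": "%APPDATA%",
    "{F1B32785-6FBA-4FCF-9D55-7B8E7F157091}": "%LOCALAPPDATA%",
}

def decode_name(value_name):
    """ROT13-decode a UserAssist value name and expand a leading Known Folder GUID."""
    decoded = codecs.decode(value_name, "rot_13")  # digits and punctuation are untouched
    end = decoded.find("}")
    if decoded.startswith("{") and end != -1:
        folder = KNOWN_FOLDERS.get(decoded[:end + 1].upper())
        if folder:  # unknown GUIDs are left as-is for manual lookup
            return folder + decoded[end + 1:]
    return decoded

def parse_data(data):
    """Return (run_count, last_run_utc) for a 72-byte value, or None for other sizes."""
    if len(data) != 72:  # assumed Windows 7+ layout only; other sizes are not guessed at
        return None
    run_count, = struct.unpack_from("<I", data, 4)
    filetime, = struct.unpack_from("<Q", data, 60)
    last_run = None
    if filetime:  # a zero FILETIME carries no timestamp
        # FILETIME counts 100 ns ticks since 1601-01-01 UTC
        last_run = datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)
    return run_count, last_run

# Constructed samples (not taken from a real hive)
SAMPLE_NAME = "{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\\pzq.rkr"
SAMPLE_XP_NAME = "HRZR_EHACNGU:P:\\Gbbyf\\jvcr.rkr"
_buf = bytearray(72)
struct.pack_into("<I", _buf, 4, 7)                   # run count
struct.pack_into("<Q", _buf, 60, 132444736000000000)  # last-run FILETIME
SAMPLE_DATA = bytes(_buf)

if __name__ == "__main__":
    print(decode_name(SAMPLE_NAME), parse_data(SAMPLE_DATA))
    print(decode_name(SAMPLE_XP_NAME))
```

The decoded timestamp is UTC; convert it to the system's time zone only when reporting.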