Artifacts

UserAssist

Posted by:

Author Name
Matt

Description
UserAssist is a method used to populate a user’s start menu with
frequently used applications. This is achieved by maintaining a count
of application use in each users NTUSER.DAT registry file.
http://forensicsfromthesausagefactory.blogspot.com/2010/05/prefetch-and-user-assist.html

This key is suppose to contain information about programs and
shortcuts accessed by the Windows GUI, including execution count and
the date of last execution
http://www.irongeek.com/i.php?page=security/windows-forensics-registry-and-file-system-spots

Registry Keys
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist

Research Links
http://windowsir.blogspot.com/2007/09/more-on-userassist-keys.html

Forensic Programs of Use
http://blog.didierstevens.com/programs/userassist/
http://www.nirsoft.net/utils/userassist_view.html
http://www.RegRipper.net

Leave a Reply

Your Name: (required)

Your Email: (will not be published) (required)

Your Website:

Your Message:

submit comment