Hi guys,
I wanted to know if there is a way to detect the number of execution of a software investigating on the widnows registry. Obviously having an image of the disk under analysis.
Thanks
R
Rossano
If I understand you correctly you want to know how many times a program has been run and the program is one which has been used to look at the windows registry.
You could do this by examining UserAssist in the registry on the computer. I think there is an Enscript for this but I would generally use Didier Stevens tool from http//
H
I don't think that UserAssist logs "everything", in other words, if you find an entry in it, good, if you don't it means NOT that the Registry wasn't accessed (nor it means that it was accessed but the action was not recorded).
Just as an example (and without using "strange" tools) on a test machine clear the entries, then run Regedit
from the RUN box
from double clicking on regedit.exe
from a cmd prompt
and check each time the number in Counter, you will find out that you get 1,2 ….and 2.
jaclaz
I don't think that UserAssist logs "everything", in other words, if you find an entry in it, good, if you don't it means NOT that the Registry wasn't accessed (nor it means that it was accessed but the action was not recorded).
Not to mention that you won't detect programmatic accesses to the registry. If you ran procmon (from Sysinternals) on a live system, you could see this, but not through an examination of the registry, itself.
Gents
Yes I agree that UserAssist does not log everything but it will generally show that a program has been run at least N number of times. How to deal with this rather depends on just what Rossano is hoping to show.
H
The UserAssist key generally records user interaction via the shell (ie, Windows Explorer).
For XP and Vista systems, there are also Prefetch files, whose metadata includes information similar to what the OP was looking for.
There are also other means for determining programs that were run, although not all of them include the number of times…