UserAssist Key - Wi...
 
Notifications
Clear all

UserAssist Key - Windows 7  

  RSS
Kwilley
(@kwilley)
New Member

Hi All,

I have recently been looking at User Assist Keys in the Windows 7 Registry -
Path HKEY_USERS\\Software\Microsoft\Windows\Explorer \UserAssist

These entries appear to be made up of 72 bytes of data, but I cannot seem to find information on decoding these. I am looking for the last executed time and the run count.

After research online I found out that the last 62 bits consist of the Windows Timestamp for the last execution time. However I am still searching for the run count.

From the information I have found online it suggest that byte 4, with index of 0, is a 32 bit integer with the amount of times a program has been executed yet in the testing I have done does not seem to confirm this.

I was wondering if anyone had any information on this, or a breakdown of the 72 byte structure would be fantastic.

Thanks guys,

Quote
Posted : 19/02/2014 10:07 pm
vootz
(@vootz)
Junior Member

Kwilley,
If you do a search for "Didier Stevens UserAssist", he wrote a tool that displays the data from these encrypted UserAssist entries. A little further down in his blog, he gives a link that works for Windows 7.
Thanks

ReplyQuote
Posted : 20/02/2014 12:10 am
Share: