UserAssist Key - Windows 7
I have recently been looking at User Assist Keys in the Windows 7 Registry -
Path HKEY_USERS\<USER_ID>\Software\Microsoft\Windows\Explorer \UserAssist
These entries appear to be made up of 72 bytes of data, but I cannot seem to find information on decoding these. I am looking for the last executed time and the run count.
After research online I found out that the last 62 bits consist of the Windows Timestamp for the last execution time. However I am still searching for the run count.
From the information I have found online it suggest that byte 4, with index of 0, is a 32 bit integer with the amount of times a program has been executed yet in the testing I have done does not seem to confirm this.
I was wondering if anyone had any information on this, or a breakdown of the 72 byte structure would be fantastic.
If you do a search for "Didier Stevens UserAssist", he wrote a tool that displays the data from these encrypted UserAssist entries. A little further down in his blog, he gives a link that works for Windows 7.