Friday, October 5, 2012

UserAssist

We talk a lot about UseAssist key and its structure, but I don;t see much talk about what it really means to forensic investigators.  We've seen its structure change since WinXP and now the run count starts from 0 instead of 5 and it has some strange structures, but the time is still there to interpret. 

First of all, we need to understand what we have to check in order to see if it should keep the list of programs that were executed by the user.  If the values are empty, you should not jump to the conclusion that your suspect must have used an evidence eliminator.  It might have been set by the user previously or by the network administrator group policy.

The following image shows the settings that control is you see anything under your UserAssist key in the registry.  Un-checking the first check box not just disable the application logging, but it also clears the UserAssist key of any existing entries. 






The following registry keys correspond to the check boxes above.

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackDocs
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_TrackProgs









Disabling the program logging ( TrackProgs ) will also update the following key.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.exe\OpenWithProgids\exefile

Since the start Menu properties window also includes the Power Button Action settings, every time you apply your settings changes, you will see this value also accessed.
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_PowerButtonAction

Note: Just in case if you are interested, its values are:
2             - shut down
1             - log off
256         - switch user
512         - lock
4             - restart
2097168 - sleep


So, the main question I wanted to answer was: Is UserAssist key keeps track of applications that were ran on a machine by a user?




Legend:
Green - Always 0s or Fs
Pink - Run count
Blue - Focus count
Orange - Focus time
Light orange - always same
green - always Fs
Purple - last run time
Red - unused

As you can see above, I can see that I launched calc.exe from its default location twice ( pink area ), but after I've moved it to c:\temp and wanted to start calc.exe, it did not launch and still showed the application run count.  Therefore, my conclusion is that you can not reliably determine how many times a user used an application, but how many time he/she tried to use it.

No comments:

Post a Comment